From 7d28d50979c68a3c82b79d529643167a62385671 Mon Sep 17 00:00:00 2001
From: AlmaLinux RelEng Bot
Date: Sun, 28 Jun 2026 23:58:45 -0400
Subject: [PATCH] import CS git git-lfs-3.4.1-11.el8_10
---
 SOURCES/git-lfs-3.4.1-cve-2026-39821.patch | 39 ++++++++++++++++++++++
 SPECS/git-lfs.spec | 10 +++++-
 2 files changed, 48 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/git-lfs-3.4.1-cve-2026-39821.patch
diff --git a/SOURCES/git-lfs-3.4.1-cve-2026-39821.patch b/SOURCES/git-lfs-3.4.1-cve-2026-39821.patch
new file mode 100644
index 0000000..161fcf6
--- /dev/null
+++ b/SOURCES/git-lfs-3.4.1-cve-2026-39821.patch
@@ -0,0 +1,39 @@
+From adfb8ef6fc0e091b061472cf8e68122be1bbd907 Mon Sep 17 00:00:00 2001
+From: RHEL Packaging Agent
+Date: Fri, 12 Jun 2026 11:09:33 +0000
+Subject: [PATCH] idna: reject xn-- labels that decode to all-ASCII
+
+Add an all-ASCII rejection check in the process method of the IDNA
+package. After Punycode decoding an xn-- label, check if the decoded
+result is pure ASCII. If so, return an A3 error (invalid Punycode label).
+
+This fixes a specification bug in UTS 46 (corrected in revision 33)
+where xn-- labels that decode to all-ASCII were not properly rejected.
+
+The upstream fix in golang/net@8c4c965 guards this check behind a
+unicode16 flag, but since RHEL 8 ships Go 1.21 with Unicode 15.0.0,
+the guard is removed here so the fix is always active.
+
+For golang/go#78760
+CVE: CVE-2026-39821
+---
+ vendor/golang.org/x/net/idna/idna10.0.0.go | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/vendor/golang.org/x/net/idna/idna10.0.0.go b/vendor/golang.org/x/net/idna/idna10.0.0.go
+index 64ccf85..170095d 100644
+--- a/vendor/golang.org/x/net/idna/idna10.0.0.go
++++ b/vendor/golang.org/x/net/idna/idna10.0.0.go
+@@ -371,6 +371,9 @@ func (p *Profile) process(s string, toASCII bool) (string, error) {
+ // Spec says keep the old label.
+ continue
+ }
++ if err == nil && ascii(u) {
++ err = punyError(label[len(acePrefix):])
++ }
+ isBidi = isBidi || bidirule.DirectionString(u) != bidi.LeftToRight
+ labels.set(u)
+ if err == nil && p.fromPuny != nil {
+--
+2.52.0
+
diff --git a/SPECS/git-lfs.spec b/SPECS/git-lfs.spec
index 483e618..a008906 100644
--- a/SPECS/git-lfs.spec
+++ b/SPECS/git-lfs.spec
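Review bot: The added `if err == nil && ascii(u)` block carries no comment saying why an xn-- label whose Punycode decoding is all-ASCII is rejected, nor that upstream's unicode16 guard was deliberately dropped — that reasoning lives only in the patch header, so a later re-vendoring of golang.org/x/net could silently reintroduce the guard or drop the check. Add above the condition: `// UTS 46 rev. 33 / CVE-2026-39821: an xn-- label that decodes to pure ASCII is invalid (A3). Upstream gates this on unicode16; this backport keeps it unconditional (Go 1.21, Unicode 15.0.0).`. No test accompanies the backport; a vendored package cannot easily carry one, but %check could exercise the fix with a constructed input such as `xn--abc-` (whose Punycode decoding is the ASCII string `abc`), which should now be rejected. The enclosing `process` function starts and ends outside the hunk.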
@@ -19,7 +19,7 @@ Version: 3.4.1
 %global gobuild CGO_CPPFLAGS="-D_FORTIFY_SOURCE=2 -fstack-protector-all" go build -compiler gc -buildmode pie '-tags=rpm_crashtraceback libtrust_openssl ' -ldflags "-linkmode=external -compressdwarf=false ${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags'" -a -v -x %{?**}
 Name: git-lfs
-Release: 10%{?dist}
+Release: 11%{?dist}
 Summary: Git extension for versioning large files
 License: MIT
@@ -40,6 +40,10 @@ Patch1: git-lfs-3.4.1-cve-2024-53263.patch
 # And additional commits to support the fix
 # Some tests had to be skipped as they require features not present in v3.4.1. and always fail
 Patch2: git-lfs-3.4.1-cve-2025-26625.patch
+# Fixes CVE-2026-39821
+# Vendored golang.org/x/net idna: reject xn-- labels that decode to all-ASCII
+# https://github.com/golang/net/commit/8c4c965e028475082408749b50ed7a686df0d265
+Patch3: git-lfs-3.4.1-cve-2026-39821.patch
 # Generated provides by vendor2provides.py
 # https://src.fedoraproject.org/rpms/syncthing/blob/603e4e03a92a7d704d199629dd85304018e8279d/f/vendor2provides.py
@@ -181,6 +185,10 @@ PATH=%{buildroot}%{_bindir}:%{gobuilddir}/bin:$PATH \
 %changelog
+* Fri Jun 12 2026 RHEL Packaging Agent - 3.4.1-11
+- Backport CVE-2026-39821 fix (vendored golang.org/x/net IDNA)
+- Resolves: RHEL-183731
+
 * Mon May 04 2026 RHEL Packaging Agent - 3.4.1-10
 - Rebuild with new Golang
 - Resolves: RHEL-167541, RHEL-167379, RHEL-166518
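Review bot: The new Patch3 comment links the upstream commit but omits the one way this backport deviates from it — the unicode16 guard is dropped so the check is unconditional on the Go 1.21 / Unicode 15.0.0 toolchain — which is exactly the detail a future rebase onto a newer x/net needs; add `# Backport drops upstream's unicode16 guard (RHEL 8: Go 1.21, Unicode 15.0.0); see the patch header` under the URL line. If %prep applies patches with numbered `%patchN` lines rather than `%autosetup -p1`, Patch3 also needs its own `%patch3 -p1` (or equivalent) there; %prep is outside this hunk, so confirm the patch is actually applied in the build. The Release bump and changelog hunks on this line need nothing further.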