git-lfs: upgrade to 3.4.1 to fix multiple CVEs (microsoft#8843)

gjswalling · Apr 19, 2024 · 49417ec · 49417ec
1 parent 73b6061
commit 49417ec
Show file tree

Hide file tree

Showing 5 changed files with 17 additions and 211 deletions.
diff --git a/SPECS/git-lfs/CVE-2021-44716.patch b/SPECS/git-lfs/CVE-2021-44716.patch
diff --git a/SPECS/git-lfs/CVE-2023-44487.patch b/SPECS/git-lfs/CVE-2023-44487.patch
diff --git a/SPECS/git-lfs/git-lfs.signatures.json b/SPECS/git-lfs/git-lfs.signatures.json
@@ -1,6 +1,6 @@
 {
  "Signatures": {
-  "git-lfs-3.1.4.tar.gz": "d7bfeb6f4c219c44773da4f93da28eb1e2e654efa4cd23294d9039247d8cde64",
-  "git-lfs-3.1.4-vendor.tar.gz": "0bb6efd3854ebb232445ecc0bd6fbb8bbce65bca4a958111293ed0084f43cab2"
+  "git-lfs-3.4.1-vendor.tar.gz": "a7b525a15b71a92ab789853a172345a4e4815de71ebe3486d5b843651b74cf1e",
+  "git-lfs-3.4.1.tar.gz": "2a36239d7968ae18e1ba2820dc664c4ef753f10bf424f98bccaf44d527f19a17"
  }
-}
+}
diff --git a/SPECS/git-lfs/git-lfs.spec b/SPECS/git-lfs/git-lfs.spec
@@ -1,8 +1,8 @@
 %global debug_package %{nil}
 Summary:       Git extension for versioning large files
 Name:          git-lfs
-Version:       3.1.4
-Release:       17%{?dist}
+Version:       3.4.1
+Release:       1%{?dist}
 Group:         System Environment/Programming
 Vendor:        Microsoft Corporation
 Distribution:  Mariner
@@ -28,41 +28,37 @@ Source0:       https://github.com/git-lfs/git-lfs/archive/v%{version}.tar.gz#/%{
 #         See: https://reproducible-builds.org/docs/archives/
 #       - For the value of "--mtime" use the date "2021-04-26 00:00Z" to simplify future updates.
 Source1:       %{name}-%{version}-vendor.tar.gz
-Patch0:        CVE-2023-44487.patch
-Patch1:        CVE-2021-44716.patch
 
 BuildRequires: golang
 BuildRequires: which
-BuildRequires: rubygem-ronn
 BuildRequires: tar
 BuildRequires: git
+BuildRequires: rubygem-asciidoctor
 Requires:      git
 %define our_gopath %{_topdir}/.gopath
 
 %description
 Git LFS is a command line extension and specification for managing large files with Git
 
 %prep
-%autosetup -N
-# Apply vendor before patching
-tar --no-same-owner -xf %{SOURCE1}
-%autopatch -p1
+%autosetup
 
 %build
+tar --no-same-owner -xf %{SOURCE1}
 export GOPATH=%{our_gopath}
 export GOFLAGS="-buildmode=pie -trimpath -mod=vendor -modcacherw -ldflags=-linkmode=external"
 go generate ./commands
 go build .
 export PATH=$PATH:%{gem_dir}/bin
-make man %{?_smp_mflags}
+make man GIT_LFS_SHA=unused VERSION=unused PREFIX=unused
 
 %install
 rm -rf %{buildroot}
 install -D git-lfs %{buildroot}%{_bindir}/git-lfs
 mkdir -p %{buildroot}%{_mandir}/man1
 mkdir -p %{buildroot}%{_mandir}/man5
-install -D man/*.1 %{buildroot}%{_mandir}/man1
-install -D man/*.5 %{buildroot}%{_mandir}/man5
+install -D man/man1/*.1 %{buildroot}%{_mandir}/man1
+install -D man/man5/*.5 %{buildroot}%{_mandir}/man5
 
 %check
 go test -mod=vendor ./...
@@ -81,6 +77,10 @@ git lfs uninstall
 %{_mandir}/man5/*
 
 %changelog
+* Thu Apr 18 2024 Andrew Phelps <anphel@microsoft.com> - 3.4.1-1
+- Bump version to 3.4.1 based on AZL3 spec
+- Add BR on asciidoctor & drop un-needed BR
+
 * Mon Feb 05 2024 Nicolas Guibourge <nicolasg@microsoft.com> - 3.1.4-17
 - Patch CVE-2021-44716
 

diff --git a/cgmanifest.json b/cgmanifest.json
@@ -4290,8 +4290,8 @@
         "type": "other",
         "other": {
           "name": "git-lfs",
-          "version": "3.1.4",
-          "downloadUrl": "https://github.com/git-lfs/git-lfs/archive/v3.1.4.tar.gz"
+          "version": "3.4.1",
+          "downloadUrl": "https://github.com/git-lfs/git-lfs/archive/v3.4.1.tar.gz"
         }
       }
     },