CVS commit: pkgsrc/devel/git-lfs

["Adam Ciarcinski" <adam%netbsd.org@localhost>]

Module Name:    pkgsrc
Committed By:   adam
Date:           Tue Jan 14 22:46:06 UTC 2025

Modified Files:
        pkgsrc/devel/git-lfs: Makefile distinfo

Log Message:
git-lfs: updated to 3.6.1

3.6.1 (3 December 2024)

This release introduces a security fix for Linux, macOS, and Windows
systems, which has been assigned CVE-2024-53263.

When Git LFS requests credentials from Git for a remote host, it passes
portions of the host's URL to the `git-credential(1)` command without
checking for embedded line-ending control characters, and then sends any
credentials it receives back from the Git credential helper to the
remote host.  By inserting URL-encoded control characters such as
line feed (LF) or carriage return (CR) characters into the URL, an
attacker may be able to retrieve a user's Git credentials.

By default Git LFS will now report an error if a line-ending control
character (LF or CR) or a null byte (NUL) is found in any value Git LFS
would otherwise pass to the `git-credential(1)` command.

For users who depend on the ability to pass bare carriage return
characters in a Git credential request, Git LFS will now honour the
`credential.protectProtocol` Git configuration option.  If this option
is set to `false`, Git LFS will allow carriage return characters in the
values it sends to the `git-credential(1)` command.  This option will be
introduced in Git as part of the remedy for the vulnerability in Git
designated as CVE-2024-52006.

Git LFS v3.6.1 will be released in coordination with releases from
several other projects including Git, Git for Windows, and Git Credential
Manager (GCM).

We would like to extend a special thanks to the following open-source
contributors:

* @Ry0taK for reporting this to us responsibly

Bugs

* Reject bare line-ending control characters in Git credential requests


To generate a diff of this commit:
cvs rdiff -u -r1.82 -r1.83 pkgsrc/devel/git-lfs/Makefile
cvs rdiff -u -r1.18 -r1.19 pkgsrc/devel/git-lfs/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/devel/git-lfs/Makefile
diff -u pkgsrc/devel/git-lfs/Makefile:1.82 pkgsrc/devel/git-lfs/Makefile:1.83
--- pkgsrc/devel/git-lfs/Makefile:1.82  Mon Nov 25 10:33:35 2024
+++ pkgsrc/devel/git-lfs/Makefile       Tue Jan 14 22:46:06 2025
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.82 2024/11/25 10:33:35 adam Exp $
+# $NetBSD: Makefile,v 1.83 2025/01/14 22:46:06 adam Exp $
 
-DISTNAME=      git-lfs-3.6.0
+DISTNAME=      git-lfs-3.6.1
 CATEGORIES=    devel
 MASTER_SITES=  ${MASTER_SITE_GITHUB:=git-lfs/}
 GITHUB_TAG=    v${PKGVERSION_NOREV}

Index: pkgsrc/devel/git-lfs/distinfo
diff -u pkgsrc/devel/git-lfs/distinfo:1.18 pkgsrc/devel/git-lfs/distinfo:1.19
--- pkgsrc/devel/git-lfs/distinfo:1.18  Mon Nov 25 10:33:35 2024
+++ pkgsrc/devel/git-lfs/distinfo       Tue Jan 14 22:46:06 2025
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.18 2024/11/25 10:33:35 adam Exp $
+$NetBSD: distinfo,v 1.19 2025/01/14 22:46:06 adam Exp $
 
-BLAKE2s (git-lfs-3.6.0.tar.gz) = 1210ef4cb6806d6fda8dc2286f40593064b4df71bdbeef0229164c8db8664c09
-SHA512 (git-lfs-3.6.0.tar.gz) = bc312fcbbfb8ff0116ff358fc9d25567e5f9394c8bd51c17387c87265b78bb59bb6e46af7966ff906578fa258f6fb79828eef4f7880337ad63d8bf88fb811ee6
-Size (git-lfs-3.6.0.tar.gz) = 694707 bytes
+BLAKE2s (git-lfs-3.6.1.tar.gz) = e38c9bfd48cb74fb89f0392838958167dae6373509c1697468c5a6f49dfa1b44
+SHA512 (git-lfs-3.6.1.tar.gz) = 18354bb724fa71a38440684fb31a09a0c7c3e6470b6e84f909ca13d695eec1d2004070fdbca9b6ca4e56b8ceec82557d38b3989df3dd41128a546cdd854a3b56
+Size (git-lfs-3.6.1.tar.gz) = 696231 bytes
 BLAKE2s (github.com_alexbrainman_sspi_@v_v0.0.0-20210105120005-909beea2cc74.mod) = c21a1ebaba97d3b288d48b37ba7e87cb0872c5eaa04d535accae5c379fc492ff
 SHA512 (github.com_alexbrainman_sspi_@v_v0.0.0-20210105120005-909beea2cc74.mod) = 
aee6f208fe93284b91980e086ddb31e4550149072fbadb81a7084ad30d39bcbeda0e497aebfb231599ea22a52c67cdf4319a8b538e6594ec2bb2892c9ce77570
 Size (github.com_alexbrainman_sspi_@v_v0.0.0-20210105120005-909beea2cc74.mod) = 45 bytes