[AUTO-CHERRYPICK] Patch git-lfs for CVE-2025-22870 [Medium] - branch main (#13326)

CBL-Mariner-Bot · xordux · web-flow · commit 56b9a2212fea · 2025-04-09T17:42:42.000-04:00
Co-authored-by: Rohit Rawat &lt;rohitrawat@microsoft.com&gt;
diff --git a/SPECS/git-lfs/CVE-2025-22870.patch b/SPECS/git-lfs/CVE-2025-22870.patch
@@ -0,0 +1,47 @@
+From 6adba806734b12ec5efc243ba60331e610387037 Mon Sep 17 00:00:00 2001
+From: Rohit Rawat <xordux@gmail.com>
+Date: Tue, 8 Apr 2025 17:59:35 +0000
+Subject: [PATCH] Fix CVE CVE-2025-22870 in git-lfs
+Upstream Patch Reference: https://github.com/golang/go/commit/334de7982f8ec959c74470dd709ceedfd6dbd50a.patch
+---
+ vendor/golang.org/x/net/http/httpproxy/proxy.go | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/vendor/golang.org/x/net/http/httpproxy/proxy.go b/vendor/golang.org/x/net/http/httpproxy/proxy.go
+index c3bd9a1..864961c 100644
+--- a/vendor/golang.org/x/net/http/httpproxy/proxy.go
++++ b/vendor/golang.org/x/net/http/httpproxy/proxy.go
+@@ -14,6 +14,7 @@ import (
+ 	"errors"
+ 	"fmt"
+ 	"net"
++	"net/netip"
+ 	"net/url"
+ 	"os"
+ 	"strings"
+@@ -180,8 +181,10 @@ func (cfg *config) useProxy(addr string) bool {
+ 	if host == "localhost" {
+ 		return false
+ 	}
+-	ip := net.ParseIP(host)
+-	if ip != nil {
++	nip, err := netip.ParseAddr(host)
++	var ip net.IP
++	if err == nil {
++		ip = net.IP(nip.AsSlice())
+ 		if ip.IsLoopback() {
+ 			return false
+ 		}
+@@ -363,6 +366,9 @@ type domainMatch struct {
+ }
+ 
+ func (m domainMatch) match(host, port string, ip net.IP) bool {
++	if ip != nil {
++		return false
++	}
+ 	if strings.HasSuffix(host, m.host) || (m.matchHost && host == m.host[1:]) {
+ 		return m.port == "" || m.port == port
+ 	}
+-- 
+2.40.4
+
diff --git a/SPECS/git-lfs/git-lfs.spec b/SPECS/git-lfs/git-lfs.spec
@@ -2,7 +2,7 @@
 Summary:       Git extension for versioning large files
 Name:          git-lfs
 Version:       3.5.1
-Release:       4%{?dist}
+Release:       5%{?dist}
 Group:         System Environment/Programming
 Vendor:        Microsoft Corporation
 Distribution:  Mariner
@@ -30,6 +30,7 @@ Source0:       https://github.com/git-lfs/git-lfs/archive/v%{version}.tar.gz#/%{
 Source1:       %{name}-%{version}-vendor.tar.gz
 Patch0:        CVE-2023-45288.patch
 Patch1:        CVE-2024-53263.patch
+Patch2:        CVE-2025-22870.patch
 
 BuildRequires: golang
 BuildRequires: which
@@ -43,11 +44,9 @@ Requires:      git
 Git LFS is a command line extension and specification for managing large files with Git
 
 %prep
-%autosetup -N
+%autosetup -p1 -a1
 
 %build
-tar --no-same-owner -xf %{SOURCE1}
-%autopatch -p1 
 export GOPATH=%{our_gopath}
 export GOFLAGS="-buildmode=pie -trimpath -mod=vendor -modcacherw -ldflags=-linkmode=external"
 go generate ./commands
@@ -80,6 +79,9 @@ git lfs uninstall
 %{_mandir}/man5/*
 
 %changelog
+* Tue Apr 08 2025 Rohit Rawat <rohitrawat@microsoft.com> - 3.5.1-5
+- Patch CVE-2025-22870
+
 * Mon Jan 27 2025 Rohit Rawat <rohitrawat@microsoft.com> - 3.5.1-4
 - Add patch for CVE-2024-53263
 
