pkgsrc-Changes archive


CVS commit: pkgsrc/devel/git-lfs



Module Name:    pkgsrc
Committed By:   adam
Date:           Thu Oct 23 09:41:06 UTC 2025

Modified Files:
        pkgsrc/devel/git-lfs: Makefile distinfo

Log Message:
git-lfs: updated to 3.7.1

3.7.1 (16 October 2025)

This release introduces security fixes for Linux, macOS, and Windows
systems, which have been collectively assigned CVE-2025-26625.

When populating a Git repository's working tree with the contents of
Git LFS objects, certain Git LFS commands may write to files visible
outside the current Git working tree if symbolic or hard links exist
which collide with the paths of files tracked by Git LFS.

Git LFS has resolved this problem by revising the `git lfs checkout` and
`git lfs pull` commands so that they check for symbolic links in the same
manner as performed by Git before writing to files in the working tree.
These commands now also remove existing files in the working tree before
writing new files in their place.

As well, Git LFS has resolved a problem whereby the `git lfs checkout` and
`git lfs pull` commands, when run in a bare repository, could write to
files visible outside the repository.  While a specific and relatively
unlikely set of conditions were required for this to occur, it is no
longer possible under any circumstances.

We would like to extend a special thanks to the following open-source
contributors:

* Apple Product Security for reporting this to us responsibly

Bugs

* Detect symbolic links on checkout and pull (@chrisd8088)

Misc

* Upgrade to Go 1.25 (@chrisd8088)


To generate a diff of this commit:
cvs rdiff -u -r1.91 -r1.92 pkgsrc/devel/git-lfs/Makefile
cvs rdiff -u -r1.20 -r1.21 pkgsrc/devel/git-lfs/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/devel/git-lfs/Makefile
diff -u pkgsrc/devel/git-lfs/Makefile:1.91 pkgsrc/devel/git-lfs/Makefile:1.92
--- pkgsrc/devel/git-lfs/Makefile:1.91  Thu Oct 16 17:59:46 2025
+++ pkgsrc/devel/git-lfs/Makefile       Thu Oct 23 09:41:06 2025
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.91 2025/10/16 17:59:46 bsiegert Exp $
+# $NetBSD: Makefile,v 1.92 2025/10/23 09:41:06 adam Exp $
 
-DISTNAME=      git-lfs-3.7.0
-PKGREVISION=   4
+DISTNAME=      git-lfs-3.7.1
 CATEGORIES=    devel
 MASTER_SITES=  ${MASTER_SITE_GITHUB:=git-lfs/}
 GITHUB_TAG=    v${PKGVERSION_NOREV}
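Review bot: Nothing in this hunk reflects the "Upgrade to Go 1.25" item from the log message; only DISTNAME changes and PKGREVISION is dropped. Dropping PKGREVISION alongside the DISTNAME bump is correct, but please confirm that the Go toolchain selected for this package (set outside the visible lines) satisfies what 3.7.1 now requires. Since this update is the fix for CVE-2025-26625, it would also help to say so on the first line of the log message, "git-lfs: updated to 3.7.1", so the security relevance shows up in one-line summaries.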

Index: pkgsrc/devel/git-lfs/distinfo
diff -u pkgsrc/devel/git-lfs/distinfo:1.20 pkgsrc/devel/git-lfs/distinfo:1.21
--- pkgsrc/devel/git-lfs/distinfo:1.20  Wed Jul  9 11:49:46 2025
+++ pkgsrc/devel/git-lfs/distinfo       Thu Oct 23 09:41:06 2025
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.20 2025/07/09 11:49:46 adam Exp $
+$NetBSD: distinfo,v 1.21 2025/10/23 09:41:06 adam Exp $
 
-BLAKE2s (git-lfs-3.7.0.tar.gz) = 9e3175575e8573f7f451c1bf43ef4aacf777295cd2e34a7d667334941e70f07f
-SHA512 (git-lfs-3.7.0.tar.gz) = 36488760310fa9124ed4db5d10de5bee2d413afbc67cd137f3f842c8ca549b35ad9e2da60c5f501c23c67dc663414ee97d7ad3b3245e7d51689020940fdee393
-Size (git-lfs-3.7.0.tar.gz) = 701005 bytes
+BLAKE2s (git-lfs-3.7.1.tar.gz) = 2c66c3ad97fac23cf2e14da98fb6d6972db46b1cee80b99b29481d33438ca783
+SHA512 (git-lfs-3.7.1.tar.gz) = 043efd5d12c3910bb03d22be5f2bfaf7cb53e767c1417114788c018e30b30a6f15a5fcc6535673342dc062996f64e0618d74ec529aacf52dadab6b8587d83301
+Size (git-lfs-3.7.1.tar.gz) = 713950 bytes
 BLAKE2s (github.com_alexbrainman_sspi_@v_v0.0.0-20210105120005-909beea2cc74.mod) = c21a1ebaba97d3b288d48b37ba7e87cb0872c5eaa04d535accae5c379fc492ff
 SHA512 (github.com_alexbrainman_sspi_@v_v0.0.0-20210105120005-909beea2cc74.mod) = 
aee6f208fe93284b91980e086ddb31e4550149072fbadb81a7084ad30d39bcbeda0e497aebfb231599ea22a52c67cdf4319a8b538e6594ec2bb2892c9ce77570
 Size (github.com_alexbrainman_sspi_@v_v0.0.0-20210105120005-909beea2cc74.mod) = 45 bytes
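Review bot: Only the three git-lfs-3.7.1.tar.gz entries change here, while the Go module entries that follow are untouched context. Given that the log also lists a Go upgrade upstream, please confirm the whole file was regenerated (for example with `make makesum` after fetching every distfile) rather than only the tarball lines being edited. Because this is a security release, it is also worth verifying that the new BLAKE2s and SHA512 values match the v3.7.1 tarball as fetched from MASTER_SITE_GITHUB before users pick up the package.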


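The two behaviours the 3.7.1 release notes describe, refusing to write through symbolic links and removing an existing file before writing its replacement, are shown below in Go. This is an added example, not git-lfs or pkgsrc code: `safeWrite` and `ErrSymlinkInPath` are hypothetical names, and it assumes the leading directories already exist and that nothing else modifies the tree between the checks and the write.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var ErrSymlinkInPath = errors.New("symbolic link in path") // a leading directory is a symlink

// safeWrite (hypothetical helper, not a git-lfs function) writes data to the
// slash-separated relative path rel under root without following any link.
func safeWrite(root, rel string, data []byte) error {
	clean := filepath.Clean(filepath.FromSlash(rel))
	if clean == "." || !filepath.IsLocal(clean) {
		return fmt.Errorf("path %q is not inside the working tree", rel)
	}
	parts := strings.Split(clean, string(filepath.Separator))
	dir := root
	// Lstat each leading directory: a symlinked directory would redirect the write.
	for _, p := range parts[:len(parts)-1] {
		dir = filepath.Join(dir, p)
		if fi, err := os.Lstat(dir); err != nil {
			return err
		} else if fi.Mode()&os.ModeSymlink != 0 {
			return fmt.Errorf("%w: %s", ErrSymlinkInPath, dir)
		}
	}
	target := filepath.Join(dir, parts[len(parts)-1])
	// Unlink whatever holds the final name (symlink or hard link) rather than
	// opening it, so the data cannot land in a file reachable by another path.
	if err := os.Remove(target); err != nil && !errors.Is(err, os.ErrNotExist) {
		return err
	}
	// O_EXCL makes the create fail if something reappeared after the removal.
	f, err := os.OpenFile(target, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o644)
	if err != nil {
		return err
	}
	_, werr := f.Write(data)
	return errors.Join(werr, f.Close())
}

func main() {
	root, _ := os.MkdirTemp("", "worktree") // constructed sample working tree
	defer os.RemoveAll(root)
	fmt.Println(safeWrite(root, "asset.bin", []byte("constructed LFS object contents")))
}
```
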
