On 05/05/17 20:46, Tomasz Buchert wrote: > On 05/05/17 06:19, Salvatore Bonaccorso wrote: > > [...] > > Hi Salvatore, > the fix for this issue seems to be here: > https://gitlab.com/winniehell/gitlab-ce/commit/dd944bf14f4a0fd555db32d5833325fa459d9565 > > I'll try to apply it to stretch's gitlab. > Tomasz
Interestingly, the CVE has been fixed for unstable just an hour ago or so: https://anonscm.debian.org/cgit/pkg-ruby-extras/gitlab.git/commit/?id=7241318db49ec356f31dac96345a4ff730d313f0 I've reapplied this for the stretch version and I attach the debdiff. I'm going to request an unblock for this. For some reason I couldn't push my branch to ssh://git.debian.org/git/pkg-ruby-extras/gitlab.git. Probably I should become ruby-extras team member or something. For this reason I also attach the commits from my branch. Cheers, Tomasz
diff -Nru gitlab-8.13.11+dfsg1/debian/changelog gitlab-8.13.11+dfsg1/debian/changelog --- gitlab-8.13.11+dfsg1/debian/changelog 2017-04-21 12:32:25.000000000 +0200 +++ gitlab-8.13.11+dfsg1/debian/changelog 2017-05-05 21:23:50.000000000 +0200 @@ -1,3 +1,9 @@ +gitlab (8.13.11+dfsg1-4) testing-proposed-updates; urgency=medium + + * Fix CVE-2017-8778 + + -- Tomasz Buchert <tom...@debian.org> Fri, 05 May 2017 21:23:50 +0200 + gitlab (8.13.11+dfsg1-3) unstable; urgency=medium * Quote variable in test -n (Thanks to Benjamin Drung) diff -Nru gitlab-8.13.11+dfsg1/debian/patches/cve-2017-8778.patch gitlab-8.13.11+dfsg1/debian/patches/cve-2017-8778.patch --- gitlab-8.13.11+dfsg1/debian/patches/cve-2017-8778.patch 1970-01-01 01:00:00.000000000 +0100 +++ gitlab-8.13.11+dfsg1/debian/patches/cve-2017-8778.patch 2017-05-05 21:14:50.000000000 +0200 @@ -0,0 +1,99 @@ +From: Debian Ruby Extras Maintainers + <pkg-ruby-extras-maintain...@lists.alioth.debian.org> +Date: Fri, 5 May 2017 21:00:42 +0200 +Subject: cve-2017-8778 + +--- + app/uploaders/file_uploader.rb | 2 +- + app/uploaders/uploader_helper.rb | 8 ++++++++ + spec/controllers/uploads_controller_spec.rb | 22 ++++++++++++++++++++++ + spec/factories/notes.rb | 6 +++++- + 4 files changed, 36 insertions(+), 2 deletions(-) + +diff --git a/app/uploaders/file_uploader.rb b/app/uploaders/file_uploader.rb +index 3ac6030..407606a 100644 +--- a/app/uploaders/file_uploader.rb ++++ b/app/uploaders/file_uploader.rb +@@ -36,7 +36,7 @@ class FileUploader < CarrierWave::Uploader::Base + escaped_filename = filename.gsub("]", "\\]") + + markdown = "[#{escaped_filename}](#{self.secure_url})" +- markdown.prepend("!") if image_or_video? ++ markdown.prepend("!") if image_or_video? || dangerous? + + { + alt: filename, +diff --git a/app/uploaders/uploader_helper.rb b/app/uploaders/uploader_helper.rb +index b10ad71..5a9c0b7 100644 +--- a/app/uploaders/uploader_helper.rb ++++ b/app/uploaders/uploader_helper.rb +@@ -7,11 +7,19 @@ module UploaderHelper + # on IE >= 9. + # http://archive.sublimevideo.info/20150912/docs.sublimevideo.net/troubleshooting.html + VIDEO_EXT = %w[mp4 m4v mov webm ogv] ++ # These extension types can contain dangerous code and should only be embedded inline with ++ # proper filtering. They should always be tagged as "Content-Disposition: attachment", not "inline". ++ DANGEROUS_EXT = %w[svg] ++ + + def image? + extension_match?(IMAGE_EXT) + end + ++ def dangerous? ++ extension_match?(DANGEROUS_EXT) ++ end ++ + def video? + extension_match?(VIDEO_EXT) + end +diff --git a/spec/controllers/uploads_controller_spec.rb b/spec/controllers/uploads_controller_spec.rb +index 69124ab..8ea9c71 100644 +--- a/spec/controllers/uploads_controller_spec.rb ++++ b/spec/controllers/uploads_controller_spec.rb +@@ -4,6 +4,28 @@ describe UploadsController do + let!(:user) { create(:user, avatar: fixture_file_upload(Rails.root + "spec/fixtures/dk.png", "image/png")) } + + describe "GET show" do ++ context 'Content-Disposition security measures' do ++ let(:project) { create(:empty_project, :public) } ++ ++ context 'for PNG files' do ++ it 'returns Content-Disposition: inline' do ++ note = create(:note, :with_attachment, project: project) ++ get :show, model: 'note', mounted_as: 'attachment', id: note.id, filename: 'image.png' ++ ++ expect(response['Content-Disposition']).to start_with('inline;') ++ end ++ end ++ ++ context 'for SVG files' do ++ it 'returns Content-Disposition: attachment' do ++ note = create(:note, :with_svg_attachment, project: project) ++ get :show, model: 'note', mounted_as: 'attachment', id: note.id, filename: 'image.svg' ++ ++ expect(response['Content-Disposition']).to start_with('attachment;') ++ end ++ end ++ end ++ + context "when viewing a user avatar" do + context "when signed in" do + before do +diff --git a/spec/factories/notes.rb b/spec/factories/notes.rb +index a10ba62..b60b9f6 100644 +--- a/spec/factories/notes.rb ++++ b/spec/factories/notes.rb +@@ -83,7 +83,11 @@ FactoryGirl.define do + end + + trait :with_attachment do +- attachment { fixture_file_upload(Rails.root + "spec/fixtures/dk.png", "`/png") } ++ attachment { fixture_file_upload(Rails.root + "spec/fixtures/dk.png", "image/png") } ++ end ++ ++ trait :with_svg_attachment do ++ attachment { fixture_file_upload(Rails.root + "spec/fixtures/unsanitized.svg", "image/svg+xml") } + end + end + end diff -Nru gitlab-8.13.11+dfsg1/debian/patches/series gitlab-8.13.11+dfsg1/debian/patches/series --- gitlab-8.13.11+dfsg1/debian/patches/series 2017-04-21 12:32:25.000000000 +0200 +++ gitlab-8.13.11+dfsg1/debian/patches/series 2017-05-05 21:14:50.000000000 +0200 @@ -10,3 +10,4 @@ 0210-use-jquery-ui-rails6.patch 0300-git-2-11-support.patch cve-2017-0882.patch +cve-2017-8778.patch
From b2a3feebe1e49ed14ef4eabf70ca3ecf4930f9b1 Mon Sep 17 00:00:00 2001 From: Tomasz Buchert <tom...@buchert.pl> Date: Fri, 5 May 2017 21:15:30 +0200 Subject: [PATCH 1/2] Fix CVE-2017-8778 --- debian/patches/cve-2017-8778.patch | 99 ++++++++++++++++++++++++++++++++++++++ debian/patches/series | 1 + 2 files changed, 100 insertions(+) create mode 100644 debian/patches/cve-2017-8778.patch diff --git a/debian/patches/cve-2017-8778.patch b/debian/patches/cve-2017-8778.patch new file mode 100644 index 00000000..000507b6 --- /dev/null +++ b/debian/patches/cve-2017-8778.patch @@ -0,0 +1,99 @@ +From: Debian Ruby Extras Maintainers + <pkg-ruby-extras-maintain...@lists.alioth.debian.org> +Date: Fri, 5 May 2017 21:00:42 +0200 +Subject: cve-2017-8778 + +--- + app/uploaders/file_uploader.rb | 2 +- + app/uploaders/uploader_helper.rb | 8 ++++++++ + spec/controllers/uploads_controller_spec.rb | 22 ++++++++++++++++++++++ + spec/factories/notes.rb | 6 +++++- + 4 files changed, 36 insertions(+), 2 deletions(-) + +diff --git a/app/uploaders/file_uploader.rb b/app/uploaders/file_uploader.rb +index 3ac6030..407606a 100644 +--- a/app/uploaders/file_uploader.rb ++++ b/app/uploaders/file_uploader.rb +@@ -36,7 +36,7 @@ class FileUploader < CarrierWave::Uploader::Base + escaped_filename = filename.gsub("]", "\\]") + + markdown = "[#{escaped_filename}](#{self.secure_url})" +- markdown.prepend("!") if image_or_video? ++ markdown.prepend("!") if image_or_video? || dangerous? + + { + alt: filename, +diff --git a/app/uploaders/uploader_helper.rb b/app/uploaders/uploader_helper.rb +index b10ad71..5a9c0b7 100644 +--- a/app/uploaders/uploader_helper.rb ++++ b/app/uploaders/uploader_helper.rb +@@ -7,11 +7,19 @@ module UploaderHelper + # on IE >= 9. + # http://archive.sublimevideo.info/20150912/docs.sublimevideo.net/troubleshooting.html + VIDEO_EXT = %w[mp4 m4v mov webm ogv] ++ # These extension types can contain dangerous code and should only be embedded inline with ++ # proper filtering. They should always be tagged as "Content-Disposition: attachment", not "inline". ++ DANGEROUS_EXT = %w[svg] ++ + + def image? + extension_match?(IMAGE_EXT) + end + ++ def dangerous? ++ extension_match?(DANGEROUS_EXT) ++ end ++ + def video? + extension_match?(VIDEO_EXT) + end +diff --git a/spec/controllers/uploads_controller_spec.rb b/spec/controllers/uploads_controller_spec.rb +index 69124ab..8ea9c71 100644 +--- a/spec/controllers/uploads_controller_spec.rb ++++ b/spec/controllers/uploads_controller_spec.rb +@@ -4,6 +4,28 @@ describe UploadsController do + let!(:user) { create(:user, avatar: fixture_file_upload(Rails.root + "spec/fixtures/dk.png", "image/png")) } + + describe "GET show" do ++ context 'Content-Disposition security measures' do ++ let(:project) { create(:empty_project, :public) } ++ ++ context 'for PNG files' do ++ it 'returns Content-Disposition: inline' do ++ note = create(:note, :with_attachment, project: project) ++ get :show, model: 'note', mounted_as: 'attachment', id: note.id, filename: 'image.png' ++ ++ expect(response['Content-Disposition']).to start_with('inline;') ++ end ++ end ++ ++ context 'for SVG files' do ++ it 'returns Content-Disposition: attachment' do ++ note = create(:note, :with_svg_attachment, project: project) ++ get :show, model: 'note', mounted_as: 'attachment', id: note.id, filename: 'image.svg' ++ ++ expect(response['Content-Disposition']).to start_with('attachment;') ++ end ++ end ++ end ++ + context "when viewing a user avatar" do + context "when signed in" do + before do +diff --git a/spec/factories/notes.rb b/spec/factories/notes.rb +index a10ba62..b60b9f6 100644 +--- a/spec/factories/notes.rb ++++ b/spec/factories/notes.rb +@@ -83,7 +83,11 @@ FactoryGirl.define do + end + + trait :with_attachment do +- attachment { fixture_file_upload(Rails.root + "spec/fixtures/dk.png", "`/png") } ++ attachment { fixture_file_upload(Rails.root + "spec/fixtures/dk.png", "image/png") } ++ end ++ ++ trait :with_svg_attachment do ++ attachment { fixture_file_upload(Rails.root + "spec/fixtures/unsanitized.svg", "image/svg+xml") } + end + end + end diff --git a/debian/patches/series b/debian/patches/series index d8465521..e1c69c4c 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -10,3 +10,4 @@ pid-log-paths.patch 0210-use-jquery-ui-rails6.patch 0300-git-2-11-support.patch cve-2017-0882.patch +cve-2017-8778.patch -- 2.11.0
From f1d8b98b5561977ca12e4df054c9620161b5c57e Mon Sep 17 00:00:00 2001 From: Tomasz Buchert <tom...@buchert.pl> Date: Fri, 5 May 2017 21:24:14 +0200 Subject: [PATCH 2/2] release --- debian/changelog | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/debian/changelog b/debian/changelog index 7e0a139a..49dafd0d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +gitlab (8.13.11+dfsg1-4) testing-proposed-updates; urgency=medium + + * Fix CVE-2017-8778 + + -- Tomasz Buchert <tom...@debian.org> Fri, 05 May 2017 21:23:50 +0200 + gitlab (8.13.11+dfsg1-3) unstable; urgency=medium * Quote variable in test -n (Thanks to Benjamin Drung) -- 2.11.0
signature.asc
Description: PGP signature