On 05/05/17 20:46, Tomasz Buchert wrote: > On 05/05/17 06:19, Salvatore Bonaccorso wrote: > > [...] > > Hi Salvatore, > the fix for this issue seems to be here: > https://gitlab.com/winniehell/gitlab-ce/commit/dd944bf14f4a0fd555db32d5833325fa459d9565 > > I'll try to apply it to stretch's gitlab. > Tomasz
Interestingly, the CVE has been fixed for unstable just an hour ago or so: https://anonscm.debian.org/cgit/pkg-ruby-extras/gitlab.git/commit/?id=7241318db49ec356f31dac96345a4ff730d313f0 I've reapplied this for the stretch version and I attach the debdiff. I'm going to request an unblock for this. For some reason I couldn't push my branch to ssh://git.debian.org/git/pkg-ruby-extras/gitlab.git. Probably I should become ruby-extras team member or something. For this reason I also attach the commits from my branch. Cheers, Tomasz
diff -Nru gitlab-8.13.11+dfsg1/debian/changelog gitlab-8.13.11+dfsg1/debian/changelog
--- gitlab-8.13.11+dfsg1/debian/changelog 2017-04-21 12:32:25.000000000 +0200
+++ gitlab-8.13.11+dfsg1/debian/changelog 2017-05-05 21:23:50.000000000 +0200
@@ -1,3 +1,9 @@
+gitlab (8.13.11+dfsg1-4) testing-proposed-updates; urgency=medium
+
+ * Fix CVE-2017-8778
+
+ -- Tomasz Buchert <tom...@debian.org> Fri, 05 May 2017 21:23:50 +0200
+
gitlab (8.13.11+dfsg1-3) unstable; urgency=medium
* Quote variable in test -n (Thanks to Benjamin Drung)
diff -Nru gitlab-8.13.11+dfsg1/debian/patches/cve-2017-8778.patch gitlab-8.13.11+dfsg1/debian/patches/cve-2017-8778.patch
--- gitlab-8.13.11+dfsg1/debian/patches/cve-2017-8778.patch 1970-01-01 01:00:00.000000000 +0100
+++ gitlab-8.13.11+dfsg1/debian/patches/cve-2017-8778.patch 2017-05-05 21:14:50.000000000 +0200
@@ -0,0 +1,99 @@
+From: Debian Ruby Extras Maintainers
+ <pkg-ruby-extras-maintain...@lists.alioth.debian.org>
+Date: Fri, 5 May 2017 21:00:42 +0200
+Subject: cve-2017-8778
+
+---
+ app/uploaders/file_uploader.rb | 2 +-
+ app/uploaders/uploader_helper.rb | 8 ++++++++
+ spec/controllers/uploads_controller_spec.rb | 22 ++++++++++++++++++++++
+ spec/factories/notes.rb | 6 +++++-
+ 4 files changed, 36 insertions(+), 2 deletions(-)
+
+diff --git a/app/uploaders/file_uploader.rb b/app/uploaders/file_uploader.rb
+index 3ac6030..407606a 100644
+--- a/app/uploaders/file_uploader.rb
++++ b/app/uploaders/file_uploader.rb
+@@ -36,7 +36,7 @@ class FileUploader < CarrierWave::Uploader::Base
+ escaped_filename = filename.gsub("]", "\\]")
+
+ markdown = "[#{escaped_filename}](#{self.secure_url})"
+- markdown.prepend("!") if image_or_video?
++ markdown.prepend("!") if image_or_video? || dangerous?
+
+ {
+ alt: filename,
+diff --git a/app/uploaders/uploader_helper.rb b/app/uploaders/uploader_helper.rb
+index b10ad71..5a9c0b7 100644
+--- a/app/uploaders/uploader_helper.rb
++++ b/app/uploaders/uploader_helper.rb
+@@ -7,11 +7,19 @@ module UploaderHelper
+ # on IE >= 9.
+ # http://archive.sublimevideo.info/20150912/docs.sublimevideo.net/troubleshooting.html
+ VIDEO_EXT = %w[mp4 m4v mov webm ogv]
++ # These extension types can contain dangerous code and should only be embedded inline with
++ # proper filtering. They should always be tagged as "Content-Disposition: attachment", not "inline".
++ DANGEROUS_EXT = %w[svg]
++
+
+ def image?
+ extension_match?(IMAGE_EXT)
+ end
+
++ def dangerous?
++ extension_match?(DANGEROUS_EXT)
++ end
++
+ def video?
+ extension_match?(VIDEO_EXT)
+ end
+diff --git a/spec/controllers/uploads_controller_spec.rb b/spec/controllers/uploads_controller_spec.rb
+index 69124ab..8ea9c71 100644
+--- a/spec/controllers/uploads_controller_spec.rb
++++ b/spec/controllers/uploads_controller_spec.rb
+@@ -4,6 +4,28 @@ describe UploadsController do
+ let!(:user) { create(:user, avatar: fixture_file_upload(Rails.root + "spec/fixtures/dk.png", "image/png")) }
+
+ describe "GET show" do
++ context 'Content-Disposition security measures' do
++ let(:project) { create(:empty_project, :public) }
++
++ context 'for PNG files' do
++ it 'returns Content-Disposition: inline' do
++ note = create(:note, :with_attachment, project: project)
++ get :show, model: 'note', mounted_as: 'attachment', id: note.id, filename: 'image.png'
++
++ expect(response['Content-Disposition']).to start_with('inline;')
++ end
++ end
++
++ context 'for SVG files' do
++ it 'returns Content-Disposition: attachment' do
++ note = create(:note, :with_svg_attachment, project: project)
++ get :show, model: 'note', mounted_as: 'attachment', id: note.id, filename: 'image.svg'
++
++ expect(response['Content-Disposition']).to start_with('attachment;')
++ end
++ end
++ end
++
+ context "when viewing a user avatar" do
+ context "when signed in" do
+ before do
+diff --git a/spec/factories/notes.rb b/spec/factories/notes.rb
+index a10ba62..b60b9f6 100644
+--- a/spec/factories/notes.rb
++++ b/spec/factories/notes.rb
+@@ -83,7 +83,11 @@ FactoryGirl.define do
+ end
+
+ trait :with_attachment do
+- attachment { fixture_file_upload(Rails.root + "spec/fixtures/dk.png", "`/png") }
++ attachment { fixture_file_upload(Rails.root + "spec/fixtures/dk.png", "image/png") }
++ end
++
++ trait :with_svg_attachment do
++ attachment { fixture_file_upload(Rails.root + "spec/fixtures/unsanitized.svg", "image/svg+xml") }
+ end
+ end
+ end
diff -Nru gitlab-8.13.11+dfsg1/debian/patches/series gitlab-8.13.11+dfsg1/debian/patches/series
--- gitlab-8.13.11+dfsg1/debian/patches/series 2017-04-21 12:32:25.000000000 +0200
+++ gitlab-8.13.11+dfsg1/debian/patches/series 2017-05-05 21:14:50.000000000 +0200
@@ -10,3 +10,4 @@
0210-use-jquery-ui-rails6.patch
0300-git-2-11-support.patch
cve-2017-0882.patch
+cve-2017-8778.patch
From b2a3feebe1e49ed14ef4eabf70ca3ecf4930f9b1 Mon Sep 17 00:00:00 2001
From: Tomasz Buchert <tom...@buchert.pl>
Date: Fri, 5 May 2017 21:15:30 +0200
Subject: [PATCH 1/2] Fix CVE-2017-8778
---
debian/patches/cve-2017-8778.patch | 99 ++++++++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
2 files changed, 100 insertions(+)
create mode 100644 debian/patches/cve-2017-8778.patch
diff --git a/debian/patches/cve-2017-8778.patch b/debian/patches/cve-2017-8778.patch
new file mode 100644
index 00000000..000507b6
--- /dev/null
+++ b/debian/patches/cve-2017-8778.patch
@@ -0,0 +1,99 @@
+From: Debian Ruby Extras Maintainers
+ <pkg-ruby-extras-maintain...@lists.alioth.debian.org>
+Date: Fri, 5 May 2017 21:00:42 +0200
+Subject: cve-2017-8778
+
+---
+ app/uploaders/file_uploader.rb | 2 +-
+ app/uploaders/uploader_helper.rb | 8 ++++++++
+ spec/controllers/uploads_controller_spec.rb | 22 ++++++++++++++++++++++
+ spec/factories/notes.rb | 6 +++++-
+ 4 files changed, 36 insertions(+), 2 deletions(-)
+
+diff --git a/app/uploaders/file_uploader.rb b/app/uploaders/file_uploader.rb
+index 3ac6030..407606a 100644
+--- a/app/uploaders/file_uploader.rb
++++ b/app/uploaders/file_uploader.rb
+@@ -36,7 +36,7 @@ class FileUploader < CarrierWave::Uploader::Base
+ escaped_filename = filename.gsub("]", "\\]")
+
+ markdown = "[#{escaped_filename}](#{self.secure_url})"
+- markdown.prepend("!") if image_or_video?
++ markdown.prepend("!") if image_or_video? || dangerous?
+
+ {
+ alt: filename,
+diff --git a/app/uploaders/uploader_helper.rb b/app/uploaders/uploader_helper.rb
+index b10ad71..5a9c0b7 100644
+--- a/app/uploaders/uploader_helper.rb
++++ b/app/uploaders/uploader_helper.rb
+@@ -7,11 +7,19 @@ module UploaderHelper
+ # on IE >= 9.
+ # http://archive.sublimevideo.info/20150912/docs.sublimevideo.net/troubleshooting.html
+ VIDEO_EXT = %w[mp4 m4v mov webm ogv]
++ # These extension types can contain dangerous code and should only be embedded inline with
++ # proper filtering. They should always be tagged as "Content-Disposition: attachment", not "inline".
++ DANGEROUS_EXT = %w[svg]
++
+
+ def image?
+ extension_match?(IMAGE_EXT)
+ end
+
++ def dangerous?
++ extension_match?(DANGEROUS_EXT)
++ end
++
+ def video?
+ extension_match?(VIDEO_EXT)
+ end
+diff --git a/spec/controllers/uploads_controller_spec.rb b/spec/controllers/uploads_controller_spec.rb
+index 69124ab..8ea9c71 100644
+--- a/spec/controllers/uploads_controller_spec.rb
++++ b/spec/controllers/uploads_controller_spec.rb
+@@ -4,6 +4,28 @@ describe UploadsController do
+ let!(:user) { create(:user, avatar: fixture_file_upload(Rails.root + "spec/fixtures/dk.png", "image/png")) }
+
+ describe "GET show" do
++ context 'Content-Disposition security measures' do
++ let(:project) { create(:empty_project, :public) }
++
++ context 'for PNG files' do
++ it 'returns Content-Disposition: inline' do
++ note = create(:note, :with_attachment, project: project)
++ get :show, model: 'note', mounted_as: 'attachment', id: note.id, filename: 'image.png'
++
++ expect(response['Content-Disposition']).to start_with('inline;')
++ end
++ end
++
++ context 'for SVG files' do
++ it 'returns Content-Disposition: attachment' do
++ note = create(:note, :with_svg_attachment, project: project)
++ get :show, model: 'note', mounted_as: 'attachment', id: note.id, filename: 'image.svg'
++
++ expect(response['Content-Disposition']).to start_with('attachment;')
++ end
++ end
++ end
++
+ context "when viewing a user avatar" do
+ context "when signed in" do
+ before do
+diff --git a/spec/factories/notes.rb b/spec/factories/notes.rb
+index a10ba62..b60b9f6 100644
+--- a/spec/factories/notes.rb
++++ b/spec/factories/notes.rb
+@@ -83,7 +83,11 @@ FactoryGirl.define do
+ end
+
+ trait :with_attachment do
+- attachment { fixture_file_upload(Rails.root + "spec/fixtures/dk.png", "`/png") }
++ attachment { fixture_file_upload(Rails.root + "spec/fixtures/dk.png", "image/png") }
++ end
++
++ trait :with_svg_attachment do
++ attachment { fixture_file_upload(Rails.root + "spec/fixtures/unsanitized.svg", "image/svg+xml") }
+ end
+ end
+ end
diff --git a/debian/patches/series b/debian/patches/series
index d8465521..e1c69c4c 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -10,3 +10,4 @@ pid-log-paths.patch
0210-use-jquery-ui-rails6.patch
0300-git-2-11-support.patch
cve-2017-0882.patch
+cve-2017-8778.patch
--
2.11.0
From f1d8b98b5561977ca12e4df054c9620161b5c57e Mon Sep 17 00:00:00 2001 From: Tomasz Buchert <tom...@buchert.pl> Date: Fri, 5 May 2017 21:24:14 +0200 Subject: [PATCH 2/2] release --- debian/changelog | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/debian/changelog b/debian/changelog index 7e0a139a..49dafd0d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +gitlab (8.13.11+dfsg1-4) testing-proposed-updates; urgency=medium + + * Fix CVE-2017-8778 + + -- Tomasz Buchert <tom...@debian.org> Fri, 05 May 2017 21:23:50 +0200 + gitlab (8.13.11+dfsg1-3) unstable; urgency=medium * Quote variable in test -n (Thanks to Benjamin Drung) -- 2.11.0
signature.asc
Description: PGP signature
