[DRE-maint] Bug#888508: gitlab: multiple CVEs from GitLab Security Release: 10.3.4, 10.2.6, and 10.1.6 advisory

2018-03-12 Thread Balasankar C
Hi,

As per the upstream blog post,
https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/ ,
the applicability of the CVEs listed at
https://security-tracker.debian.org/tracker/source-package/gitlab to
the version of GitLab in Stretch is as follows.

CVE-2018-3710 - Applicable to version in Stretch (8.13.11)
CVE-2017-0927 - Applicable to version in Stretch (8.13.11)
CVE-2017-0926 - Applicable to version in Stretch (8.13.11)
CVE-2017-0925 - Applicable to version in Stretch (8.13.11)
CVE-2017-0923 - Applicable to version in Stretch (8.13.11)
CVE-2017-0918 - Applicable to version in Stretch (8.13.11)
CVE-2017-0916 - Applicable to version in Stretch (8.13.11)
CVE-2017-0915 - Applicable to version in Stretch (8.13.11)

CVE-2017-0914 - Not applicable to version in Stretch (8.13.11)
CVE-2017-0917 - Not applicable to version in Stretch (8.13.11)

Regarding CVE-2017-0923, I will confirm whether it is indeed applicable,
since the feature was introduced only in version 9.1
(https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/10017).


Regards
Balasankar C



___
Pkg-ruby-extras-maintainers mailing list
Pkg-ruby-extras-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers

[DRE-maint] Bug#888508: gitlab: multiple CVEs from GitLab Security Release: 10.3.4, 10.2.6, and 10.1.6 advisory

2018-03-11 Thread Pirate Praveen
On Saturday, 10 March 2018 11:25 PM, Pirate Praveen wrote:
> I will attach a debdiff tomorrow with the CVEs we already backported.

debdiff attached.

diff -Nru gitlab-8.13.11+dfsg/debian/changelog 
gitlab-8.13.11+dfsg/debian/changelog
--- gitlab-8.13.11+dfsg/debian/changelog2017-03-23 17:16:50.0 
+0530
+++ gitlab-8.13.11+dfsg/debian/changelog2018-03-11 20:13:17.0 
+0530
@@ -1,3 +1,10 @@
+gitlab (8.13.11+dfsg-8+deb9u1) stretch-security; urgency=high
+
+  * Fixes multiple security vulnerabilities (backported from 10.3.4 release)
+CVE-2017-0916, CVE-2017-0918, CVE-2017-0925, CVE-2017-0926, CVE-2017-3710
+
+ -- Pirate Praveen   Sun, 11 Mar 2018 20:13:17 +0530
+
 gitlab (8.13.11+dfsg-8) unstable; urgency=medium
 
   * Don't fail if gitlab-debian.defaults not found (to support upgrading
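Review bot: the CVE list in the new changelog entry names CVE-2017-3710, but the identifier tracked for this bug and used elsewhere in the thread is CVE-2018-3710; the security tracker matches on the exact id, so correct it before upload. The entry also covers only five CVEs while the thread lists CVE-2017-0915, CVE-2017-0923 and CVE-2017-0927 as still open or undetermined for 8.13.11; state in the changelog or the bug that those are not addressed by this upload so the bug is not closed prematurely.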
diff -Nru gitlab-8.13.11+dfsg/debian/patches/cve-2017-0916.patch 
gitlab-8.13.11+dfsg/debian/patches/cve-2017-0916.patch
--- gitlab-8.13.11+dfsg/debian/patches/cve-2017-0916.patch  1970-01-01 
05:30:00.0 +0530
+++ gitlab-8.13.11+dfsg/debian/patches/cve-2017-0916.patch  2018-03-11 
20:07:30.0 +0530
@@ -0,0 +1,32 @@
+--- a/app/models/hooks/web_hook.rb
 b/app/models/hooks/web_hook.rb
+@@ -19,6 +19,7 @@
+   default_timeout Gitlab.config.gitlab.webhook_timeout
+ 
+   validates :url, presence: true, url: true
++  validates :token, format: { without: /\n/ }
+ 
+   def execute(data, hook_name)
+ parsed_url = URI.parse(url)
+@@ -57,7 +58,7 @@
+   'Content-Type' => 'application/json',
+   'X-Gitlab-Event' => hook_name.singularize.titleize
+ }
+-headers['X-Gitlab-Token'] = token if token.present?
++headers['X-Gitlab-Token'] = Gitlab::Utils.remove_line_breaks(token) if 
token.present?
+ headers
+   end
+ end
+--- a/lib/gitlab/utils.rb
 b/lib/gitlab/utils.rb
+@@ -14,6 +14,10 @@
+   str.force_encoding(Encoding::UTF_8)
+ end
+ 
++def remove_line_breaks(str)
++  str.gsub(/\r?\n/, '')
++end
++
+ def to_boolean(value)
+   return value if [true, false].include?(value)
+   return true if value =~ /^(true|t|yes|y|1|on)$/i
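Review bot: the new patch file has no DEP-3 header (Origin: pointing at the upstream commit, Bug: referencing #888508, Applied-Upstream:), so a later maintainer cannot tell which upstream change this backports; add one above the first `--- a/` line. Also, the validator rejects only `/\n/` while `remove_line_breaks` strips `/\r?\n/`, so the two do not agree on which characters are unacceptable; make them consistent (for example `/[\r\n]/` in both) or confirm against the upstream commit that this is the intended shape.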
diff -Nru gitlab-8.13.11+dfsg/debian/patches/cve-2017-0918.patch 
gitlab-8.13.11+dfsg/debian/patches/cve-2017-0918.patch
--- gitlab-8.13.11+dfsg/debian/patches/cve-2017-0918.patch  1970-01-01 
05:30:00.0 +0530
+++ gitlab-8.13.11+dfsg/debian/patches/cve-2017-0918.patch  2018-03-11 
20:07:30.0 +0530
@@ -0,0 +1,28 @@
+--- a/lib/gitlab/ci/config/node/validators.rb
 b/lib/gitlab/ci/config/node/validators.rb
+@@ -48,10 +48,24 @@
+ include LegacyValidationHelpers
+ 
+ def validate_each(record, attribute, value)
+-  unless validate_string(value)
++  if validate_string(value)
++validate_path(record, attribute, value)
++  else
+ record.errors.add(attribute, 'should be a string or symbol')
+   end
+ end
++
++private
++
++def validate_path(record, attribute, value)
++  path = CGI.unescape(value.to_s)
++
++  if path.include?('/')
++record.errors.add(attribute, 'cannot contain the "/" 
character')
++  elsif path == '.' || path == '..'
++record.errors.add(attribute, 'cannot be "." or ".."')
++  end
++end
+   end
+ 
+   class TypeValidator < ActiveModel::EachValidator
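Review bot: no spec change accompanies the new `validate_path`, so nothing in the package's test run exercises the three rejections it adds (an unescaped `/`, `.`, and `..`); if the upstream commit carries spec updates, backport them too, otherwise add a minimal spec so the backport cannot regress silently. As with the other patch files, a DEP-3 header naming the upstream commit is missing.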
diff -Nru gitlab-8.13.11+dfsg/debian/patches/cve-2017-0925.patch 
gitlab-8.13.11+dfsg/debian/patches/cve-2017-0925.patch
--- gitlab-8.13.11+dfsg/debian/patches/cve-2017-0925.patch  1970-01-01 
05:30:00.0 +0530
+++ gitlab-8.13.11+dfsg/debian/patches/cve-2017-0925.patch  2018-03-11 
20:07:30.0 +0530
@@ -0,0 +1,39 @@
+--- a/app/models/service.rb
 b/app/models/service.rb
+@@ -98,6 +98,11 @@
+ nil
+   end
+ 
++  def api_field_names
++fields.map { |field| field[:name] }
++  .reject { |field_name| field_name =~ /(password|token|key)/ }
++  end
++
+   def global_fields
+ fields
+   end
+--- a/lib/api/entities.rb
 b/lib/api/entities.rb
+@@ -411,10 +411,7 @@
+   expose :tag_push_events, :note_events, :build_events, :pipeline_events
+   # Expose serialized properties
+   expose :properties do |service, options|
+-field_names = service.fields.
+-  select { |field| options[:include_passwords] || field[:type] != 
'password' }.
+-  map { |field| field[:name] }
+-service.properties.slice(*field_names)
++service.properties.slice(*service.api_field_names)
+   end
+ end
+ 
+--- a/lib/api/services.rb
 b/lib/api/services.rb
+@@ -56,7 +56,7 @@
+   #   GET /project/:id/services/gitlab-ci
+   #
+   get ':id/services/:service_slug' do
+-present project_service, with: Entities::ProjectService, 
include_passwords: current_user.is_admin?
++present 
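Review bot: the debdiff is cut off in the middle of the services.rb hunk (`+present` with nothing after it), so the replacement for the `include_passwords: current_user.is_admin?` call cannot be reviewed; please resend the complete debdiff. Note also that the entities.rb hunk replaces the admin-only `include_passwords` path with `api_field_names`, which unconditionally drops every field whose name matches `/(password|token|key)/`, so admins can no longer read those properties through the API; that is a visible API behaviour change and deserves a sentence in the changelog.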

[DRE-maint] Bug#888508: gitlab: multiple CVEs from GitLab Security Release: 10.3.4, 10.2.6, and 10.1.6 advisory

2018-03-10 Thread Pirate Praveen
On Mon, 5 Mar 2018 17:18:00 +0530 Pirate Praveen  wrote:
> On Sunday, 04 March 2018 10:29 PM, Moritz Mühlenhoff wrote:
> > We're now almost two months in after the upstream security
> > release. If this still isn't ready, that's a sign to me
> > that we can't reasonably support it, so the next best option
> > is to end-of-life it and eventually ask for its removal
> > from stretch.
> >
> > Cheers,
> > Moritz
> >
> I will ask upstream help in backporting and we can decide based on their
> response.
> 

I will attach a debdiff tomorrow with the CVEs we already backported.
And also will try to respond quicker in case of future CVEs.

CVE-2017-0923 does not seem to affect 8.13, as this feature was
introduced only in 9.1.

CVE-2017-0927 affects only an optional component of gitlab
(continuous deployment); while it would still be good to be able to fix it,
I don't think it should result in a removal.

I'm yet to hear back from upstream about their help in fixing this last CVE.




[DRE-maint] Bug#888508: gitlab: multiple CVEs from GitLab Security Release: 10.3.4, 10.2.6, and 10.1.6 advisory

2018-03-05 Thread Pirate Praveen
On Sunday, 04 March 2018 10:29 PM, Moritz Mühlenhoff wrote:
> We're now almost two months in after the upstream security
> release. If this still isn't ready, that's a sign to me
> that we can't reasonably support it, so the next best option
> is to end-of-life it and eventually ask for its removal
> from stretch.
>
> Cheers,
> Moritz
>
I will ask upstream help in backporting and we can decide based on their
response.




[DRE-maint] Bug#888508: gitlab: multiple CVEs from GitLab Security Release: 10.3.4, 10.2.6, and 10.1.6 advisory

2018-03-04 Thread Moritz Mühlenhoff
On Thu, Feb 15, 2018 at 09:53:25PM +0530, Pirate Praveen wrote:
> On Thursday, 15 February 2018 12:07 AM, Moritz Mühlenhoff wrote:
> > What's the status?
> > Cheers,
> > Moritz
> Some CVE patches are backported, but help is welcome,
> https://salsa.debian.org/ruby-team/gitlab/tree/master-8-13

We're now almost two months in after the upstream security
release. If this still isn't ready, that's a sign to me
that we can't reasonably support it, so the next best option
is to end-of-life it and eventually ask for its removal
from stretch.

Cheers,
Moritz


[DRE-maint] Bug#888508: gitlab: multiple CVEs from GitLab Security Release: 10.3.4, 10.2.6, and 10.1.6 advisory

2018-02-15 Thread Pirate Praveen
On Thursday, 15 February 2018 12:07 AM, Moritz Mühlenhoff wrote:
> What's the status?
> Cheers,
> Moritz
Some CVE patches are backported, but help is welcome,
https://salsa.debian.org/ruby-team/gitlab/tree/master-8-13

https://pad.disroot.org/p/gitlab_security_bp





[DRE-maint] Bug#888508: gitlab: multiple CVEs from GitLab Security Release: 10.3.4, 10.2.6, and 10.1.6 advisory

2018-02-14 Thread Moritz Mühlenhoff
On Fri, Jan 26, 2018 at 10:14:16PM +0530, Pirate Praveen wrote:
> On Friday, 26 January 2018 07:32 PM, Salvatore Bonaccorso wrote:
> > See
> > https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/
> > for which several go back to 8.9.0 versions.
> > 
> > There are three CVEs out of
> > https://security-tracker.debian.org/tracker/source-package/gitlab
> > belonging to that list which are yet marked undetermined, because it is not
> > clear from the advisory if 8.13.11+dfsg1-12 might be affected.
> > But assuming the 'version affected' information is correct, they are
> > not, please confirm so we can adjust the security-tracker information.
> 
> We are working on backporting the patches (8.13.12 doesn't have most of
> these patches). We will confirm once we go through all of it.

What's the status?

Cheers,
Moritz


[DRE-maint] Bug#888508: gitlab: multiple CVEs from GitLab Security Release: 10.3.4, 10.2.6, and 10.1.6 advisory

2018-01-27 Thread Pirate Praveen
On Friday, 26 January 2018 07:32 PM, Salvatore Bonaccorso wrote:
> See
> https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/
> for which several go back to 8.9.0 versions.
> 
> There are three CVEs out of
> https://security-tracker.debian.org/tracker/source-package/gitlab
> belonging to that list which are yet marked undetermined, because it is not
> clear from the advisory if 8.13.11+dfsg1-12 might be affected.
> But assuming the 'version affected' information is correct, they are
> not, please confirm so we can adjust the security-tracker information.

We are working on backporting the patches (8.13.12 doesn't have most of
these patches). We will confirm once we go through all of it.




[DRE-maint] Bug#888508: gitlab: multiple CVEs from GitLab Security Release: 10.3.4, 10.2.6, and 10.1.6 advisory

2018-01-27 Thread Salvatore Bonaccorso
Source: gitlab
Version: 8.13.11+dfsg1-12
Severity: grave
Tags: upstream security

Hi,

See
https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/
for which several go back to 8.9.0 versions.

There are three CVEs out of
https://security-tracker.debian.org/tracker/source-package/gitlab
belonging to that list which are yet marked undetermined, because it is not
clear from the advisory if 8.13.11+dfsg1-12 might be affected.
But assuming the 'version affected' information is correct, they are
not, please confirm so we can adjust the security-tracker information.

Regards,
Salvatore


-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.14.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
