Fix CVE-2017-8778

debian/changelog

@@ -1,3 +1,10 @@
+gitlab (8.13.11+dfsg1-6) UNRELEASED; urgency=medium
+
+  * Team upload.
+  * Fix CVE-2017-8778 (Closes: #861870)
+
+ -- Balasankar C <balasankarc@autistici.org>  Fri, 05 May 2017 23:55:26 +0530
+
 gitlab (8.13.11+dfsg1-5) unstable; urgency=medium
 
   * Fix letsencrypt email handling in config

debian/patches/cve-2017-8778.patch

@@ -0,0 +1,87 @@
+Description: Patch against CVE-2017-8778
+Author: Brian Neel <brian@gitlab.com>
+Origin: <upstream|backport|vendor|other>, <URL, required except if Author is present>
+Bug: https://gitlab.com/gitlab-org/gitlab-ce/issues/27471
+Applied-Upstream: https://gitlab.com/gitlab-org/gitlab-ce/commit/dd944bf14f4a0fd555db32d5833325fa459d9565
+Last-Update: 2017-05-05
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/app/uploaders/file_uploader.rb
++++ b/app/uploaders/file_uploader.rb
+@@ -36,7 +36,7 @@
+     escaped_filename = filename.gsub("]", "\\]")
+
+     markdown = "[#{escaped_filename}](#{self.secure_url})"
+-    markdown.prepend("!") if image_or_video?
++    markdown.prepend("!") if image_or_video? || dangerous?
+
+     {
+       alt:      filename,
+--- a/app/uploaders/uploader_helper.rb
++++ b/app/uploaders/uploader_helper.rb
+@@ -7,11 +7,19 @@
+   # on IE >= 9.
+   # http://archive.sublimevideo.info/20150912/docs.sublimevideo.net/troubleshooting.html
+   VIDEO_EXT = %w[mp4 m4v mov webm ogv]
++  # These extension types can contain dangerous code and should only be embedded inline with
++  # proper filtering. They should always be tagged as "Content-Disposition: attachment", not "inline".
++  DANGEROUS_EXT = %w[svg]
++
+
+   def image?
+     extension_match?(IMAGE_EXT)
+   end
+
++  def dangerous?
++    extension_match?(DANGEROUS_EXT)
++  end
++
+   def video?
+     extension_match?(VIDEO_EXT)
+   end
+--- a/spec/controllers/uploads_controller_spec.rb
++++ b/spec/controllers/uploads_controller_spec.rb
+@@ -4,6 +4,28 @@
+   let!(:user) { create(:user, avatar: fixture_file_upload(Rails.root + "spec/fixtures/dk.png", "image/png")) }
+
+   describe "GET show" do
++    context 'Content-Disposition security measures' do
++      let(:project) { create(:empty_project, :public) }
++
++      context 'for PNG files' do
++        it 'returns Content-Disposition: inline' do
++          note = create(:note, :with_attachment, project: project)
++          get :show, model: 'note', mounted_as: 'attachment', id: note.id, filename: 'image.png'
++
++          expect(response['Content-Disposition']).to start_with('inline;')
++        end
++      end
++
++      context 'for SVG files' do
++        it 'returns Content-Disposition: attachment' do
++          note = create(:note, :with_svg_attachment, project: project)
++          get :show, model: 'note', mounted_as: 'attachment', id: note.id, filename: 'image.svg'
++
++          expect(response['Content-Disposition']).to start_with('attachment;')
++        end
++      end
++    end
++
+     context "when viewing a user avatar" do
+       context "when signed in" do
+         before do
+--- a/spec/factories/notes.rb
++++ b/spec/factories/notes.rb
+@@ -83,7 +83,11 @@
+     end
+
+     trait :with_attachment do
+-      attachment { fixture_file_upload(Rails.root + "spec/fixtures/dk.png", "`/png") }
++      attachment { fixture_file_upload(Rails.root + "spec/fixtures/dk.png", "image/png") }
++    end
++
++    trait :with_svg_attachment do
++      attachment { fixture_file_upload(Rails.root + "spec/fixtures/unsanitized.svg", "image/svg+xml") }
+     end
+   end
+ end

debian/patches/series

@@ -10,3 +10,4 @@ pid-log-paths.patch
 0210-use-jquery-ui-rails6.patch
 0300-git-2-11-support.patch
 cve-2017-0882.patch
+cve-2017-8778.patch