From d739c1e42972f4f9a73cee11b58877d0304efb17 Mon Sep 17 00:00:00 2001
From: Balasankar C
Date: Sat, 5 Jan 2019 16:20:14 +0530
Subject: [PATCH 1/7] Set debian version as env variable
---
debian/conf/gitlab-debian.conf.example | 3 +++
debian/rules | 3 +++
2 files changed, 6 insertions(+)
diff --git a/debian/conf/gitlab-debian.conf.example b/debian/conf/gitlab-debian.conf.example
index 1ef2d433b4..ebf2701131 100644
--- a/debian/conf/gitlab-debian.conf.example
+++ b/debian/conf/gitlab-debian.conf.example
@@ -2,6 +2,9 @@
 # Variables with all caps are passed to gitlab app
 RAILS_ENV=production
 DB=postgres
+# This will be replaced by debian/rules at the time of build.
+GITLAB_DEBIAN_VERSION="__NEW_VERSION__"
+SALSA_TAG_URL="https://salsa.debian.org/ruby-team/gitlab/tags/debian/"
 gitlab_app_root=/usr/share/gitlab
 gitlab_data_dir=/var/lib/gitlab
 gitlab_pid_path=/run/gitlab
diff --git a/debian/rules b/debian/rules
index 77e3f23952..e7febc9fa4 100755
--- a/debian/rules
+++ b/debian/rules
@@ -1,5 +1,7 @@
 #!/usr/bin/make -f

+include /usr/share/dpkg/pkg-info.mk
+
 %:
 dh $@ --with=systemd

@@ -12,6 +14,7 @@ override_dh_install:
 mv debian/gitlab/usr/share/gitlab/app/assets/javascripts/locale \
 debian/gitlab/usr/share/gitlab/app/assets/javascripts/locale.static
 mv debian/gitlab/var/lib/gitlab/db/schema.rb debian/gitlab/var/lib/gitlab/db/schema.rb.template
+ sed -i 's/__NEW_VERSION__/${DEB_VERSION}/g' debian/gitlab/usr/lib/gitlab/templates/gitlab-debian.conf.example

 override_dh_installinit:
 dh_installinit --no-start -p gitlab --name=gitlab-sidekiq
From 928702a5d011eeb01392596fdf85582174a05563 Mon Sep 17 00:00:00 2001
From: Balasankar C
Date: Sun, 16 Dec 2018 13:19:38 +0530
Subject: [PATCH 2/7] Add patch to use project link on Salsa in the help page
---
.../patches/0700-add-salsa-link-to-help.patch | 19 +++++++++++++++++++
debian/patches/series | 1 +
2 files changed, 20 insertions(+)
create mode 100644 debian/patches/0700-add-salsa-link-to-help.patch
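Review bot: The comment added above `GITLAB_DEBIAN_VERSION="__NEW_VERSION__"` says the placeholder is replaced at build time, but the `sed -i` in override_dh_install (same commit, debian/rules) rewrites only the copy installed under debian/gitlab/usr/lib/gitlab/templates/, so the file in debian/conf keeps the literal `__NEW_VERSION__` and anything that sources it directly exports that string, which the help-page link in the next commit would then append to SALSA_TAG_URL. A comment naming the mechanism avoids that surprise: `# __NEW_VERSION__ is substituted with DEB_VERSION (dpkg's pkg-info.mk) by override_dh_install in debian/rules; this source copy keeps the placeholder.` The sed replacement text is expanded by make before the shell sees it and a Debian version cannot contain `/`, so the substitution is safe, but a one-line comment beside the `sed` line saying so would save the next reader the same check.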
diff --git a/debian/patches/0700-add-salsa-link-to-help.patch b/debian/patches/0700-add-salsa-link-to-help.patch
new file mode 100644
index 0000000000..68e49a4763
--- /dev/null
+++ b/debian/patches/0700-add-salsa-link-to-help.patch
@@ -0,0 +1,19 @@
+Description: Use link to gitlab project on Salsa in help page
+Author: Balasankar C
+Last-Update: 2018-12-16
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/app/helpers/version_check_helper.rb
++++ b/app/helpers/version_check_helper.rb
+@@ -11,7 +11,10 @@
+ end
+
+ def link_to_version
+- if Gitlab.pre_release?
++ if ENV['GITLAB_DEBIAN_VERSION'] && ENV['SALSA_TAG_URL']
++ debian_tag = ENV['GITLAB_DEBIAN_VERSION'].gsub('~', '_')
++ link_to ENV['GITLAB_DEBIAN_VERSION'], ENV['SALSA_TAG_URL'] + debian_tag
++ elsif Gitlab.pre_release?
+ commit_link = link_to(Gitlab.revision, Gitlab::COM_URL + namespace_project_commits_path('gitlab-org', source_code_project, Gitlab.revision))
+ [Gitlab::VERSION, content_tag(:small, commit_link)].join(' ').html_safe
+ else
diff --git a/debian/patches/series b/debian/patches/series
index a3c726cff0..47ed4cfcc8 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -22,3 +22,4 @@
 0650-fix-8-to-10-migration.patch
 0660-fix-gitlab-yml-path.patch
 0670-allow-doorkeepr-4_3.patch
+0700-add-salsa-link-to-help.patch
From f3f3a267ddbfd0a88b4de6bce24cfdf2831e4e79 Mon Sep 17 00:00:00 2001
From: Pirate Praveen
Date: Sun, 6 Jan 2019 20:44:18 +0530
Subject: [PATCH 3/7] Always overwrite private copy of gitlab-debian.conf (to add new entries)
---
debian/gitlab.postinst | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/debian/gitlab.postinst b/debian/gitlab.postinst
index 26dd923f36..eacd940c02 100755
--- a/debian/gitlab.postinst
+++ b/debian/gitlab.postinst
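Review bot: The new branch in `link_to_version` is guarded by `ENV['GITLAB_DEBIAN_VERSION'] && ENV['SALSA_TAG_URL']`, but an empty string is truthy in Ruby, so a gitlab-debian.conf that exports either variable empty (or still carrying the `__NEW_VERSION__` placeholder) takes the Debian branch and renders an empty or dead link instead of falling through to the upstream logic; `if ENV['GITLAB_DEBIAN_VERSION'].present? && ENV['SALSA_TAG_URL'].present?` is the usual Rails form. The `debian_tag` mangling maps only `~` to `_`; DEP-14 tag names also replace `:` with `%`, so if this package ever carries an epoch the link silently breaks, which is worth a comment on that line. The DEP-3 header of this patch (and of 0690-debian-usage-ping.patch in the later commit) has no `Forwarded:` field; `Forwarded: not-needed` records that these are Debian-specific. The enclosing `link_to_version` method continues outside the hunk.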
@@ -41,7 +41,9 @@ test -f ${gitlab_common_defaults} && . ${gitlab_common_defaults}

 # Read debian specific configuration
 #######################################################################
-test -f ${gitlab_debian_conf_private} || cp ${gitlab_debian_conf_example} ${gitlab_debian_conf_private}
+# Always copy the example configuration file in case there are newer entries
+# added by maintainer
+cp ${gitlab_debian_conf_example} ${gitlab_debian_conf_private}
 . ${gitlab_debian_conf_private}

 # If /etc/gitlab/gitlab-debian.conf is already present, use it
From 00d8c745c781dbdbd0eb0714c03b191ff74070be Mon Sep 17 00:00:00 2001
From: Balasankar C
Date: Fri, 4 Jan 2019 23:02:14 +0530
Subject: [PATCH 4/7] Add patch to set installation type
---
debian/patches/0690-debian-usage-ping.patch | 10 ++++++++++
debian/patches/series | 1 +
2 files changed, 11 insertions(+)
create mode 100644 debian/patches/0690-debian-usage-ping.patch
diff --git a/debian/patches/0690-debian-usage-ping.patch b/debian/patches/0690-debian-usage-ping.patch
new file mode 100644
index 0000000000..1f45ccce01
--- /dev/null
+++ b/debian/patches/0690-debian-usage-ping.patch
@@ -0,0 +1,10 @@
+Description: Set installation type to debian-native for usage ping differentiation
+Author: Balasankar C
+Last-Update: 2019-01-04
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/INSTALLATION_TYPE
++++ b/INSTALLATION_TYPE
+@@ -1 +1 @@
+-source
++debian-native
diff --git a/debian/patches/series b/debian/patches/series
index 47ed4cfcc8..ff902682c9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -22,4 +22,5 @@
 0650-fix-8-to-10-migration.patch
 0660-fix-gitlab-yml-path.patch
 0670-allow-doorkeepr-4_3.patch
+0690-debian-usage-ping.patch
 0700-add-salsa-link-to-help.patch
From 86ace60a9cca115683015e2374b6e43fe8a7355d Mon Sep 17 00:00:00 2001
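Review bot: The unconditional `cp` now clobbers ${gitlab_debian_conf_private} on every configure run, so any value an administrator edited into that file after an earlier version created it is silently discarded; the following context line suggests /etc/gitlab/gitlab-debian.conf is the supported place for overrides, and the new comment should say that rather than only why the copy is made, e.g. `# Always copy the example configuration so entries added by the maintainer are picked up; this private copy is overwritten on every upgrade, local changes belong in /etc/gitlab/gitlab-debian.conf.` Since `cp` keeps the mode of an existing destination but a fresh copy gets umask-derived permissions, it is worth confirming the private file is not expected to be readable only by the gitlab user; the variables are defined outside the hunk so this is inferred. The postinst section continues outside the hunk.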
From: Abhijith PA
Date: Sun, 20 Jan 2019 21:35:32 +0530
Subject: [PATCH 5/7] New upstream version 11.5.7+dfsg
---
CHANGELOG.md | 7 ++++++
VERSION | 2 +-
lib/gitlab/git/bundle_file.rb | 30 +++++++++++++++++++++++++
lib/gitlab/git/repository.rb | 5 +++++
scripts/prepare_build.sh | 2 +-
spec/fixtures/malicious.bundle | 1 +
spec/lib/gitlab/git/bundle_file_spec.rb | 26 +++++++++++++++++++++
spec/lib/gitlab/git/repository_spec.rb | 17 +++++++++-----
8 files changed, 83 insertions(+), 7 deletions(-)
create mode 100644 lib/gitlab/git/bundle_file.rb
create mode 100644 spec/fixtures/malicious.bundle
create mode 100644 spec/lib/gitlab/git/bundle_file_spec.rb
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4eb40fc0af..be14fd5ce9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,13 @@ documentation](doc/development/changelog.md) for instructions on adding your own entry.
+## 11.5.7 (2019-01-15)
+
+### Security (1 change)
+
+- Validate bundle files before unpacking them.
+
+
 ## 11.5.6 (2018-12-28)

 ### Security (17 changes)
diff --git a/VERSION b/VERSION
index 252c408627..5b8b3c0d81 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-11.5.6
+11.5.7
diff --git a/lib/gitlab/git/bundle_file.rb b/lib/gitlab/git/bundle_file.rb
new file mode 100644
index 0000000000..8384a436fc
--- /dev/null
+++ b/lib/gitlab/git/bundle_file.rb
@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+module Gitlab
+ module Git
+ class BundleFile
+ # All git bundle files start with this string
+ #
+ # https://github.com/git/git/blob/v2.20.1/bundle.c#L15
+ MAGIC = "# v2 git bundle\n"
+
+ InvalidBundleError = Class.new(StandardError)
+
+ attr_reader :filename
+
+ def self.check!(filename)
+ new(filename).check!
+ end
+
+ def initialize(filename)
+ @filename = filename
+ end
+
+ def check!
+ data = File.open(filename, 'r') { |f| f.read(MAGIC.size) }
+
+ raise InvalidBundleError, 'Invalid bundle file' unless data == MAGIC
+ end
+ end
+ end
+end
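Review bot: `check!` opens the file in text mode (`'r'`) and compares `f.read(MAGIC.size)` with the signature; `read` with a length returns raw bytes and MAGIC is ASCII, so the comparison works, but `data = File.open(filename, 'rb') { |f| f.read(MAGIC.bytesize) }` states the byte-level intent of a signature check and does not rely on the reader knowing that. An empty file makes `read` return nil and a truncated one a short string, both of which fail the `==` and raise, which is the right outcome but deserves to be pinned by the spec. The class carries no doc comment; `# Rejects files that do not begin with the git bundle signature. check! returns nil on success.` above the class and `# @raise [InvalidBundleError] when +filename+ is not a git bundle` on `check!` would document the contract `create_from_bundle` now depends on.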
diff --git a/lib/gitlab/git/repository.rb b/lib/gitlab/git/repository.rb
index 1642c4c568..756bdb2077 100644
--- a/lib/gitlab/git/repository.rb
+++ b/lib/gitlab/git/repository.rb
@@ -770,6 +770,11 @@ module Gitlab
 end

 def create_from_bundle(bundle_path)
+ # It's important to check that the linked-to file is actually a valid
+ # .bundle file as it is passed to `git clone`, which may otherwise
+ # interpret it as a pointer to another repository
+ ::Gitlab::Git::BundleFile.check!(bundle_path)
+
 gitaly_repository_client.create_from_bundle(bundle_path)
 end

diff --git a/scripts/prepare_build.sh b/scripts/prepare_build.sh
index 75a3cea044..d2b0b80061 100644
--- a/scripts/prepare_build.sh
+++ b/scripts/prepare_build.sh
@@ -11,7 +11,7 @@ fi

 # Only install knapsack after bundle install! Otherwise oddly some native
 # gems could not be found under some circumstance. No idea why, hours wasted.
-retry gem install knapsack --no-ri --no-rdoc
+retry gem install knapsack --no-document

 cp config/gitlab.yml.example config/gitlab.yml
 sed -i 's/bin_path: \/usr\/bin\/git/bin_path: \/usr\/local\/bin\/git/' config/gitlab.yml
diff --git a/spec/fixtures/malicious.bundle b/spec/fixtures/malicious.bundle
new file mode 100644
index 0000000000..7ba4793290
--- /dev/null
+++ b/spec/fixtures/malicious.bundle
@@ -0,0 +1 @@
+gitdir: foo.git
diff --git a/spec/lib/gitlab/git/bundle_file_spec.rb b/spec/lib/gitlab/git/bundle_file_spec.rb
new file mode 100644
index 0000000000..ff7c981dad
--- /dev/null
+++ b/spec/lib/gitlab/git/bundle_file_spec.rb
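Review bot: `create_from_bundle` now raises `Gitlab::Git::BundleFile::InvalidBundleError` before anything reaches Gitaly, a new exception type that callers of this method (outside the hunk) rescuing only Gitaly errors will not catch; a `# @raise [Gitlab::Git::BundleFile::InvalidBundleError] if bundle_path is not a git bundle` line on the method, and a pass over its callers, would close that gap. The check reads the path once and Gitaly then opens the same path again, so the protection assumes the file cannot be replaced between the two opens; the new comment could state that, e.g. `# The validation and the later clone open bundle_path independently.` The comment refers to the "linked-to file", which matches `File.open` following symlinks in the new class, so that behaviour is intentional and should stay as is.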
@@ -0,0 +1,26 @@
+require 'spec_helper'
+
+describe Gitlab::Git::BundleFile do
+ describe '.check!' do
+ let(:valid_bundle) { Tempfile.new }
+ let(:valid_bundle_path) { valid_bundle.path }
+ let(:invalid_bundle_path) { Rails.root.join('spec/fixtures/malicious.bundle') }
+
+ after do
+ valid_bundle.close!
+ end
+
+ it 'returns nil for a valid bundle' do
+ valid_bundle.write("# v2 git bundle\nfoo bar baz\n")
+ valid_bundle.close
+
+ expect(described_class.check!(valid_bundle_path)).to be_nil
+ end
+
+ it 'raises an exception for an invalid bundle' do
+ expect do
+ described_class.check!(invalid_bundle_path)
+ end.to raise_error(described_class::InvalidBundleError)
+ end
+ end
+end
diff --git a/spec/lib/gitlab/git/repository_spec.rb b/spec/lib/gitlab/git/repository_spec.rb
index 54291e847d..a19b1442ab 100644
--- a/spec/lib/gitlab/git/repository_spec.rb
+++ b/spec/lib/gitlab/git/repository_spec.rb
@@ -1726,22 +1726,23 @@ describe Gitlab::Git::Repository, :seed_helper do
 end

 describe '#create_from_bundle' do
- let(:bundle_path) { File.join(Dir.tmpdir, "repo-#{SecureRandom.hex}.bundle") }
+ let(:valid_bundle_path) { File.join(Dir.tmpdir, "repo-#{SecureRandom.hex}.bundle") }
+ let(:malicious_bundle_path) { Rails.root.join('spec/fixtures/malicious.bundle') }
 let(:project) { create(:project) }
 let(:imported_repo) { project.repository.raw }

 before do
- expect(repository.bundle_to_disk(bundle_path)).to be_truthy
+ expect(repository.bundle_to_disk(valid_bundle_path)).to be_truthy
 end

 after do
- FileUtils.rm_rf(bundle_path)
+ FileUtils.rm_rf(valid_bundle_path)
 end

 it 'creates a repo from a bundle file' do
 expect(imported_repo).not_to exist

- result = imported_repo.create_from_bundle(bundle_path)
+ result = imported_repo.create_from_bundle(valid_bundle_path)

 expect(result).to be_truthy
 expect(imported_repo).to exist
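Review bot: The new spec covers a well-formed bundle and the `gitdir:` fixture but not the boundary the implementation handles only implicitly: an empty file makes `f.read(MAGIC.size)` return nil and a file shorter than the signature returns a short string, and both must raise. Pinning that protects against a later rewrite (for example one comparing with `start_with?` on a possibly-nil value) regressing silently. One more example in the `.check!` block, reusing the existing Tempfile `let`s, covers it:
```ruby
it 'raises an exception for a file shorter than the bundle signature' do
  valid_bundle.write('# v2')
  valid_bundle.close

  expect do
    described_class.check!(valid_bundle_path)
  end.to raise_error(described_class::InvalidBundleError)
end
```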
@@ -1749,11 +1750,17 @@ describe Gitlab::Git::Repository, :seed_helper do
 end

 it 'creates a symlink to the global hooks dir' do
- imported_repo.create_from_bundle(bundle_path)
+ imported_repo.create_from_bundle(valid_bundle_path)
 hooks_path = Gitlab::GitalyClient::StorageSettings.allow_disk_access { File.join(imported_repo.path, 'hooks') }

 expect(File.readlink(hooks_path)).to eq(Gitlab.config.gitlab_shell.hooks_path)
 end
+
+ it 'raises an error if the bundle is an attempted malicious payload' do
+ expect do
+ imported_repo.create_from_bundle(malicious_bundle_path)
+ end.to raise_error(::Gitlab::Git::BundleFile::InvalidBundleError)
+ end
 end

 describe '#checksum' do
From 066777edcbf8717099d3b6fd51ccac3ecd781fa7 Mon Sep 17 00:00:00 2001
From: Abhijith PA
Date: Sun, 20 Jan 2019 21:56:17 +0530
Subject: [PATCH 6/7] update changelog
---
debian/changelog | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 414b9e4c37..a3a6e508f9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+gitlab (11.5.7+dfsg-1) unstable; urgency=medium
+
+ * New upstream version 11.5.7+dfsg
+ * Fix CVE-2019-6240: Arbitrary repo read in Gitlab project import
+ (Closes: #919822)
+
+ -- Abhijith PA Sun, 20 Jan 2019 21:37:01 +0530
+
 gitlab (11.5.6+dfsg-1) unstable; urgency=high

 * New upstream version 11.5.6+dfsg (Closes: #918086) (Fixes: CVE-2018-20488,
From c095ec68d077f47dbcf991577a82636a097dc3f2 Mon Sep 17 00:00:00 2001
From: Abhijith PA
Date: Tue, 22 Jan 2019 10:58:01 +0530
Subject: [PATCH 7/7] Add team upload to changelog
---
debian/changelog | 1 +
1 file changed, 1 insertion(+)
diff --git a/debian/changelog b/debian/changelog
index a3a6e508f9..ea311eb07e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,6 @@
 gitlab (11.5.7+dfsg-1) unstable; urgency=medium

+ * Team upload
 * New upstream version 11.5.7+dfsg
 * Fix CVE-2019-6240: Arbitrary repo read in Gitlab project import
 (Closes: #919822)
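Review bot: The new malicious-payload example only asserts that `create_from_bundle` raises; the property the fix exists for is that no repository is created from the payload, so adding `expect(imported_repo).not_to exist` after the `raise_error` block makes the test fail if the check were ever moved after the Gitaly call. The `before` block in the preceding hunk still writes a valid bundle to disk for this example even though it never uses it, which is harmless but does unnecessary work; presumably a nested `context` with its own `before` would be the clean separation. The `#create_from_bundle` describe block continues outside the hunk.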