Add patch for CVE-2016-9086

debian/patches/cve-2016-9086-fix.patch

@@ -0,0 +1,47 @@
+Description: Fix file disclosure via hidden symlinks using the project import
+Author: Rémy Coutable <remy@gitlab.com>
+Bug: https://gitlab.com/gitlab-org/gitlab-ce/issues/36091
+Last-Update: 2017-08-17
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/lib/gitlab/import_export/file_importer.rb
++++ b/lib/gitlab/import_export/file_importer.rb
+@@ -47,12 +47,16 @@
+       end
+ 
+       def remove_symlinks!
+-        Dir["#{@shared.export_path}/**/*"].each do |path|
++        extracted_files.each do |path|
+           FileUtils.rm(path) if File.lstat(path).symlink?
+         end
+ 
+         true
+       end
++
++      def extracted_files
++        Dir.glob("#{@shared.export_path}/**/*", File::FNM_DOTMATCH).reject { |f| f =~ /.*\/\.{1,2}$/ }
++      end
+     end
+   end
+ end
+--- a/spec/lib/gitlab/import_export/file_importer_spec.rb
++++ b/spec/lib/gitlab/import_export/file_importer_spec.rb
+@@ -5,6 +5,7 @@
+   let(:export_path) { "#{Dir::tmpdir}/file_importer_spec" }
+   let(:valid_file) { "#{shared.export_path}/valid.json" }
+   let(:symlink_file) { "#{shared.export_path}/invalid.json" }
++  let(:hidden_symlink_file) { "#{shared.export_path}/.hidden" }
+   let(:subfolder_symlink_file) { "#{shared.export_path}/subfolder/invalid.json" }
+ 
+   before do
+@@ -25,6 +26,10 @@
+     expect(File.exist?(symlink_file)).to be false
+   end
+ 
++  it 'removes hidden symlinks in root folder' do
++    expect(File.exist?(hidden_symlink_file)).to be false
++  end
++
+   it 'removes symlinks in subfolders' do
+     expect(File.exist?(subfolder_symlink_file)).to be false
+   end

debian/patches/series

@@ -1,3 +1,4 @@
+cve-2016-9086-fix.patch
 0005-use-debian-omniauth-ldap.patch
 0018-loosen-rdoc.patch
 0050-relax-stable-libs.patch