Today we are releasing versions 9.3.8, 9.2.8, 9.1.8, 9.0.11, and 8.17.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain several security fixes, including important fixes for two authorization bypass vulnerabilities (post-authentication), protection against denial-of-service attacks through regular expressions, important security patches for Mattermost, and protections for exporting issues to Microsoft Excel via CSV files. We strongly recommend that all affected GitLab installations be upgraded to one of these versions immediately.
Please read on for more details.
Projects in subgroups authorization bypass with SQL wildcards (CVE-2017-11438)
An internal code review disclosed that, by choosing a namespace containing underscores, an authenticated user could take advantage of a badly written SQL query to add themselves to any project inside a subgroup with permissions of their choice.
This vulnerability was caused by a SQL query that automatically adjusts project permissions but does not escape wildcard characters such as the underscore. The vulnerability was coincidentally patched when the affected code was rewritten for 9.3, so versions 9.3 and above are not vulnerable. 33323
This issue has been assigned CVE-2017-11438.
Note: GitLab CE+EE 8.17 is not vulnerable to this issue; however, patches have been included in 8.17.7 to improve the security of the SQL queries.
Versions affected
- GitLab CE+EE: 9.0.0 through 9.0.10
- GitLab CE+EE: 9.1.0 through 9.1.7
- GitLab CE+EE: 9.2.0 through 9.2.7
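The bug class described above, as an added illustration that is not GitLab's own code: a namespace name is interpolated into a SQL LIKE prefix without escaping, so the underscore in "my_org" matches any single character and projects under unrelated namespaces are returned. The LIKE-to-Regexp matcher and the sample project paths are constructed here to simulate the database; the escaping helper mirrors what ActiveRecord's sanitize_sql_like does.

```ruby
# Escape a string for use inside a SQL LIKE pattern so `_`, `%` and the
# escape character itself match literally (constructed helper, not GitLab code).
def sanitize_like(str, escape: '\\')
  str.gsub(/[\\%_]/) { |ch| escape + ch }
end

# Convert a SQL LIKE pattern (backslash escape) into a Ruby Regexp so we can
# evaluate `path LIKE pattern` without a database.
def like_to_regexp(pattern)
  re = +''
  chars = pattern.chars
  i = 0
  while i < chars.length
    ch = chars[i]
    if ch == '\\' && i + 1 < chars.length
      re << Regexp.escape(chars[i + 1]) # escaped wildcard: literal match
      i += 2
      next
    end
    piece = case ch
            when '%' then '.*'   # LIKE `%` matches any run of characters
            when '_' then '.'    # LIKE `_` matches exactly one character
            else Regexp.escape(ch)
            end
    re << piece
    i += 1
  end
  Regexp.new("\\A#{re}\\z", Regexp::MULTILINE)
end

# Constructed sample project paths; the attacker controls the "my_org" namespace.
PROJECT_PATHS = %w[
  my_org/sub/app
  myXorg/secret/app
  my-org/other/app
  acme/sub/app
].freeze

# Return the projects a "namespace/%" prefix query would select.
# escape: false reproduces the vulnerable query; escape: true the fixed one.
def projects_under(namespace, escape: true)
  prefix = escape ? sanitize_like(namespace) : namespace
  regexp = like_to_regexp("#{prefix}/%")
  PROJECT_PATHS.select { |path| regexp.match?(path) }
end
```

With the unescaped prefix, `projects_under('my_org', escape: false)` also returns the `myXorg` and `my-org` projects; the escaped query returns only `my_org/sub/app`.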
Unauthorized repository access by using project mirrors and CI (GitLab EE only) (CVE-2017-11437)
Peter Lloyd with Cambridge Consultants reported that the GitLab mirroring feature could be abused to steal copies of repositories from other users and possibly push Docker images to other users' Docker registries.
To exploit this vulnerability, an authenticated user would need to create a project mirror, invite another user, assign them as the mirror user, enable CI for the mirror, and modify the original repository. Because the CI scripts will then be executed as the mirror user, the attacker can use the CI token to fetch repositories belonging to the victim. GitLab now only allows users to assign themselves as the mirror user. 2905
This issue has been assigned CVE-2017-11437.
Versions affected
- GitLab EE: 8.5.0-8.17.6
- GitLab EE: 9.0.0-9.0.10
- GitLab EE: 9.1.0-9.1.7
- GitLab EE: 9.2.0-9.2.7
- GitLab EE: 9.3.0-9.3.7
We strongly recommend that all installations running a version mentioned above be upgraded as soon as possible.
Workarounds
There are no workarounds for these vulnerabilities.
Other fixes in 9.3.8, 9.2.8, 9.1.8, 9.0.11, and 8.17.7
Symlink cleanup from a previous security release
The 9.2.5 security release contained a fix for a data corruption vulnerability involving file uploads. This fix utilized symlinks to migrate file uploads to a new directory. Due to a typo in the included migration a symlink was accidentally left behind after the migration finished. This symlink can cause problems with instance backups. A fix is included with these releases to remove the problematic symlink. 34056
Affected versions: GitLab CE+EE 9.0.10, 9.1.7, 9.2.5-9.2.7, 9.3.0-9.3.7
Accidental or malicious use of reserved names in group names could cause deletion of all snippet uploads
The 9.2.5 security release contained a fix for a data corruption vulnerability involving file uploads. After the release of 9.2.5, an internal code review determined that the recently introduced snippet file uploads feature was also vulnerable to file deletion. Snippet uploads have now been moved into the protected system namespace. 33359
Affected versions: GitLab CE+EE 9.3.0-9.3.7
Project name leak on todos page
An internal code review discovered that forced browsing could be used to disclose the names of private projects. 33303
Affected versions: GitLab CE+EE 8.10.0-8.17.6, 9.0.0-9.0.10, 9.1.0-9.1.7, 9.2.0-9.2.7, 9.3.0-9.3.7
Denial of Service via regular expressions in CI process
Lukas Svoboda reported that regular expressions (regex) included in CI scripts could be used to perform a denial-of-service attack on GitLab instances. GitLab now uses the re2 regex library to bound regex execution time. 24570
Affected versions: GitLab CE+EE 8.0.0-8.17.6, 9.0.0-9.0.10, 9.1.0-9.1.7, 9.2.0-9.2.7, 9.3.0-9.3.7
Issue title leakage when external issue tracker is enabled
An internal code review determined that, when an external issue tracker is configured, it was possible to discover the titles of all issues in a given GitLab instance, including issues in private projects and confidential issues. 33679
Affected versions: GitLab CE+EE 8.14.0-8.17.6, 9.0.0-9.0.10, 9.1.0-9.1.7, 9.2.0-9.2.7, 9.3.0-9.3.7
Mattermost security update
GitLab Omnibus packages now include the latest versions of Mattermost, including the most recent security patches. Mattermost has not yet released details on the patched vulnerabilities but is encouraging all users to upgrade.
These updates are only available for GitLab CE+EE 9.1, 9.2, and 9.3. 2576
Affected versions: All GitLab versions prior to 9.3.8, 9.2.8, and 9.1.8.
Client-side command execution in Microsoft Excel using issue exports (EE only)
Edio via HackerOne reported that the export-to-CSV feature for project issues in GitLab EE could be abused to execute arbitrary commands on a victim's computer if the resulting CSV file were opened in Microsoft Excel. For this attack to work, an attacker must have the ability to create or edit issues in a project and must trick a victim into exporting the CSV file containing the malicious issue text and opening it in Microsoft Excel.
All issue contents containing dangerous characters are now escaped on export by prepending a single quote to the affected column. 30250
Affected versions: GitLab EE 9.0.0-9.0.10, 9.1.0-9.1.7, 9.2.0-9.2.7, 9.3.0-9.3.7
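The mitigation described above, as an added example that is not GitLab's export code: cells whose first character would make a spreadsheet evaluate them as a formula get a leading single quote, which spreadsheet applications treat as a "display as text" marker. The set of trigger characters used here is the OWASP CSV-injection list and is an assumption about which characters GitLab treats as dangerous; the sample issues are constructed.

```ruby
require 'csv'

# Leading characters that cause Excel and similar applications to interpret a
# cell as a formula (assumption: OWASP list, not necessarily GitLab's exact set).
FORMULA_PREFIXES = ['=', '+', '-', '@', "\t", "\r"].freeze

# Prepend a single quote so the cell is displayed as literal text.
# Non-string values are stringified first, as a CSV writer would do.
def escape_formula(value)
  str = value.to_s
  return str if str.empty?
  FORMULA_PREFIXES.any? { |prefix| str.start_with?(prefix) } ? "'#{str}" : str
end

# Constructed sample issues; the second title would be evaluated by Excel.
ISSUES = [
  { id: 1, title: 'Fix login bug', description: 'Normal text' },
  { id: 2, title: '=SUM(1,2)', description: '-1 is a valid value too' }
].freeze

# Build the CSV export with every user-controlled column escaped.
# The id column is numeric and server-generated, so it is written as-is.
def export_issues_csv(issues)
  CSV.generate do |csv|
    csv << %w[ID Title Description]
    issues.each do |issue|
      csv << [issue[:id], escape_formula(issue[:title]), escape_formula(issue[:description])]
    end
  end
end

# Parse the export back and return the Title column, to show what a
# spreadsheet would receive for each row.
def title_cells(csv_text)
  CSV.parse(csv_text, headers: true).map { |row| row['Title'] }
end
```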
Upgrade barometer
These versions include two small migrations: one removes the leftover symlink and the other moves private snippet uploads to the system directory. These migrations should not require any downtime.
Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-migrations file.
Updating
To update, check out our update page.