GitLab master branch is missing MRs from last security release: Access to package list of restricted projects

HackerOne report #731508 by xanbanx on 2019-11-07, assigned to @cmaxim:

Hi GitLab Security Team,

Summary

In the latest security release, GitLab fixed a vulnerability where non-project members of restricted projects could read the package list via the group's package list.

While this has been fixed in GitLab 12.4.2, the master branch of GitLab does not contain this fix, and thus is still vulnerable.
The fact that a security fix is missing from the master branch is quite critical, as this has now basically created a Zero-Day.
While the vulnerability itself is Low, I flag this as Medium severity because it seems to be a problem in the process of creating a security release that the fix to master was missing.

In particular, the following MR is missing: 786b4dd2

Steps to reproduce

  1. Create a public group
  2. Inside of that group, create a public project and restrict the repository to project members only
  3. Push a package
  4. As an unauthenticated user, visit the group's package list, which leaks the package from the previous step.

Impact

First, unauthorized users have access to the package list.
Second, this created a Zero-Day, which can be much worse for a more critical vulnerability.

This is flagged as Medium because there seems to be an issue with how security fixes are merged internally, and it can be the case that partial security fixes are merged.
There must be automated infrastructure which ensures that security fixes which are merged to stable branches are also merged to master.

What is the current bug behavior?

Unauthorized users have access to the package list, and security fixes are backported but not included in the master branch.

What is the expected correct behavior?

If a user does not have access to the repo, they cannot view the package list via the group's endpoint.
It cannot be the case that a security fix is merged only to stable branches and not to the master branch.

Relevant logs and/or screenshots

Results of GitLab environment info  
System information  
System:         Ubuntu 18.04  
Proxy:          no  
Current User:   git  
Using RVM:      no  
Ruby Version:   2.6.3p62  
Gem Version:    2.7.9  
Bundler Version:1.17.3  
Rake Version:   12.3.3  
Redis Version:  3.2.12  
Git Version:    2.22.0  
Sidekiq Version:5.2.7  
Go Version:     unknown

GitLab information  
Version:        12.5.0-pre  
Revision:       b633727c47d  
Directory:      /opt/gitlab/embedded/service/gitlab-rails  
DB Adapter:     PostgreSQL  
DB Version:     10.9  
URL:            https://example.gitlab.com  
HTTP Clone URL: https://example.gitlab.com/some-group/some-project.git  
SSH Clone URL:  git@example.gitlab.com:some-group/some-project.git  
Elasticsearch:  no  
Geo:            no  
Using LDAP:     no  
Using Omniauth: yes  
Omniauth Providers: 

GitLab Shell  
Version:        10.2.0  
Repository storage paths:  
- default:      /var/opt/gitlab/git-data/repositories  
GitLab Shell path:              /opt/gitlab/embedded/service/gitlab-shell  
Git:            /opt/gitlab/embedded/bin/git  

Best regards,
Xanbanx

Impact

See above.
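To make the expected behavior concrete, here is an added illustration (not GitLab's own code; the Project, Group and package-listing names are invented) of the authorization rule the report asks for: the group package list must drop packages of projects whose repository the requesting user cannot read, and the unfiltered listing is shown beside it only as the faulty behavior to test against.

```ruby
# Constructed model of the group package listing, not GitLab source.
Package = Struct.new(:name, :project)

class Project
  attr_reader :name, :visibility, :repository_access, :members, :packages

  # visibility: :public or :private
  # repository_access: :everyone or :members ("project members only")
  def initialize(name, visibility:, repository_access:, members: [])
    @name, @visibility, @repository_access = name, visibility, repository_access
    @members, @packages = members, []
  end

  def add_package(pkg_name)
    @packages << Package.new(pkg_name, self)
  end

  # Packages follow the repository feature: readable only if the user
  # may read the repository. user == nil models an anonymous visitor.
  def repository_readable_by?(user)
    return true if visibility == :public && repository_access == :everyone
    !user.nil? && members.include?(user)
  end
end

Group = Struct.new(:projects)

# Faulty behavior described in the report: every package of every project
# in the group is listed, ignoring per-project repository restrictions.
def group_packages_unfiltered(group)
  group.projects.flat_map(&:packages)
end

# Expected behavior: filter projects by the requester's repository access
# before collecting packages, so restricted projects never leak.
def group_packages_for(group, user)
  group.projects
       .select { |project| project.repository_readable_by?(user) }
       .flat_map(&:packages)
end

# Constructed sample mirroring the steps to reproduce: a public group with an
# open project and a public project whose repository is members-only.
def sample_group
  open = Project.new("open", visibility: :public, repository_access: :everyone)
  open.add_package("open-lib")
  restricted = Project.new("restricted", visibility: :public,
                           repository_access: :members, members: ["maintainer"])
  restricted.add_package("members-only-lib")
  Group.new([open, restricted])
end
```

Running `group_packages_for(sample_group, nil)` returns only `open-lib`, while the unfiltered listing also exposes `members-only-lib`, which is exactly the leak the reproduction steps demonstrate.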
