Bug#953123: stretch-pu: package rake/10.5.0-2+deb9u1
Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: pu
Tags: stretch
Severity: normal
Hiya,
rake seemed to be affected by CVE-2020-8130.
This has been fixed in Sid, Bullseye, and Jessie already.
I got an ack to upload from the Security Team.
Here's the debdiff:
8<------8<------8<------8<------8<------8<------8<------8<------8<------8<------
diff -Nru rake-10.5.0/debian/changelog rake-10.5.0/debian/changelog
--- rake-10.5.0/debian/changelodiff -Nru rake-10.5.0/debian/changelog
rake-10.5.0/debian/changelog
--- rake-10.5.0/debian/changelog 2016-03-01 23:45:05.000000000 +0530
+++ rake-10.5.0/debian/changelog 2020-02-29 20:57:18.000000000 +0530
@@ -1,3 +1,10 @@
+rake (10.5.0-2+deb9u1) stretch; urgency=high
+
+ * Team upload
+ * Add patch to use File.open explicitly. (Fixes: CVE-2020-8130)
+
+ -- Utkarsh Gupta <utkarsh@debian.org> Sat, 29 Feb 2020 20:57:18 +0530
+
rake (10.5.0-2) unstable; urgency=medium
* Team upload.
diff -Nru rake-10.5.0/debian/patches/CVE-2020-8130.patch
rake-10.5.0/debian/patches/CVE-2020-8130.patch
--- rake-10.5.0/debian/patches/CVE-2020-8130.patch 1970-01-01
05:30:00.000000000 +0530
+++ rake-10.5.0/debian/patches/CVE-2020-8130.patch 2020-02-29
20:54:24.000000000 +0530
@@ -0,0 +1,18 @@
+Description: Use File.open explicitly.
+Author: Hiroshi SHIBATA <hsbt@ruby-lang.org>
+Author: Utkarsh Gupta <utkarsh@debian.org>
+Origin: https://github.com/ruby/rake/commit/5b8f8fc41a5d7d7d6a5d767e48464c60884d3aee
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2020-8130
+Last-Update: 2020-02-29
+
+--- a/lib/rake/file_list.rb
++++ b/lib/rake/file_list.rb
+@@ -290,7 +290,7 @@
+ matched = 0
+ each do |fn|
+ begin
+- open(fn, "r", *options) do |inf|
++ File.open(fn, "r", *options) do |inf|
+ count = 0
+ inf.each do |line|
+ count += 1
diff -Nru rake-10.5.0/debian/patches/series rake-10.5.0/debian/patches/series
--- rake-10.5.0/debian/patches/series 2016-03-01 23:45:05.000000000 +0530
+++ rake-10.5.0/debian/patches/series 2020-02-29 20:54:08.000000000 +0530
@@ -2,3 +2,4 @@
skip_permission_test.patch
autopkgtest.patch
skip-rake-libdir.patch
+CVE-2020-8130.patch
g 2016-03-01 23:45:05.000000000 +0530
+++ rake-10.5.0/debian/changelog 2020-02-29 20:57:18.000000000 +0530
@@ -1,3 +1,10 @@
+rake (10.5.0-2+deb9u1) stretch; urgency=high
+
+ * Team upload
+ * Add patch to use File.open explicitly. (Fixes: CVE-2020-8130)
+
+ -- Utkarsh Gupta <utkarsh@debian.org> Sat, 29 Feb 2020 20:57:18 +0530
+
rake (10.5.0-2) unstable; urgency=medium
* Team upload.
diff -Nru rake-10.5.0/debian/patches/CVE-2020-8130.patch
rake-10.5.0/debian/patches/CVE-2020-8130.patch
--- rake-10.5.0/debian/patches/CVE-2020-8130.patch 1970-01-01
05:30:00.000000000 +0530
+++ rake-10.5.0/debian/patches/CVE-2020-8130.patch 2020-02-29
20:54:24.000000000 +0530
@@ -0,0 +1,18 @@
+Description: Use File.open explicitly.
+Author: Hiroshi SHIBATA <hsbt@ruby-lang.org>
+Author: Utkarsh Gupta <utkarsh@debian.org>
+Origin: https://github.com/ruby/rake/commit/5b8f8fc41a5d7d7d6a5d767e48464c60884d3aee
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2020-8130
+Last-Update: 2020-02-29
+
+--- a/lib/rake/file_list.rb
++++ b/lib/rake/file_list.rb
+@@ -290,7 +290,7 @@
+ matched = 0
+ each do |fn|
+ begin
+- open(fn, "r", *options) do |inf|
++ File.open(fn, "r", *options) do |inf|
+ count = 0
+ inf.each do |line|
+ count += 1
diff -Nru rake-10.5.0/debian/patches/series rake-10.5.0/debian/patches/series
--- rake-10.5.0/debian/patches/series 2016-03-01 23:45:05.000000000 +0530
+++ rake-10.5.0/debian/patches/series 2020-02-29 20:54:08.000000000 +0530
@@ -2,3 +2,4 @@
skip_permission_test.patch
autopkgtest.patch
skip-rake-libdir.patch
+CVE-2020-8130.patch
8<------8<------8<------8<------8<------8<------8<------8<------8<------8<------
Best,
Utkarsh
---
-- System Information:
Debian Release: bullseye/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.4.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Reply to: