Bug#953123: stretch-pu: package rake/10.5.0-2+deb9u1



Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: pu
Tags: stretch
Severity: normal

Hiya,

rake seemed to be affected by CVE-2020-8130.
This has been fixed in Sid, Bullseye, and Jessie already.
I got an ack to upload from the Security Team.

Here's the debdiff:
8<------8<------8<------8<------8<------8<------8<------8<------8<------8<------

diff -Nru rake-10.5.0/debian/changelog rake-10.5.0/debian/changelog
--- rake-10.5.0/debian/changelog    2016-03-01 23:45:05.000000000 +0530
+++ rake-10.5.0/debian/changelog    2020-02-29 20:57:18.000000000 +0530
@@ -1,3 +1,10 @@
+rake (10.5.0-2+deb9u1) stretch; urgency=high
+
+  * Team upload
+  * Add patch to use File.open explicitly. (Fixes: CVE-2020-8130)
+
+ -- Utkarsh Gupta <utkarsh@debian.org>  Sat, 29 Feb 2020 20:57:18 +0530
+
 rake (10.5.0-2) unstable; urgency=medium

   * Team upload.
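Review bot: "* Team upload" in the new stanza drops the trailing period that the 10.5.0-2 entry directly below it uses ("* Team upload."); keep the two consistent. The CVE line also only names the mechanical change ("Add patch to use File.open explicitly"); a stretch user reading the changelog wants to know what was fixed, so lead with the problem, e.g. "Fix CVE-2020-8130: use File.open instead of Kernel#open in Rake::FileList so a filename is always treated as a path".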
diff -Nru rake-10.5.0/debian/patches/CVE-2020-8130.patch
rake-10.5.0/debian/patches/CVE-2020-8130.patch
--- rake-10.5.0/debian/patches/CVE-2020-8130.patch    1970-01-01
05:30:00.000000000 +0530
+++ rake-10.5.0/debian/patches/CVE-2020-8130.patch    2020-02-29
20:54:24.000000000 +0530
@@ -0,0 +1,18 @@
+Description: Use File.open explicitly.
+Author: Hiroshi SHIBATA <hsbt@ruby-lang.org>
+Author: Utkarsh Gupta <utkarsh@debian.org>
+Origin: https://github.com/ruby/rake/commit/5b8f8fc41a5d7d7d6a5d767e48464c60884d3aee
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2020-8130
+Last-Update: 2020-02-29
+
+--- a/lib/rake/file_list.rb
++++ b/lib/rake/file_list.rb
+@@ -290,7 +290,7 @@
+       matched = 0
+       each do |fn|
+         begin
+-          open(fn, "r", *options) do |inf|
++          File.open(fn, "r", *options) do |inf|
+             count = 0
+             inf.each do |line|
+               count += 1
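Review bot: the DEP-3 "Description: Use File.open explicitly." only restates the diff; it should say why the change is a security fix, namely that Kernel#open gives special meaning to some filename values while File.open always treats its argument as a path, so that a reviewer can confirm the single-line change inside the @@ -290,7 hunk is the whole fix for the CVE rather than one of several call sites. Two "Author:" lines are valid DEP-3, but with Origin already pointing at the upstream commit the Debian contributor fits better under "Reviewed-by:" than as a co-author of upstream's change. The patch also carries no regression test; if the upstream commit named in Origin includes one, cherry-picking it would let the existing autopkgtest.patch setup catch a reverted fix.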
diff -Nru rake-10.5.0/debian/patches/series rake-10.5.0/debian/patches/series
--- rake-10.5.0/debian/patches/series    2016-03-01 23:45:05.000000000 +0530
+++ rake-10.5.0/debian/patches/series    2020-02-29 20:54:08.000000000 +0530
@@ -2,3 +2,4 @@
 skip_permission_test.patch
 autopkgtest.patch
 skip-rake-libdir.patch
+CVE-2020-8130.patch

8<------8<------8<------8<------8<------8<------8<------8<------8<------8<------

Best,
Utkarsh
---

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.4.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
