Bug#953124: buster-pu: package rake/12.3.1-3+deb10u1
Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: pu
Tags: buster
Severity: normal
Hiya,
rake seemed to be affected by CVE-2020-8130.
This has been fixed in Sid, Bullseye, and Jessie already.
I got an ack to upload from the Security Team.
Here's the debdiff:
8<------8<------8<------8<------8<------8<------8<------8<------8<------8<------
diff -Nru rake-12.3.1/debian/changelog rake-12.3.1/debian/changelog
--- rake-12.3.1/debian/changelog 2018-05-02 19:16:41.000000000 +0530
+++ rake-12.3.1/debian/changelog 2020-02-29 20:40:36.000000000 +0530
@@ -1,3 +1,10 @@
+rake (12.3.1-3+deb10u1) buster; urgency=high
+
+ * Team upload
+ * Add patch to use File.open explicitly. (Fixes: CVE-2020-8130)
+
+ -- Utkarsh Gupta <utkarsh@debian.org> Sat, 29 Feb 2020 20:40:36 +0530
+
rake (12.3.1-3) unstable; urgency=medium
* Revert the drop of the ruby dependency. See Debian bug #897279 for related
diff -Nru rake-12.3.1/debian/patches/CVE-2020-8130.patch
rake-12.3.1/debian/patches/CVE-2020-8130.patch
--- rake-12.3.1/debian/patches/CVE-2020-8130.patch 1970-01-01
05:30:00.000000000 +0530
+++ rake-12.3.1/debian/patches/CVE-2020-8130.patch 2020-02-29
20:34:19.000000000 +0530
@@ -0,0 +1,18 @@
+Description: Use File.open explicitly.
+Author: Hiroshi SHIBATA <hsbt@ruby-lang.org>
+Author: Utkarsh Gupta <utkarsh@debian.org>
+Origin: https://github.com/ruby/rake/commit/5b8f8fc41a5d7d7d6a5d767e48464c60884d3aee
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2020-8130
+Last-Update: 2020-02-29
+
+--- a/lib/rake/file_list.rb
++++ b/lib/rake/file_list.rb
+@@ -294,7 +294,7 @@
+ matched = 0
+ each do |fn|
+ begin
+- open(fn, "r", *options) do |inf|
++ File.open(fn, "r", *options) do |inf|
+ count = 0
+ inf.each do |line|
+ count += 1
diff -Nru rake-12.3.1/debian/patches/series rake-12.3.1/debian/patches/series
--- rake-12.3.1/debian/patches/series 2018-05-02 19:16:41.000000000 +0530
+++ rake-12.3.1/debian/patches/series 2020-02-29 20:31:31.000000000 +0530
@@ -1,3 +1,4 @@
0001-test-helper-adapt-to-test-installed-package.patch
0002-rake-testtask-never-include-I-usr-lib-ruby-vendor_ru.patch
0003-gemspec-drop-git-usage.patch
+CVE-2020-8130.patch
8<------8<------8<------8<------8<------8<------8<------8<------8<------8<------
Best,
Utkarsh
---
-- System Information:
Debian Release: bullseye/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.4.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Reply to: