Bug#953124: buster-pu: package rake/12.3.1-3+deb10u1

To: submit@bugs.debian.org
Subject: Bug#953124: buster-pu: package rake/12.3.1-3+deb10u1
From: Utkarsh Gupta <utkarsh@debian.org>
Date: Thu, 5 Mar 2020 02:31:20 +0530
Message-id: <[🔎] CAPP0f964L_o5JMSuZb-cW4b9RbiK6N1WAoz0L8UE2BBhL4c3RA@mail.gmail.com>
Reply-to: Utkarsh Gupta <utkarsh@debian.org>, 953124@bugs.debian.org

Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: pu
Tags: buster
Severity: normal

Hiya,

rake seemed to be affected by CVE-2020-8130.
This has been fixed in Sid, Bullseye, and Jessie already.
I got an ack to upload from the Security Team.

Here's the debdiff:
8<------8<------8<------8<------8<------8<------8<------8<------8<------8<------

diff -Nru rake-12.3.1/debian/changelog rake-12.3.1/debian/changelog
--- rake-12.3.1/debian/changelog    2018-05-02 19:16:41.000000000 +0530
+++ rake-12.3.1/debian/changelog    2020-02-29 20:40:36.000000000 +0530
@@ -1,3 +1,10 @@
+rake (12.3.1-3+deb10u1) buster; urgency=high
+
+  * Team upload
+  * Add patch to use File.open explicitly. (Fixes: CVE-2020-8130)
+
+ -- Utkarsh Gupta <utkarsh@debian.org>  Sat, 29 Feb 2020 20:40:36 +0530
+
 rake (12.3.1-3) unstable; urgency=medium

   * Revert the drop of the ruby dependency. See Debian bug #897279 for related
diff -Nru rake-12.3.1/debian/patches/CVE-2020-8130.patch
rake-12.3.1/debian/patches/CVE-2020-8130.patch
--- rake-12.3.1/debian/patches/CVE-2020-8130.patch    1970-01-01
05:30:00.000000000 +0530
+++ rake-12.3.1/debian/patches/CVE-2020-8130.patch    2020-02-29
20:34:19.000000000 +0530
@@ -0,0 +1,18 @@
+Description: Use File.open explicitly.
+Author: Hiroshi SHIBATA <hsbt@ruby-lang.org>
+Author: Utkarsh Gupta <utkarsh@debian.org>
+Origin: https://github.com/ruby/rake/commit/5b8f8fc41a5d7d7d6a5d767e48464c60884d3aee
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2020-8130
+Last-Update: 2020-02-29
+
+--- a/lib/rake/file_list.rb
++++ b/lib/rake/file_list.rb
+@@ -294,7 +294,7 @@
+       matched = 0
+       each do |fn|
+         begin
+-          open(fn, "r", *options) do |inf|
++          File.open(fn, "r", *options) do |inf|
+             count = 0
+             inf.each do |line|
+               count += 1
diff -Nru rake-12.3.1/debian/patches/series rake-12.3.1/debian/patches/series
--- rake-12.3.1/debian/patches/series    2018-05-02 19:16:41.000000000 +0530
+++ rake-12.3.1/debian/patches/series    2020-02-29 20:31:31.000000000 +0530
@@ -1,3 +1,4 @@
 0001-test-helper-adapt-to-test-installed-package.patch
 0002-rake-testtask-never-include-I-usr-lib-ruby-vendor_ru.patch
 0003-gemspec-drop-git-usage.patch
+CVE-2020-8130.patch

8<------8<------8<------8<------8<------8<------8<------8<------8<------8<------

Best,
Utkarsh
---

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.4.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Reply to:

Follow-Ups:
- Bug#953124: rake 12.3.1-3+deb10u1 flagged for acceptance
  - From: Adam D Barratt <adam@adam-barratt.org.uk>

Prev by Date: Bug#953123: stretch-pu: package rake/10.5.0-2+deb9u1
Next by Date: Bug#953155: buster-pu: package bind9/1:9.11.5.P4+dfsg+1-1
Previous by thread: Processed: rake 10.5.0-2+deb9u1 flagged for acceptance
Next by thread: Bug#953124: rake 12.3.1-3+deb10u1 flagged for acceptance
Index(es):
- Date
- Thread