Package: release.debian.org User: release.debian....@packages.debian.org Usertags: pu Tags: buster Severity: normal
Hiya, rake seemed to be affected by CVE-2020-8130. This has been fixed in Sid, Bullseye, and Jessie already. I got an ack to upload from the Security Team. Here's the debdiff: 8<------8<------8<------8<------8<------8<------8<------8<------8<------8<------ diff -Nru rake-12.3.1/debian/changelog rake-12.3.1/debian/changelog --- rake-12.3.1/debian/changelog 2018-05-02 19:16:41.000000000 +0530 +++ rake-12.3.1/debian/changelog 2020-02-29 20:40:36.000000000 +0530 @@ -1,3 +1,10 @@ +rake (12.3.1-3+deb10u1) buster; urgency=high + + * Team upload + * Add patch to use File.open explicitly. (Fixes: CVE-2020-8130) + + -- Utkarsh Gupta <utka...@debian.org> Sat, 29 Feb 2020 20:40:36 +0530 + rake (12.3.1-3) unstable; urgency=medium * Revert the drop of the ruby dependency. See Debian bug #897279 for related diff -Nru rake-12.3.1/debian/patches/CVE-2020-8130.patch rake-12.3.1/debian/patches/CVE-2020-8130.patch --- rake-12.3.1/debian/patches/CVE-2020-8130.patch 1970-01-01 05:30:00.000000000 +0530 +++ rake-12.3.1/debian/patches/CVE-2020-8130.patch 2020-02-29 20:34:19.000000000 +0530 @@ -0,0 +1,18 @@ +Description: Use File.open explicitly. +Author: Hiroshi SHIBATA <h...@ruby-lang.org> +Author: Utkarsh Gupta <utka...@debian.org> +Origin: https://github.com/ruby/rake/commit/5b8f8fc41a5d7d7d6a5d767e48464c60884d3aee +Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2020-8130 +Last-Update: 2020-02-29 + +--- a/lib/rake/file_list.rb ++++ b/lib/rake/file_list.rb +@@ -294,7 +294,7 @@ + matched = 0 + each do |fn| + begin +- open(fn, "r", *options) do |inf| ++ File.open(fn, "r", *options) do |inf| + count = 0 + inf.each do |line| + count += 1 diff -Nru rake-12.3.1/debian/patches/series rake-12.3.1/debian/patches/series --- rake-12.3.1/debian/patches/series 2018-05-02 19:16:41.000000000 +0530 +++ rake-12.3.1/debian/patches/series 2020-02-29 20:31:31.000000000 +0530 
@@ -1,3 +1,4 @@ 0001-test-helper-adapt-to-test-installed-package.patch 0002-rake-testtask-never-include-I-usr-lib-ruby-vendor_ru.patch 0003-gemspec-drop-git-usage.patch +CVE-2020-8130.patch 8<------8<------8<------8<------8<------8<------8<------8<------8<------8<------ Best, Utkarsh --- -- System Information: Debian Release: bullseye/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 5.4.0-4-amd64 (SMP w/8 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled
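Review bot: The debian/changelog entry says only "Add patch to use File.open explicitly. (Fixes: CVE-2020-8130)" without describing what the CVE is, and "Fixes:" is not a closer that dak or the BTS acts on; for a stable update the changelog is what the release team reads first, so add a one-line description of the issue next to the CVE id (and a "Closes: #NNNNNN" if there is a Debian bug for it), e.g. "* Add patch to use File.open instead of Kernel#open in lib/rake/file_list.rb (CVE-2020-8130)".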
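Review bot: The one-line change in lib/rake/file_list.rb at line 294 (`- open(fn, "r", *options)` to `+ File.open(fn, "r", *options)`) is the right fix, since Kernel#open treats a file name beginning with "|" as a command to spawn while File.open only opens files, but the hunk covers a single call site; before upload, confirm with a grep over lib/ that no other bare `open(` calls on caller-supplied file names remain in the 12.3.1 tree that the upstream commit at the Origin URL also touched, and state in the patch header or the upload mail that the backport was checked against that upstream commit. The DEP-3 header itself is complete (Description, Author, Origin, Bug-Debian, Last-Update), though the patch adds no test for the changed behaviour, so it is worth mentioning whether the package's test suite (and autopkgtest, if enabled) was run against the patched build.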
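Review bot: The new entry appended to debian/patches/series is named `CVE-2020-8130.patch` while the three existing patches use the numbered `000N-description.patch` scheme; appending it last is correct for application order, but for consistency with the rest of the series consider naming it `0004-CVE-2020-8130.patch` (renaming the file in debian/patches accordingly) so the ordering is visible from the file names as well as from series.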