Package: release.debian.org
User: release.debian....@packages.debian.org
Usertags: pu
Tags: stretch
Severity: normal
Hiya, rake seemed to be affected by CVE-2020-8130. This has been fixed in Sid, Bullseye, and Jessie already. I got an ack to upload from the Security Team. Here's the debdiff: 8<------8<------8<------8<------8<------8<------8<------8<------8<------8<------ diff -Nru rake-10.5.0/debian/changelog rake-10.5.0/debian/changelog --- rake-10.5.0/debian/changelodiff -Nru rake-10.5.0/debian/changelog rake-10.5.0/debian/changelog --- rake-10.5.0/debian/changelog 2016-03-01 23:45:05.000000000 +0530 +++ rake-10.5.0/debian/changelog 2020-02-29 20:57:18.000000000 +0530 @@ -1,3 +1,10 @@ +rake (10.5.0-2+deb9u1) stretch; urgency=high + + * Team upload + * Add patch to use File.open explicitly. (Fixes: CVE-2020-8130) + + -- Utkarsh Gupta <utka...@debian.org> Sat, 29 Feb 2020 20:57:18 +0530 + rake (10.5.0-2) unstable; urgency=medium * Team upload. diff -Nru rake-10.5.0/debian/patches/CVE-2020-8130.patch rake-10.5.0/debian/patches/CVE-2020-8130.patch --- rake-10.5.0/debian/patches/CVE-2020-8130.patch 1970-01-01 05:30:00.000000000 +0530 +++ rake-10.5.0/debian/patches/CVE-2020-8130.patch 2020-02-29 20:54:24.000000000 +0530 @@ -0,0 +1,18 @@ +Description: Use File.open explicitly. +Author: Hiroshi SHIBATA <h...@ruby-lang.org> +Author: Utkarsh Gupta <utka...@debian.org> +Origin: https://github.com/ruby/rake/commit/5b8f8fc41a5d7d7d6a5d767e48464c60884d3aee +Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2020-8130 +Last-Update: 2020-02-29 + +--- a/lib/rake/file_list.rb ++++ b/lib/rake/file_list.rb +@@ -290,7 +290,7 @@ + matched = 0 + each do |fn| + begin +- open(fn, "r", *options) do |inf| ++ File.open(fn, "r", *options) do |inf| + count = 0 + inf.each do |line| + count += 1 diff -Nru rake-10.5.0/debian/patches/series rake-10.5.0/debian/patches/series --- rake-10.5.0/debian/patches/series 2016-03-01 23:45:05.000000000 +0530 +++ rake-10.5.0/debian/patches/series 2020-02-29 20:54:08.000000000 +0530 
@@ -2,3 +2,4 @@ skip_permission_test.patch autopkgtest.patch skip-rake-libdir.patch +CVE-2020-8130.patch g 2016-03-01 23:45:05.000000000 +0530 +++ rake-10.5.0/debian/changelog 2020-02-29 20:57:18.000000000 +0530 @@ -1,3 +1,10 @@ +rake (10.5.0-2+deb9u1) stretch; urgency=high + + * Team upload + * Add patch to use File.open explicitly. (Fixes: CVE-2020-8130) + + -- Utkarsh Gupta <utka...@debian.org> Sat, 29 Feb 2020 20:57:18 +0530 + rake (10.5.0-2) unstable; urgency=medium * Team upload. diff -Nru rake-10.5.0/debian/patches/CVE-2020-8130.patch rake-10.5.0/debian/patches/CVE-2020-8130.patch --- rake-10.5.0/debian/patches/CVE-2020-8130.patch 1970-01-01 05:30:00.000000000 +0530 +++ rake-10.5.0/debian/patches/CVE-2020-8130.patch 2020-02-29 20:54:24.000000000 +0530 @@ -0,0 +1,18 @@ +Description: Use File.open explicitly. +Author: Hiroshi SHIBATA <h...@ruby-lang.org> +Author: Utkarsh Gupta <utka...@debian.org> +Origin: https://github.com/ruby/rake/commit/5b8f8fc41a5d7d7d6a5d767e48464c60884d3aee +Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2020-8130 +Last-Update: 2020-02-29 + +--- a/lib/rake/file_list.rb ++++ b/lib/rake/file_list.rb +@@ -290,7 +290,7 @@ + matched = 0 + each do |fn| + begin +- open(fn, "r", *options) do |inf| ++ File.open(fn, "r", *options) do |inf| + count = 0 + inf.each do |line| + count += 1 diff -Nru rake-10.5.0/debian/patches/series rake-10.5.0/debian/patches/series --- rake-10.5.0/debian/patches/series 2016-03-01 23:45:05.000000000 +0530 +++ rake-10.5.0/debian/patches/series 2020-02-29 20:54:08.000000000 +0530 
@@ -2,3 +2,4 @@ skip_permission_test.patch autopkgtest.patch skip-rake-libdir.patch +CVE-2020-8130.patch 8<------8<------8<------8<------8<------8<------8<------8<------8<------8<------

Best,
Utkarsh

---

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.4.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
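Review bot: in the debian/changelog hunk, the entry "Add patch to use File.open explicitly. (Fixes: CVE-2020-8130)" names the mechanism but not what was wrong or where; since this line is what a stretch user reads to decide whether to install the update, say which code is affected and what the change prevents, e.g. "* Use File.open instead of Kernel#open when reading entries in lib/rake/file_list.rb, so a list entry is never treated as a command (Fixes: CVE-2020-8130)". Minor: "* Team upload" lacks the trailing period that the previous entry's "* Team upload." uses.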
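Review bot: in the new debian/patches/CVE-2020-8130.patch file, the DEP-3 "Description: Use File.open explicitly." only restates the one-line diff; it should state the problem, namely that the bare `open(fn, "r", *options)` resolves to `Kernel#open`, which treats a name beginning with `|` as a command to execute, whereas `File.open(fn, "r", *options)` only ever opens a path, so a FileList entry coming from outside can no longer cause a process to be spawned. The backport carries a single hunk from upstream commit 5b8f8fc41a5d7d7d6a5d767e48464c60884d3aee; before uploading, confirm that the 10.5.0 tree in stretch has no other bare `open(` call on a list entry in lib/rake, since this patch fixes only the site at file_list.rb line 290. A small autopkgtest or unit test asserting that a `|`-prefixed entry now raises Errno::ENOENT instead of running anything would make the fix regression-proof.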