Bug#953123: marked as done (stretch-pu: package rake/10.5.0-2+deb9u1)

Debian Bug Tracking System Sat, 18 Jul 2020 05:13:01 -0700

Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id 
<b8d89cdfeeda7b6d1ef96a8706a20f9525c2151b.ca...@adam-barratt.org.uk>
and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #953123,
regarding stretch-pu: package rake/10.5.0-2+deb9u1
to be marked as done.


This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
953123: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953123
Debian Bug Tracking System
Contact [email protected] with problems

--- Begin Message ---

Package: release.debian.org
User: [email protected]
Usertags: pu
Tags: stretch
Severity: normal

Hiya,

rake seemed to be affected by CVE-2020-8130.
This has been fixed in Sid, Bullseye, and Jessie already.
I got an ack to upload from the Security Team.

Here's the debdiff:
8<------8<------8<------8<------8<------8<------8<------8<------8<------8<------

diff -Nru rake-10.5.0/debian/changelog rake-10.5.0/debian/changelog
--- rake-10.5.0/debian/changelodiff -Nru rake-10.5.0/debian/changelog
rake-10.5.0/debian/changelog
--- rake-10.5.0/debian/changelog    2016-03-01 23:45:05.000000000 +0530
+++ rake-10.5.0/debian/changelog    2020-02-29 20:57:18.000000000 +0530
@@ -1,3 +1,10 @@
+rake (10.5.0-2+deb9u1) stretch; urgency=high
+
+  * Team upload
+  * Add patch to use File.open explicitly. (Fixes: CVE-2020-8130)
+
+ -- Utkarsh Gupta <[email protected]>  Sat, 29 Feb 2020 20:57:18 +0530
+
 rake (10.5.0-2) unstable; urgency=medium

   * Team upload.
diff -Nru rake-10.5.0/debian/patches/CVE-2020-8130.patch
rake-10.5.0/debian/patches/CVE-2020-8130.patch
--- rake-10.5.0/debian/patches/CVE-2020-8130.patch    1970-01-01
05:30:00.000000000 +0530
+++ rake-10.5.0/debian/patches/CVE-2020-8130.patch    2020-02-29
20:54:24.000000000 +0530
@@ -0,0 +1,18 @@
+Description: Use File.open explicitly.
+Author: Hiroshi SHIBATA <[email protected]>
+Author: Utkarsh Gupta <[email protected]>
+Origin: 
https://github.com/ruby/rake/commit/5b8f8fc41a5d7d7d6a5d767e48464c60884d3aee
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2020-8130
+Last-Update: 2020-02-29
+
+--- a/lib/rake/file_list.rb
++++ b/lib/rake/file_list.rb
+@@ -290,7 +290,7 @@
+       matched = 0
+       each do |fn|
+         begin
+-          open(fn, "r", *options) do |inf|
++          File.open(fn, "r", *options) do |inf|
+             count = 0
+             inf.each do |line|
+               count += 1
diff -Nru rake-10.5.0/debian/patches/series rake-10.5.0/debian/patches/series
--- rake-10.5.0/debian/patches/series    2016-03-01 23:45:05.000000000 +0530
+++ rake-10.5.0/debian/patches/series    2020-02-29 20:54:08.000000000 +0530
@@ -2,3 +2,4 @@
 skip_permission_test.patch
 autopkgtest.patch
 skip-rake-libdir.patch
+CVE-2020-8130.patch
g    2016-03-01 23:45:05.000000000 +0530
+++ rake-10.5.0/debian/changelog    2020-02-29 20:57:18.000000000 +0530
@@ -1,3 +1,10 @@
+rake (10.5.0-2+deb9u1) stretch; urgency=high
+
+  * Team upload
+  * Add patch to use File.open explicitly. (Fixes: CVE-2020-8130)
+
+ -- Utkarsh Gupta <[email protected]>  Sat, 29 Feb 2020 20:57:18 +0530
+
 rake (10.5.0-2) unstable; urgency=medium

   * Team upload.
diff -Nru rake-10.5.0/debian/patches/CVE-2020-8130.patch
rake-10.5.0/debian/patches/CVE-2020-8130.patch
--- rake-10.5.0/debian/patches/CVE-2020-8130.patch    1970-01-01
05:30:00.000000000 +0530
+++ rake-10.5.0/debian/patches/CVE-2020-8130.patch    2020-02-29
20:54:24.000000000 +0530
@@ -0,0 +1,18 @@
+Description: Use File.open explicitly.
+Author: Hiroshi SHIBATA <[email protected]>
+Author: Utkarsh Gupta <[email protected]>
+Origin: 
https://github.com/ruby/rake/commit/5b8f8fc41a5d7d7d6a5d767e48464c60884d3aee
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2020-8130
+Last-Update: 2020-02-29
+
+--- a/lib/rake/file_list.rb
++++ b/lib/rake/file_list.rb
+@@ -290,7 +290,7 @@
+       matched = 0
+       each do |fn|
+         begin
+-          open(fn, "r", *options) do |inf|
++          File.open(fn, "r", *options) do |inf|
+             count = 0
+             inf.each do |line|
+               count += 1
diff -Nru rake-10.5.0/debian/patches/series rake-10.5.0/debian/patches/series
--- rake-10.5.0/debian/patches/series    2016-03-01 23:45:05.000000000 +0530
+++ rake-10.5.0/debian/patches/series    2020-02-29 20:54:08.000000000 +0530
@@ -2,3 +2,4 @@
 skip_permission_test.patch
 autopkgtest.patch
 skip-rake-libdir.patch
+CVE-2020-8130.patch

8<------8<------8<------8<------8<------8<------8<------8<------8<------8<------

Best,
Utkarsh
---

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.4.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

--- End Message ---

--- Begin Message ---

Package: release.debian.org
Version: 9.13

Hi,

All of these requests relate to updates that were included in today's
stretch point release.

Regards,

Adam

--- End Message ---

Bug#953123: marked as done (stretch-pu: package rake/10.5.0-2+deb9u1)

Reply via email to