Bug 749363 (CVE-2020-13802) - dev-util/rebar{,-bin}: Command injection (CVE-2020-13802)
Summary: dev-util/rebar{,-bin}: Command injection (CVE-2020-13802)
Alias: CVE-2020-13802
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: B2 [ebuild]
Keywords: PullRequest
Depends on:
Reported: 2020-10-16 01:59 UTC by John Helmert III
Modified: 2021-07-29 17:25 UTC

See Also:
Package list:
Runtime testing required: ---


Description John Helmert III gentoo-dev Security 2020-10-16 01:59:51 UTC
Rebar3 versions 3.0.0-beta.3 to 3.13.2 are vulnerable to OS command injection via the URL parameter of a dependency specification.

Patched in 3.14.0 and beyond according to GitHub.
Comment 1 Larry the Git Cow gentoo-dev 2021-03-19 08:52:13 UTC
The bug has been referenced in the following commit(s):

commit 3103eb0734f4183805a63684415e2ab1924ce864
Author:     Matt Smith <>
AuthorDate: 2021-03-16 14:26:43 +0000
Commit:     Joonas Niilola <>
CommitDate: 2021-03-19 08:51:48 +0000

    dev-util/rebar-bin: Drop vulnerable
    Package-Manager: Portage-3.0.17, Repoman-3.0.2
    Signed-off-by: Matt Smith <>
    Signed-off-by: Joonas Niilola <>

 dev-util/rebar-bin/Manifest                |  2 --
 dev-util/rebar-bin/rebar-bin-3.13.2.ebuild | 31 ------------------------------
 dev-util/rebar-bin/rebar-bin-3.6.2.ebuild  | 31 ------------------------------
 3 files changed, 64 deletions(-)
Comment 2 NATTkA bot gentoo-dev 2021-07-29 17:25:43 UTC
Package list is empty or all packages have requested keywords.