Version in base suite: 4.2.1-3
Base version: node-browserify-sign_4.2.1-3
Target version: node-browserify-sign_4.2.1-3+deb12u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/n/node-browserify-sign/node-browserify-sign_4.2.1-3.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/n/node-browserify-sign/node-browserify-sign_4.2.1-3+deb12u1.dsc
changelog | 7 ++++
patches/CVE-2023-46234.patch | 68 +++++++++++++++++++++++++++++++++++++++++++
patches/series | 1
3 files changed, 76 insertions(+)
diff -Nru node-browserify-sign-4.2.1/debian/changelog node-browserify-sign-4.2.1/debian/changelog
--- node-browserify-sign-4.2.1/debian/changelog 2022-06-01 10:14:21.000000000 +0000
+++ node-browserify-sign-4.2.1/debian/changelog 2023-10-28 08:03:04.000000000 +0000
@@ -1,3 +1,10 @@
+node-browserify-sign (4.2.1-3+deb12u1) bookworm-security; urgency=high
+
+ * Team upload
+ * Properly check the upper bound for DSA signatures (Closes: #1054667, CVE-2023-46234)
+
+ -- Yadd Sat, 28 Oct 2023 12:03:04 +0400
+
 node-browserify-sign (4.2.1-3) unstable; urgency=medium
 
 * Team upload
diff -Nru node-browserify-sign-4.2.1/debian/patches/CVE-2023-46234.patch node-browserify-sign-4.2.1/debian/patches/CVE-2023-46234.patch
--- node-browserify-sign-4.2.1/debian/patches/CVE-2023-46234.patch 1970-01-01 00:00:00.000000000 +0000
+++ node-browserify-sign-4.2.1/debian/patches/CVE-2023-46234.patch 2023-10-28 08:03:04.000000000 +0000
@@ -0,0 +1,68 @@
+Description: properly check the upper bound for DSA signatures
+Author: roadicing
+Origin: upstream, https://github.com/browserify/browserify-sign/commit/85994cd6
+Bug: https://github.com/browserify/browserify-sign/security/advisories/GHSA-x9w5-v3q2-3rhw
+Bug-Debian: https://bugs.debian.org/1054667
+Forwarded: not-needed
+Applied-Upstream: 4.2.2, commit: 85994cd6
+Reviewed-By: Yadd
+Last-Update: 2023-10-28
+
+--- a/browser/verify.js
++++ b/browser/verify.js
+@@ -78,7 +78,7 @@
+ 
+ function checkValue (b, q) {
+ if (b.cmpn(0) <= 0) throw new Error('invalid sig')
+- if (b.cmp(q) >= q) throw new Error('invalid sig')
++ if (b.cmp(q) >= 0) throw new Error('invalid sig')
+ }
+ 
+ module.exports = verify
+--- a/test/index.js
++++ b/test/index.js
+@@ -4,6 +4,8 @@
+ var nCrypto = require('crypto')
+ var bCrypto = require('../browser')
+ var fixtures = require('./fixtures')
++var BN = require('bn.js')
++var parseKeys = require('parse-asn1')
+ 
+ function isNode10 () {
+ return parseInt(process.version.split('.')[1], 10) <= 10
+@@ -100,6 +102,35 @@
+ t.end()
+ })
+ }
++
++ var s = parseKeys(pub).data.q;
++ test(
++ f.message + ' against a fake signature',
++ { skip: !s || '(this test only applies to DSA signatures and not EC signatures, this is ' + f.scheme + ')' },
++ function (t) {
++ var messageBase64 = Buffer.from(f.message, 'base64');
++
++ // forge a fake signature
++ var r = new BN('1');
++
++ try {
++ var fakeSig = asn1.signature.encode({ r: r, s: s }, 'der');
++ } catch (e) {
++ t.ifError(e);
++ t.end();
++ return;
++ }
++
++ var bVer = bCrypto.createVerify(f.scheme);
++ t['throws'](
++ function () { bVer.update(messageBase64).verify(pub, fakeSig); },
++ Error,
++ 'fake signature is invalid'
++ );
++
++ t.end();
++ }
++ );
+ })
+ 
+ fixtures.valid.kvectors.forEach(function (f) {
diff -Nru node-browserify-sign-4.2.1/debian/patches/series node-browserify-sign-4.2.1/debian/patches/series
--- node-browserify-sign-4.2.1/debian/patches/series 2022-06-01 10:12:35.000000000 +0000
+++ node-browserify-sign-4.2.1/debian/patches/series 2023-10-28 08:03:04.000000000 +0000
@@ -1 +1,2 @@
 drop-rmd160-support.patch
+CVE-2023-46234.patch
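Review bot: The new regression test pins only the `s` bound: `s` is taken from `parseKeys(pub).data.q` while `r` stays at `new BN('1')`, so if `checkValue` is also applied to `r` (its call site is outside the verify.js hunk) that half of the restored upper-bound check remains unexercised, and a second case with `r` set to `q` and `s` in range would close the gap. `asn1` is used in `asn1.signature.encode({ r: r, s: s }, 'der')` but, unlike `BN` and `parseKeys`, is not required by this hunk; presumably it is already in scope above line 4 of test/index.js, which is worth confirming because a ReferenceError there is swallowed by the `try`, reported via `t.ifError`, and never reaches the verifier. The added test lines end in semicolons while the surrounding context (`var nCrypto = require('crypto')`) does not, so the file's style is now mixed. In verify.js the corrected `if (b.cmp(q) >= 0)` together with `b.cmpn(0) <= 0` enforces 0 < b < q; a comment such as `// DSA requires 0 < r, s < q; cmp() yields -1/0/1, so compare with 0, not q` would keep a future edit from reintroducing the old comparison against the BN object, which could never be true.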