Version in base suite: 2.1.1-6 Base version: node-tar-fs_2.1.1-6 Target version: node-tar-fs_2.1.3-0+deb12u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/n/node-tar-fs/node-tar-fs_2.1.1-6.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/n/node-tar-fs/node-tar-fs_2.1.3-0+deb12u1.dsc debian/changelog | 9 +++++++++ index.js | 19 +++++++++++++------ package.json | 2 +- test/index.js | 2 +- 4 files changed, 24 insertions(+), 8 deletions(-)
diff: /srv/release.debian.org/tmp/7pt3LRXfjl/node-tar-fs-2.1.1/test/fixtures/e/symlink: Too many levels of symbolic links
diff: /srv/release.debian.org/tmp/hwabvUMCEo/node-tar-fs-2.1.3/test/fixtures/e/symlink: Too many levels of symbolic links
diff -Nru node-tar-fs-2.1.1/debian/changelog node-tar-fs-2.1.3/debian/changelog
--- node-tar-fs-2.1.1/debian/changelog 2021-11-02 16:56:17.000000000 +0000
+++ node-tar-fs-2.1.3/debian/changelog 2025-06-09 19:02:36.000000000 +0000
@@ -1,3 +1,12 @@
+node-tar-fs (2.1.3-0+deb12u1) bookworm; urgency=medium
+
+ * Non-maintainer upload.
+ * New upstream release.
+ - CVE-2024-12905: symlink path traversal (Closes: #1101501)
+ - CVE-2025-48387: hardlink path traversal
+
+ -- Adrian Bunk Mon, 09 Jun 2025 22:02:36 +0300
+
 node-tar-fs (2.1.1-6) unstable; urgency=medium
 
 * Team upload
diff -Nru node-tar-fs-2.1.1/index.js node-tar-fs-2.1.3/index.js
--- node-tar-fs-2.1.1/index.js 2020-11-06 18:43:33.000000000 +0000
+++ node-tar-fs-2.1.3/index.js 2025-05-22 19:22:41.000000000 +0000
@@ -260,6 +260,9 @@
 var onsymlink = function () {
 if (win32) return next() // skip symlinks on win for now before it can be tested
 xfs.unlink(name, function () {
+ var dst = path.resolve(path.dirname(name), header.linkname)
+ if (!dst.startsWith(path.resolve(cwd))) return next(new Error(name + ' is not a valid symlink'))
+
 xfs.symlink(header.linkname, name, stat)
 })
 }
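Review bot: The containment check on the added `if (!dst.startsWith(path.resolve(cwd)))` line is a bare string-prefix test, so a link target that resolves into a sibling directory whose name merely begins with the extraction root (root `/tmp/out`, target `/tmp/out2/x`) is accepted as inside. Make the comparison separator-aware: `var root = path.resolve(cwd)` followed by `if (dst !== root && !dst.startsWith(root + path.sep)) return next(new Error(name + ' is not a valid symlink'))`. The hardlink hunk that follows (`@@ -269,13 +272,17 @@`) applies the same prefix test to its realpath result and needs the same fix. Note also that `path.resolve` is purely lexical and does not consult the filesystem, so whether this check alone is sufficient depends on how `header.name` is validated before `name` is computed, which lies outside this hunk.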
@@ -269,13 +272,17 @@
 xfs.unlink(name, function () {
 var srcpath = path.join(cwd, path.join('/', header.linkname))
 
- xfs.link(srcpath, name, function (err) {
- if (err && err.code === 'EPERM' && opts.hardlinkAsFilesFallback) {
- stream = xfs.createReadStream(srcpath)
- return onfile()
- }
+ xfs.realpath(srcpath, function (err, dst) {
+ if (err || !dst.startsWith(path.resolve(cwd))) return next(new Error(name + ' is not a valid hardlink'))
+
+ xfs.link(dst, name, function (err) {
+ if (err && err.code === 'EPERM' && opts.hardlinkAsFilesFallback) {
+ stream = xfs.createReadStream(srcpath)
+ return onfile()
+ }
 
- stat(err)
+ stat(err)
+ })
 })
 })
 }
diff -Nru node-tar-fs-2.1.1/package.json node-tar-fs-2.1.3/package.json
--- node-tar-fs-2.1.1/package.json 2020-11-06 18:43:33.000000000 +0000
+++ node-tar-fs-2.1.3/package.json 2025-05-22 19:22:41.000000000 +0000
@@ -1,6 +1,6 @@
 {
 "name": "tar-fs",
- "version": "2.1.1",
+ "version": "2.1.3",
 "description": "filesystem bindings for tar-stream",
 "dependencies": {
 "chownr": "^1.1.1",
diff -Nru node-tar-fs-2.1.1/test/index.js node-tar-fs-2.1.3/test/index.js
--- node-tar-fs-2.1.1/test/index.js 2020-11-06 18:43:33.000000000 +0000
+++ node-tar-fs-2.1.3/test/index.js 2025-05-22 19:22:41.000000000 +0000
@@ -304,7 +304,7 @@
 fs.createReadStream(a)
 .pipe(tar.extract(out))
 .on('error', function (err) {
- t.ok(/is not a valid path/i.test(err.message))
+ t.ok(/is not a valid symlink/i.test(err.message))
 fs.stat(path.join(out, '../bar'), function (err) {
 t.ok(err)
 t.end()
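Review bot: The new `xfs.realpath(srcpath, …)` callback compares a canonicalised path (`dst`) against a non-canonicalised one (`path.resolve(cwd)`), so when the extraction root itself contains a symlinked component (common for temp directories) every hardlink fails the `startsWith` test and is rejected as 'is not a valid hardlink' even though it is inside the archive root. Canonicalise the root with the same `xfs.realpath` call, ideally once per extraction rather than per entry, and compare against `root === dst || dst.startsWith(root + path.sep)` so that a sibling directory sharing the root's name prefix is not accepted either. For consistency the fallback branch could read from the validated `dst` rather than `srcpath`, since `dst` is the path the check was made on. The enclosing `var onlink = function () {` line and its win32 guard sit above this hunk, outside it.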
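Review bot: The only assertion touched is the message regex `t.ok(/is not a valid symlink/i.test(err.message))`; nothing in the test change exercises the new hardlink rejection path in index.js, which emits 'is not a valid hardlink'. A companion case mirroring this one for a hardlink entry whose linkname resolves outside `out`, asserting on that message and on the target not existing, would pin the second fix. The surrounding test function starts and ends outside this hunk.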