Version in base suite: 2.1.3-0+deb12u1
Base version: node-tar-fs_2.1.3-0+deb12u1
Target version: node-tar-fs_2.1.3-0+deb12u2
Base file: /srv/ftp-master.debian.org/ftp/pool/main/n/node-tar-fs/node-tar-fs_2.1.3-0+deb12u1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/n/node-tar-fs/node-tar-fs_2.1.3-0+deb12u2.dsc
 changelog | 6 ++++++
 patches/CVE-2025-59343.patch | 39 +++++++++++++++++++++++++++++++++++++++
 patches/series | 1 +
 3 files changed, 46 insertions(+)
diff: /srv/release.debian.org/tmp/tyJ7rctfFv/node-tar-fs-2.1.3/test/fixtures/e/symlink: Too many levels of symbolic links
diff: /srv/release.debian.org/tmp/_jzxCC1V9H/node-tar-fs-2.1.3/test/fixtures/e/symlink: Too many levels of symbolic links
diff -Nru node-tar-fs-2.1.3/debian/changelog node-tar-fs-2.1.3/debian/changelog
--- node-tar-fs-2.1.3/debian/changelog 2025-06-09 19:02:36.000000000 +0000
+++ node-tar-fs-2.1.3/debian/changelog 2025-09-25 21:12:11.000000000 +0000
@@ -1,3 +1,9 @@
+node-tar-fs (2.1.3-0+deb12u2) bookworm-security; urgency=medium
+
+ * Apply fix for CVE-2025-59343 (Closes: #1116338)
+
+ -- Xavier Guimard Thu, 25 Sep 2025 23:12:11 +0200
+
 node-tar-fs (2.1.3-0+deb12u1) bookworm; urgency=medium
 * Non-maintainer upload.
diff -Nru node-tar-fs-2.1.3/debian/patches/CVE-2025-59343.patch node-tar-fs-2.1.3/debian/patches/CVE-2025-59343.patch
--- node-tar-fs-2.1.3/debian/patches/CVE-2025-59343.patch 1970-01-01 00:00:00.000000000 +0000
+++ node-tar-fs-2.1.3/debian/patches/CVE-2025-59343.patch 2025-09-25 21:12:11.000000000 +0000
@@ -0,0 +1,39 @@
+Description: import CVE-2025-59343 fix
+Author: Mathias Buus
+Origin: upstream, https://github.com/mafintosh/tar-fs/commit/c412fa13
+Bug: https://github.com/mafintosh/tar-fs/security/advisories/GHSA-vj76-c3g6-qr5v
+Bug-Debian: https://bugs.debian.org/1116338
+Forwarded: not-needed
+Applied-Upstream: 2.1.4, commit:c412fa13
+Reviewed-By: Xavier Guimard
+Last-Update: 2025-09-25
+
+--- a/index.js
++++ b/index.js
+@@ -261,7 +261,7 @@
+ if (win32) return next() // skip symlinks on win for now before it can be tested
+ xfs.unlink(name, function () {
+ var dst = path.resolve(path.dirname(name), header.linkname)
+- if (!dst.startsWith(path.resolve(cwd))) return next(new Error(name + ' is not a valid symlink'))
++ if (!inCwd(dst, cwd)) return next(new Error(name + ' is not a valid symlink'))
+
+ xfs.symlink(header.linkname, name, stat)
+ })
+@@ -273,7 +273,7 @@
+ var srcpath = path.join(cwd, path.join('/', header.linkname))
+
+ xfs.realpath(srcpath, function (err, dst) {
+- if (err || !dst.startsWith(path.resolve(cwd))) return next(new Error(name + ' is not a valid hardlink'))
++ if (err || !inCwd(dst, cwd)) return next(new Error(name + ' is not a valid hardlink'))
+
+ xfs.link(dst, name, function (err) {
+ if (err && err.code === 'EPERM' && opts.hardlinkAsFilesFallback) {
+@@ -356,3 +356,8 @@
+ }
+ })
+ }
++
++function inCwd (dst, cwd) {
++ cwd = path.resolve(cwd)
++ return cwd === dst || dst.startsWith(cwd + path.sep)
++}
diff -Nru node-tar-fs-2.1.3/debian/patches/series node-tar-fs-2.1.3/debian/patches/series
--- node-tar-fs-2.1.3/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ node-tar-fs-2.1.3/debian/patches/series 2025-09-25 21:12:11.000000000 +0000
@@ -0,0 +1 @@
+CVE-2025-59343.patch
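Review bot: In the new `inCwd` helper at the end of the patch, `cwd + path.sep` becomes `//` when `cwd` resolves to the filesystem root, so `dst.startsWith` is false for every target and all symlink and hardlink entries are rejected when extracting into `/`; that fails closed rather than open, but `return cwd === dst || dst.startsWith(path.join(cwd, path.sep))` handles the root case without loosening the prefix check. The helper also deserves a why-comment, since the separator is the whole fix: `// dst must be cwd itself or strictly below it; the trailing separator stops /tmp/out from matching /tmp/out-evil (CVE-2025-59343)`. Note that the symlink call site passes a lexically resolved `dst` (`path.resolve`, no `realpath`) while the hardlink call site passes a `realpath` result, so a symlink already present in `cwd` before extraction and pointing outside it is presumably not caught by this check — worth confirming, or documenting that `cwd` is expected to be a fresh directory. The symlink and link branches containing these two call sites start outside the quoted hunks.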