Version in base suite: 2.1.3-0+deb12u1

Base version: node-tar-fs_2.1.3-0+deb12u1
Target version: node-tar-fs_2.1.3-0+deb12u2
Base file: /srv/ftp-master.debian.org/ftp/pool/main/n/node-tar-fs/node-tar-fs_2.1.3-0+deb12u1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/n/node-tar-fs/node-tar-fs_2.1.3-0+deb12u2.dsc

 changelog                    |    6 ++++++
 patches/CVE-2025-59343.patch |   39 +++++++++++++++++++++++++++++++++++++++
 patches/series               |    1 +
 3 files changed, 46 insertions(+)

diff: /srv/release.debian.org/tmp/tyJ7rctfFv/node-tar-fs-2.1.3/test/fixtures/e/symlink: Too many levels of symbolic links
diff: /srv/release.debian.org/tmp/_jzxCC1V9H/node-tar-fs-2.1.3/test/fixtures/e/symlink: Too many levels of symbolic links
diff -Nru node-tar-fs-2.1.3/debian/changelog node-tar-fs-2.1.3/debian/changelog
--- node-tar-fs-2.1.3/debian/changelog	2025-06-09 19:02:36.000000000 +0000
+++ node-tar-fs-2.1.3/debian/changelog	2025-09-25 21:12:11.000000000 +0000
@@ -1,3 +1,9 @@
+node-tar-fs (2.1.3-0+deb12u2) bookworm-security; urgency=medium
+
+  * Apply fix for CVE-2025-59343 (Closes: #1116338)
+
+ -- Xavier Guimard <yadd@debian.org>  Thu, 25 Sep 2025 23:12:11 +0200
+
 node-tar-fs (2.1.3-0+deb12u1) bookworm; urgency=medium
 
   * Non-maintainer upload.
diff -Nru node-tar-fs-2.1.3/debian/patches/CVE-2025-59343.patch node-tar-fs-2.1.3/debian/patches/CVE-2025-59343.patch
--- node-tar-fs-2.1.3/debian/patches/CVE-2025-59343.patch	1970-01-01 00:00:00.000000000 +0000
+++ node-tar-fs-2.1.3/debian/patches/CVE-2025-59343.patch	2025-09-25 21:12:11.000000000 +0000
@@ -0,0 +1,39 @@
+Description: import CVE-2025-59343 fix
+Author: Mathias Buus <mathiasbuus@gmail.com>
+Origin: upstream, https://github.com/mafintosh/tar-fs/commit/c412fa13
+Bug: https://github.com/mafintosh/tar-fs/security/advisories/GHSA-vj76-c3g6-qr5v
+Bug-Debian: https://bugs.debian.org/1116338
+Forwarded: not-needed
+Applied-Upstream: 2.1.4, commit:c412fa13
+Reviewed-By: Xavier Guimard <yadd@debian.org>
+Last-Update: 2025-09-25
+
+--- a/index.js
++++ b/index.js
+@@ -261,7 +261,7 @@
+       if (win32) return next() // skip symlinks on win for now before it can be tested
+       xfs.unlink(name, function () {
+         var dst = path.resolve(path.dirname(name), header.linkname)
+-        if (!dst.startsWith(path.resolve(cwd))) return next(new Error(name + ' is not a valid symlink'))
++        if (!inCwd(dst, cwd)) return next(new Error(name + ' is not a valid symlink'))
+ 
+         xfs.symlink(header.linkname, name, stat)
+       })
+@@ -273,7 +273,7 @@
+         var srcpath = path.join(cwd, path.join('/', header.linkname))
+ 
+         xfs.realpath(srcpath, function (err, dst) {
+-          if (err || !dst.startsWith(path.resolve(cwd))) return next(new Error(name + ' is not a valid hardlink'))
++          if (err || !inCwd(dst, cwd)) return next(new Error(name + ' is not a valid hardlink'))
+ 
+           xfs.link(dst, name, function (err) {
+             if (err && err.code === 'EPERM' && opts.hardlinkAsFilesFallback) {
+@@ -356,3 +356,8 @@
+     }
+   })
+ }
++
++function inCwd (dst, cwd) {
++  cwd = path.resolve(cwd)
++  return cwd === dst || dst.startsWith(cwd + path.sep)
++}
diff -Nru node-tar-fs-2.1.3/debian/patches/series node-tar-fs-2.1.3/debian/patches/series
--- node-tar-fs-2.1.3/debian/patches/series	1970-01-01 00:00:00.000000000 +0000
+++ node-tar-fs-2.1.3/debian/patches/series	2025-09-25 21:12:11.000000000 +0000
@@ -0,0 +1 @@
+CVE-2025-59343.patch