Version in base suite: 0.2.8-1.1 Base version: node-xml2js_0.2.8-1.1 Target version: node-xml2js_0.2.8-1.1+deb11u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/n/node-xml2js/node-xml2js_0.2.8-1.1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/n/node-xml2js/node-xml2js_0.2.8-1.1+deb11u1.dsc changelog | 7 ++++++ patches/CVE-2023-0842.patch | 46 ++++++++++++++++++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 54 insertions(+)
diff -Nru node-xml2js-0.2.8/debian/changelog node-xml2js-0.2.8/debian/changelog
--- node-xml2js-0.2.8/debian/changelog 2020-12-29 00:47:54.000000000 +0000
+++ node-xml2js-0.2.8/debian/changelog 2023-07-26 04:27:13.000000000 +0000
@@ -1,3 +1,10 @@
+node-xml2js (0.2.8-1.1+deb11u1) bullseye; urgency=medium
+
+ * Team upload
+ * Add patch to prevent prototype pollution (Closes: #1034148, CVE-2023-0842)
+
+ -- Yadd Wed, 26 Jul 2023 08:27:13 +0400
+
 node-xml2js (0.2.8-1.1) unstable; urgency=medium

 * Non maintainer upload by the Reproducible Builds team.
diff -Nru node-xml2js-0.2.8/debian/patches/CVE-2023-0842.patch node-xml2js-0.2.8/debian/patches/CVE-2023-0842.patch
--- node-xml2js-0.2.8/debian/patches/CVE-2023-0842.patch 1970-01-01 00:00:00.000000000 +0000
+++ node-xml2js-0.2.8/debian/patches/CVE-2023-0842.patch 2023-07-26 04:24:08.000000000 +0000
@@ -0,0 +1,46 @@
+Description: use Object.create(null) to create all parsed objects
+ (prevent prototype replacement)
+Author: James Crosby
+Origin: upstream, commit:581b19a6
+Bug: https://github.com/advisories/GHSA-776f-qx25-q3cc
+Bug-Debian: https://bugs.debian.org/1034148
+Forwarded: not-needed
+Applied-Upstream: 0.5.0, commit:581b19a6
+Reviewed-By: Yadd
+Last-Update: 2023-04-21
+
+--- a/src/xml2js.coffee
++++ b/src/xml2js.coffee
+@@ -105,12 +105,12 @@
+ charkey = @options.charkey
+
+ @saxParser.onopentag = (node) =>
+- obj = {}
++ obj = Object.create(null)
+ obj[charkey] = ""
+ unless @options.ignoreAttrs
+ for own key of node.attributes
+ if attrkey not of obj and not @options.mergeAttrs
+- obj[attrkey] = {}
++ obj[attrkey] = Object.create(null)
+ if @options.mergeAttrs
+ obj[key] = node.attributes[key]
+ else
+@@ -158,7 +158,7 @@
+
+ # put children into property and unfold chars if necessary
+ if @options.explicitChildren and not @options.mergeAttrs and typeof obj is 'object'
+- node = {}
++ node = Object.create(null)
+ # separate attributes
+ if @options.attrkey of obj
+ node[@options.attrkey] = obj[@options.attrkey]
+@@ -193,7 +193,7 @@
+ if @options.explicitRoot
+ # avoid circular references
+ old = obj
+- obj = {}
++ obj = Object.create(null)
+ obj[nodeName] = old
+
+ @resultObject = obj
diff -Nru node-xml2js-0.2.8/debian/patches/series node-xml2js-0.2.8/debian/patches/series
--- node-xml2js-0.2.8/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ node-xml2js-0.2.8/debian/patches/series 2023-07-26 04:24:08.000000000 +0000
@@ -0,0 +1 @@
+CVE-2023-0842.patch
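Review bot: Switching the four object literals at the `onopentag` handler (line 105), the `explicitChildren` branch (158) and the `explicitRoot` wrapper (193) to `Object.create(null)` is a visible API change for a stable update, and the DEP-3 header does not record it: result objects no longer inherit from `Object.prototype`, so callers that use `result.hasOwnProperty(k)`, `result.toString()`, `k of result` lookups expecting inherited names, or `deepStrictEqual` against plain literals (which compares prototypes) will behave differently than on 0.2.8. The hedge is that this is exactly what makes the fix work — on a null-prototype object an element or attribute named `__proto__` written through `obj[key] = node.attributes[key]` becomes an ordinary own property instead of reassigning the prototype — so the change itself is right; only the compatibility note is missing. I would extend the Description with a line such as `+ Note: parsed objects no longer inherit from Object.prototype; use Object.keys()/Object.hasOwn() rather than prototype methods on results.` and, if the package runs its test suite at build time, check that no existing assertion compares results with `deepStrictEqual` against `{}` literals. The three inner hunks are excerpts of parser methods whose bodies start and end outside this patch.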