Version in base suite: 1.3.0-1+deb11u1
Base version: grunt_1.3.0-1+deb11u1
Target version: grunt_1.3.0-1+deb11u2
Base file: /srv/ftp-master.debian.org/ftp/pool/main/g/grunt/grunt_1.3.0-1+deb11u1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/g/grunt/grunt_1.3.0-1+deb11u2.dsc
 changelog | 7 +++++++
 patches/CVE-2022-1537.patch | 39 +++++++++++++++++++++++++++++++++++++++
 patches/series | 1 +
 3 files changed, 47 insertions(+)
diff -Nru grunt-1.3.0/debian/changelog grunt-1.3.0/debian/changelog
--- grunt-1.3.0/debian/changelog 2022-04-26 14:38:52.000000000 +0000
+++ grunt-1.3.0/debian/changelog 2023-05-31 10:59:30.000000000 +0000
@@ -1,3 +1,10 @@
+grunt (1.3.0-1+deb11u2) bullseye; urgency=medium
+
+ * Team upload
+ * Patch up race condition in symlink copying (Closes: CVE-2022-1537)
+
+ -- Yadd Wed, 31 May 2023 14:59:30 +0400
+
 grunt (1.3.0-1+deb11u1) bullseye; urgency=medium

 * Team upload
diff -Nru grunt-1.3.0/debian/patches/CVE-2022-1537.patch grunt-1.3.0/debian/patches/CVE-2022-1537.patch
--- grunt-1.3.0/debian/patches/CVE-2022-1537.patch 1970-01-01 00:00:00.000000000 +0000
+++ grunt-1.3.0/debian/patches/CVE-2022-1537.patch 2023-05-31 10:59:30.000000000 +0000
@@ -0,0 +1,39 @@
+Description: Patch up race condition in symlink copying
+Author: Vlad Filippov
+Origin: upstream, https://github.com/gruntjs/grunt/commit/58016ffa
+Bug: https://huntr.dev/bounties/0179c3e5-bc02-4fc9-8491-a1a319b51b4d/
+Forwarded: not-needed
+Applied-Upstream: 1.5.3, commit:58016ffa
+Reviewed-By: Yadd
+Last-Update: 2023-05-31
+
+--- a/lib/grunt/file.js
++++ b/lib/grunt/file.js
+@@ -333,8 +333,8 @@
+ }
+ }
+ // Abort copy if the process function returns false.
+- if (contents === false) {
+- grunt.verbose.writeln('Write aborted.');
++ if (contents === false || file.isLink(destpath)) {
++ grunt.verbose.writeln('Write aborted. Either the process function returned false or the destination is a symlink');
+ } else {
+ file.write(destpath, contents, readWriteOptions);
+ }
+--- a/test/grunt/file_test.js
++++ b/test/grunt/file_test.js
+@@ -916,5 +916,13 @@
+ test.ok(fs.lstatSync(path.join(destdir.path, path.basename(fixtures))).isSymbolicLink());
+ test.done();
+ },
+- }
++ },
++ 'symbolicLinkDestError': function(test) {
++ test.expect(1);
++ var tmpfile = new Tempdir();
++ fs.symlinkSync(path.resolve('test/fixtures/octocat.png'), path.join(tmpfile.path, 'octocat.png'), 'file');
++ grunt.file.copy(path.resolve('test/fixtures/octocat.png'), path.join(tmpfile.path, 'octocat.png'));
++ test.ok(fs.lstatSync(path.join(tmpfile.path, 'octocat.png')).isSymbolicLink());
++ test.done();
++ },
+ };
diff -Nru grunt-1.3.0/debian/patches/series grunt-1.3.0/debian/patches/series
--- grunt-1.3.0/debian/patches/series 2022-04-26 14:38:52.000000000 +0000
+++ grunt-1.3.0/debian/patches/series 2023-05-31 10:59:30.000000000 +0000
@@ -2,3 +2,4 @@
 fix-for-coffescript.diff
 adapt-gruntfile.patch
 CVE-2022-0436.patch
+CVE-2022-1537.patch
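Review bot: In the `lib/grunt/file.js` hunk, the added `file.isLink(destpath)` test and the `file.write(destpath, …)` call in the `else` branch are two separate filesystem operations, so the window between them stays open and the patch narrows the CVE-2022-1537 race rather than closing it. The body of `file.write` is outside this hunk, but if it opens the path with an ordinary write, a link that appears after the check would presumably still be followed, and only the final path component appears to be tested. A tighter fix would make the check and the write a single operation, for example by opening the destination with `fs.constants.O_NOFOLLOW` where the platform supports it, or by writing a temporary file and renaming it over the destination. Separately, a refused copy is reported only through `grunt.verbose.writeln`, so without `--verbose` it looks like a success; a dedicated branch with `grunt.log.warn('Skipped ' + destpath + ': destination is a symlink');` would make it visible. The enclosing copy function starts and ends outside the hunk, and the new test in `file_test.js` links the destination to the same fixture it copies from, so it cannot show that the link target's content was left untouched.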