Version in base suite: 2.29.1+ds-2 Base version: node-moment_2.29.1+ds-2 Target version: node-moment_2.29.1+ds-2+deb11u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/n/node-moment/node-moment_2.29.1+ds-2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/n/node-moment/node-moment_2.29.1+ds-2+deb11u1.dsc changelog | 7 +++++++ patches/CVE-2022-24785.patch | 33 +++++++++++++++++++++++++++++++++ patches/series | 1 + 3 files changed, 41 insertions(+)
diff -Nru node-moment-2.29.1+ds/debian/changelog node-moment-2.29.1+ds/debian/changelog
--- node-moment-2.29.1+ds/debian/changelog 2020-11-09 16:06:05.000000000 +0000
+++ node-moment-2.29.1+ds/debian/changelog 2022-04-12 04:35:01.000000000 +0000
@@ -1,3 +1,10 @@
+node-moment (2.29.1+ds-2+deb11u1) bullseye; urgency=medium
+
+ * Avoid loading path-looking locales from fs (Closes: #1009327,
+ CVE-2022-24785)
+
+ -- Yadd Tue, 12 Apr 2022 06:35:01 +0200
+
 node-moment (2.29.1+ds-2) unstable; urgency=medium
 
 * Install TypeScript typings more correctly.
diff -Nru node-moment-2.29.1+ds/debian/patches/CVE-2022-24785.patch node-moment-2.29.1+ds/debian/patches/CVE-2022-24785.patch
--- node-moment-2.29.1+ds/debian/patches/CVE-2022-24785.patch 1970-01-01 00:00:00.000000000 +0000
+++ node-moment-2.29.1+ds/debian/patches/CVE-2022-24785.patch 2022-04-12 04:35:01.000000000 +0000
@@ -0,0 +1,33 @@
+Description: Avoid loading path-looking locales from fs
+Author: Iskren Chernev
+Origin: upstream, https://github.com/moment/moment/commit/4211bfc8
+Bug: https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4
+Bug-Debian: https://bugs.debian.org/1009327
+Forwarded: not-needed
+Reviewed-By: Yadd
+Last-Update: 2022-04-12
+
+--- a/src/lib/locale/locales.js
++++ b/src/lib/locale/locales.js
+@@ -62,6 +62,11 @@
+ return globalLocale;
+ }
+
++function isLocaleNameSane(name) {
++ // Prevent names that look like filesystem paths, i.e contain '/' or '\'
++ return name.match('^[^/\\\\]*$') != null;
++}
++
+ function loadLocale(name) {
+ var oldLocale = null,
+ aliasedRequire;
+@@ -70,7 +75,8 @@
+ locales[name] === undefined &&
+ typeof module !== 'undefined' &&
+ module &&
+- module.exports
++ module.exports &&
++ isLocaleNameSane(name)
+ ) {
+ try {
+ oldLocale = globalLocale._abbr;
diff -Nru node-moment-2.29.1+ds/debian/patches/series node-moment-2.29.1+ds/debian/patches/series
--- node-moment-2.29.1+ds/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ node-moment-2.29.1+ds/debian/patches/series 2022-04-12 04:35:01.000000000 +0000
@@ -0,0 +1 @@
+CVE-2022-24785.patch
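Review bot: The new `isLocaleNameSane` helper in debian/patches/CVE-2022-24785.patch calls `name.match(...)` without checking that `name` is a string, and the call sits in the `if` condition of `loadLocale`, before the `try {` that follows it. A non-string locale key that reaches this condition would therefore raise a TypeError rather than being rejected; whether callers can pass such a value is not visible here, because `loadLocale` starts inside the hunk and continues past it. A type guard keeps the check fail-closed: `return typeof name === 'string' && name.match('^[^/\\\\]*$') != null;`. The comment could also state that the check is a deny-list of the two path separators only, and that it guards only the filesystem load named in the patch header, since it is evaluated only when `locales[name] === undefined`. The patch touches only `src/lib/locale/locales.js`, so a regression test with one name containing `/` and one containing `\` would pin the intended behaviour for this backport.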