Version in base suite: 4.0.0-2 Base version: node-tough-cookie_4.0.0-2 Target version: node-tough-cookie_4.0.0-2+deb11u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/n/node-tough-cookie/node-tough-cookie_4.0.0-2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/n/node-tough-cookie/node-tough-cookie_4.0.0-2+deb11u1.dsc changelog | 7 ++++ patches/CVE-2023-26136.patch | 71 +++++++++++++++++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 79 insertions(+)
diff -Nru node-tough-cookie-4.0.0/debian/changelog node-tough-cookie-4.0.0/debian/changelog
--- node-tough-cookie-4.0.0/debian/changelog 2020-11-27 05:23:44.000000000 +0000
+++ node-tough-cookie-4.0.0/debian/changelog 2023-07-09 04:32:32.000000000 +0000
@@ -1,3 +1,10 @@
+node-tough-cookie (4.0.0-2+deb11u1) bullseye; urgency=medium
+
+ * Team upload
+ * Fix prototype pollution (Closes: CVE-2023-26136)
+
+ -- Yadd Sun, 09 Jul 2023 08:32:32 +0400
+
 node-tough-cookie (4.0.0-2) unstable; urgency=medium
 
 * Team upload
diff -Nru node-tough-cookie-4.0.0/debian/patches/CVE-2023-26136.patch node-tough-cookie-4.0.0/debian/patches/CVE-2023-26136.patch
--- node-tough-cookie-4.0.0/debian/patches/CVE-2023-26136.patch 1970-01-01 00:00:00.000000000 +0000
+++ node-tough-cookie-4.0.0/debian/patches/CVE-2023-26136.patch 2023-07-09 04:32:32.000000000 +0000
@@ -0,0 +1,71 @@
+Description: Fix prototype pollution
+ CVE-2023-26136
+Author: Yadd
+Forwarded: not-needed
+Last-Update: 2023-07-07
+
+--- a/lib/memstore.js
++++ b/lib/memstore.js
+@@ -39,7 +39,7 @@
+ constructor() {
+ super();
+ this.synchronous = true;
+- this.idx = {};
++ this.idx = Object.create(null);
+ if (util.inspect.custom) {
+ this[util.inspect.custom] = this.inspect;
+ }
+@@ -109,10 +109,10 @@
+
+ putCookie(cookie, cb) {
+ if (!this.idx[cookie.domain]) {
+- this.idx[cookie.domain] = {};
++ this.idx[cookie.domain] = Object.create(null);
+ }
+ if (!this.idx[cookie.domain][cookie.path]) {
+- this.idx[cookie.domain][cookie.path] = {};
++ this.idx[cookie.domain][cookie.path] = Object.create(null);
+ }
+ this.idx[cookie.domain][cookie.path][cookie.key] = cookie;
+ cb(null);
+@@ -144,7 +144,7 @@
+ return cb(null);
+ }
+ removeAllCookies(cb) {
+- this.idx = {};
++ this.idx = Object.create(null);
+ return cb(null);
+ }
+ getAllCookies(cb) {
+--- a/test/cookie_jar_test.js
++++ b/test/cookie_jar_test.js
+@@ -669,4 +669,29 @@
+ }
+ }
+ })
++ .addBatch({
++ "Issue #282 - Prototype pollution": {
++ "when setting a cookie with the domain __proto__": {
++ topic: function() {
++ const jar = new tough.CookieJar(undefined, {
++ rejectPublicSuffixes: false
++ });
++ // try to pollute the prototype
++ jar.setCookieSync(
++ "Slonser=polluted; Domain=__proto__; Path=/notauth",
++ "https://__proto__/admin"
++ );
++ jar.setCookieSync(
++ "Auth=Lol; Domain=google.com; Path=/notauth",
++ "https://google.com/"
++ );
++ this.callback();
++ },
++ "results in a cookie that is not affected by the attempted prototype pollution": function() {
++ const pollutedObject = {};
++ assert(pollutedObject["/notauth"] === undefined);
++ }
++ }
++ }
++ })
+ .export(module);
diff -Nru node-tough-cookie-4.0.0/debian/patches/series node-tough-cookie-4.0.0/debian/patches/series
--- node-tough-cookie-4.0.0/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++
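Review bot: The header of the new `CVE-2023-26136.patch` gives `Author: Yadd` and `Forwarded: not-needed` but no `Origin:` field, although the test it adds is titled "Issue #282", which suggests the change was taken from upstream. For a security backport I would add `Origin: upstream, <upstream commit URL>` so the Debian patch can be compared line by line against the upstream fix. On the code, the `Object.create(null)` replacements cover every index object created in the visible hunks (constructor, `putCookie`, `removeAllCookies`). The rest of `lib/memstore.js` lies outside the hunks and should be checked for calls to inherited methods such as `hasOwnProperty` on `this.idx` or its children, which a null-prototype object no longer has. The added test only asserts that a fresh `{}` has no `/notauth` property; it could also assert that the `google.com` cookie is still retrievable from the jar, so the test shows the store keeps working as well as that the prototype is untouched.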
node-tough-cookie-4.0.0/debian/patches/series 2023-07-09 04:32:32.000000000 +0000
@@ -0,0 +1 @@
+CVE-2023-26136.patch