Version in base suite: 12.22.12~dfsg-1~deb11u3
Base version: nodejs_12.22.12~dfsg-1~deb11u3
Target version: nodejs_12.22.12~dfsg-1~deb11u4
Base file: /srv/ftp-master.debian.org/ftp/pool/main/n/nodejs/nodejs_12.22.12~dfsg-1~deb11u3.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/n/nodejs/nodejs_12.22.12~dfsg-1~deb11u4.dsc
 changelog | 8 ++++++++
 patches/cve-2023-23920.patch | 32 ++++++++++++++++++++++++++++++++
 patches/series | 1 +
 3 files changed, 41 insertions(+)
diff -Nru nodejs-12.22.12~dfsg/debian/changelog nodejs-12.22.12~dfsg/debian/changelog
--- nodejs-12.22.12~dfsg/debian/changelog 2023-01-19 12:10:10.000000000 +0000
+++ nodejs-12.22.12~dfsg/debian/changelog 2023-04-26 14:52:32.000000000 +0000
@@ -1,3 +1,11 @@
+nodejs (12.22.12~dfsg-1~deb11u4) bullseye-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * CVE-2023-23920: insecure loading of ICU data through ICU_DATA environment
+ variable.
+
+ -- Aron Xu Wed, 26 Apr 2023 22:52:32 +0800
+
 nodejs (12.22.12~dfsg-1~deb11u3) bullseye-security; urgency=high
 
 * Non-maintainer upload by the Security Team.
diff -Nru nodejs-12.22.12~dfsg/debian/patches/cve-2023-23920.patch nodejs-12.22.12~dfsg/debian/patches/cve-2023-23920.patch
--- nodejs-12.22.12~dfsg/debian/patches/cve-2023-23920.patch 1970-01-01 00:00:00.000000000 +0000
+++ nodejs-12.22.12~dfsg/debian/patches/cve-2023-23920.patch 2023-04-26 14:49:52.000000000 +0000
@@ -0,0 +1,32 @@
+From: RafaelGSS
+Date: Wed, 18 Jan 2023 17:37:37 -0300
+Subject: build: build ICU with ICU_NO_USER_DATA_OVERRIDE
+
+Origin: https://github.com/nodejs/node/commit/97a0443f1369e65cf656a529b2f5433bfd56ad92
+Bug: https://security-tracker.debian.org/tracker/CVE-2023-23920
+Bug-Debian: https://bugs.debian.org/1031834
+CVE-ID: CVE-2023-23920
+Backport-PR-URL: https://github.com/nodejs-private/node-private/pull/377
+PR-URL: https://github.com/nodejs-private/node-private/pull/374
+Refs: https://hackerone.com/bugs?subject=nodejs&report_id=1625036
+Reviewed-By: Ben Noordhuis
+Reviewed-By: Richard Lau
+Reviewed-By: Michael Dawson
+---
+ configure.py | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/configure.py b/configure.py
+index 5d446a5..d3ffa87 100755
+--- a/configure.py
++++ b/configure.py
+@@ -1391,6 +1391,9 @@ def configure_intl(o):
+ # always set icu_small, node.gyp depends on it being defined.
+ o['variables']['icu_small'] = b(False)
+
++ # prevent data override
++ o['defines'] += ['ICU_NO_USER_DATA_OVERRIDE']
++
+ with_intl = options.with_intl
+ with_icu_source = options.with_icu_source
+ have_icu_path = bool(options.with_icu_path)
diff -Nru nodejs-12.22.12~dfsg/debian/patches/series nodejs-12.22.12~dfsg/debian/patches/series
--- nodejs-12.22.12~dfsg/debian/patches/series 2023-01-07 11:27:22.000000000 +0000
+++ nodejs-12.22.12~dfsg/debian/patches/series 2023-04-26 14:50:12.000000000 +0000
@@ -24,3 +24,4 @@
 cve-2022-35255.patch
 cve-2022-43548.patch
 cve-llhttp.patch
+cve-2023-23920.patch
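Review bot: `o['defines'] += ['ICU_NO_USER_DATA_OVERRIDE']` is appended before `with_intl` is inspected, so it is emitted for every configuration, but as far as I can tell the macro is honoured inside ICU's own data loader (udata.cpp), which means it only changes behaviour when libicu is compiled from the bundled deps/icu sources; for a `--with-intl=system-icu` build the flag never reaches the system libicuuc and the ICU_DATA lookup is unchanged. Whether bullseye's nodejs links the system ICU is not visible in this diff (debian/rules is not shown), but if it does, this backport is effectively a no-op for CVE-2023-23920 and the mitigation depends on the libicu package instead — worth confirming before shipping and recording in the patch header, e.g. `Comment: Only effective for bundled-ICU builds; system-icu builds rely on libicu's own handling of ICU_DATA.` Independently, `# prevent data override` could say what is being prevented: `# Ignore the ICU_DATA env var so a caller cannot substitute the ICU data file (CVE-2023-23920).` configure_intl() continues beyond the hunk.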