Version in base suite: 3.0.9+~cs2.0.4-1
Base version: node-tar-fs_3.0.9+~cs2.0.4-1
Target version: node-tar-fs_3.0.9+~cs2.0.4-1+deb13u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/n/node-tar-fs/node-tar-fs_3.0.9+~cs2.0.4-1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/n/node-tar-fs/node-tar-fs_3.0.9+~cs2.0.4-1+deb13u1.dsc
 changelog | 7 +++++++
 patches/CVE-2025-59343.patch | 27 +++++++++++++++++++++++++++
 patches/series | 1 +
 3 files changed, 35 insertions(+)
diff: /srv/release.debian.org/tmp/jVdF41RFji/node-tar-fs-3.0.9+~cs2.0.4/test/fixtures/e/symlink: Too many levels of symbolic links
diff: /srv/release.debian.org/tmp/JG1mDYez2R/node-tar-fs-3.0.9+~cs2.0.4/test/fixtures/e/symlink: Too many levels of symbolic links
diff -Nru node-tar-fs-3.0.9+~cs2.0.4/debian/changelog node-tar-fs-3.0.9+~cs2.0.4/debian/changelog
--- node-tar-fs-3.0.9+~cs2.0.4/debian/changelog	2025-06-03 15:33:46.000000000 +0000
+++ node-tar-fs-3.0.9+~cs2.0.4/debian/changelog	2025-09-25 20:58:19.000000000 +0000
@@ -1,3 +1,10 @@
+node-tar-fs (3.0.9+~cs2.0.4-1+deb13u1) trixie-security; urgency=medium
+
+ * Team upload
+ * Apply fix for CVE-2025-59343 (Closes: #1116338)
+
+ -- Yadd Thu, 25 Sep 2025 22:58:19 +0200
+
 node-tar-fs (3.0.9+~cs2.0.4-1) unstable; urgency=medium
 
 * Team upload
diff -Nru node-tar-fs-3.0.9+~cs2.0.4/debian/patches/CVE-2025-59343.patch node-tar-fs-3.0.9+~cs2.0.4/debian/patches/CVE-2025-59343.patch
--- node-tar-fs-3.0.9+~cs2.0.4/debian/patches/CVE-2025-59343.patch	1970-01-01 00:00:00.000000000 +0000
+++ node-tar-fs-3.0.9+~cs2.0.4/debian/patches/CVE-2025-59343.patch	2025-09-25 20:58:19.000000000 +0000
@@ -0,0 +1,27 @@
+Description: expand check
+ tar-fs provides filesystem bindings for tar-stream. Versions prior
+ to 3.1.1, 2.1.3, and 1.16.5 are vulnerable to symlink validation
+ bypass if the destination directory is predictable with a specific
+ tarball. This issue has been patched in version 3.1.1, 2.1.4, and
+ 1.16.6. A workaround involves using the ignore option on non
+ files/directories.
+Author: Mathias Buus
+Origin: upstream, https://github.com/mafintosh/tar-fs/commit/0bd54cdf
+Bug: https://github.com/roddhjav/apparmor.d/tree/main/debian
+Bug-Debian: https://bugs.debian.org/1116338
+Forwarded: not-needed
+Applied-Upstream: 3.1.1, commit:0bd54cdf
+Reviewed-By: Xavier Guimard
+Last-Update: 2025-09-25
+
+--- a/index.js
++++ b/index.js
+@@ -246,7 +246,7 @@
+ }
+
+ function inCwd (dst) {
+- return dst.startsWith(cwd)
++ return dst === cwd || dst.startsWith(cwd + path.sep)
+ }
+
+ function onfile () {
diff -Nru node-tar-fs-3.0.9+~cs2.0.4/debian/patches/series node-tar-fs-3.0.9+~cs2.0.4/debian/patches/series
--- node-tar-fs-3.0.9+~cs2.0.4/debian/patches/series	2025-03-31 05:41:23.000000000 +0000
+++ node-tar-fs-3.0.9+~cs2.0.4/debian/patches/series	2025-09-25 20:58:19.000000000 +0000
@@ -1 +1,2 @@
 keep-test-with-tape.patch
+CVE-2025-59343.patch
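Review bot: The `Bug:` field of the new DEP-3 header, `Bug: https://github.com/roddhjav/apparmor.d/tree/main/debian`, points at an unrelated project and reads like a copy-paste leftover; it should be dropped or replaced with the upstream advisory the description paragraph was taken from, since `Origin:` already records the upstream commit. The code change itself is sound: the old `dst.startsWith(cwd)` accepted any resolved path whose string prefix matched the destination, including a sibling directory whose name merely begins with the cwd string, while the new `dst === cwd || dst.startsWith(cwd + path.sep)` limits acceptance to the destination and its descendants. It does assume `cwd` is a normalised absolute path with no trailing separator; if `cwd` can be a filesystem root (`/` on POSIX), `cwd + path.sep` becomes `//` and every entry would be rejected, so that assumption is worth confirming where `cwd` is computed, which is outside this hunk. The description also lists two different version sets (`2.1.3, and 1.16.5` as vulnerable-before versus `2.1.4, and 1.16.6` as patched); the wording is copied from the advisory, but a one-line note on which upstream release the Debian backport corresponds to would help future readers.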