Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:wget2
User: [email protected]
Usertags: pu
This fixes two minor security issues. debdiff below.
Cheers,
Moritz
diff -Nru wget2-2.2.0+ds/debian/changelog wget2-2.2.0+ds/debian/changelog
--- wget2-2.2.0+ds/debian/changelog 2025-03-04 08:03:02.000000000 +0100
+++ wget2-2.2.0+ds/debian/changelog 2026-01-18 19:55:34.000000000 +0100
@@ -1,3 +1,10 @@
+wget2 (2.2.0+ds-1+deb13u1) trixie; urgency=medium
+
+ * CVE-2025-69194 (Closes: #1124378)
+ * CVE-2025-69195 (Closes: #1124377)
+
+ -- Moritz Mühlenhoff <[email protected]> Sun, 18 Jan 2026 19:56:28 +0100
+
wget2 (2.2.0+ds-1) unstable; urgency=medium
* Team upload to unstable (salsa debian group).
diff -Nru wget2-2.2.0+ds/debian/patches/CVE-2025-69194.patch
wget2-2.2.0+ds/debian/patches/CVE-2025-69194.patch
--- wget2-2.2.0+ds/debian/patches/CVE-2025-69194.patch 1970-01-01
01:00:00.000000000 +0100
+++ wget2-2.2.0+ds/debian/patches/CVE-2025-69194.patch 2026-01-06
09:06:22.000000000 +0100
@@ -0,0 +1,98 @@
+From 684be4785280fbe6b8666080bbdd87e7e5299ac5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim=20R=C3=BChsen?= <[email protected]>
+Date: Fri, 26 Dec 2025 19:03:35 +0100
+Subject: [PATCH] Fix file overwrite issue with metalink
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+--- wget2-2.2.0+ds.orig/libwget/metalink.c
++++ wget2-2.2.0+ds/libwget/metalink.c
+@@ -169,6 +169,25 @@ static void add_mirror(metalink_context
+ ctx->priority = 999999;
+ }
+
++static const char *sanitized_filename(const char *in)
++{
++ // RFC 5854:
++ // The path MUST NOT contain any directory traversal
++ // directives or information. The path MUST be relative. The path
++ // MUST NOT begin with a "/", "./", or "../"; contain "/../"; or end
++ // with "/..".
++ if (*in == '/'
++ || !strncmp(in, "./", 2)
++ || !strncmp(in, "../", 3)
++ || strstr(in, "/../")
++ || wget_match_tail(in, "/../"))
++ {
++ return NULL;
++ }
++
++ return wget_strdup(in);
++}
++
+ static void metalink_parse(void *context, int flags, const char *dir, const
char *attr, const char *val, size_t len, size_t pos WGET_GCC_UNUSED)
+ {
+ metalink_context *ctx = context;
+@@ -194,7 +213,7 @@ static void metalink_parse(void *context
+ if (attr) {
+ if (*dir == 0) { // /metalink/file
+ if (!ctx->metalink->name &&
!wget_strcasecmp_ascii(attr, "name")) {
+- ctx->metalink->name =
wget_strdup(value);
++ ctx->metalink->name =
sanitized_filename(value);
+ }
+ } else if (!wget_strcasecmp_ascii(dir,
"/verification/pieces")) {
+ if (!wget_strcasecmp_ascii(attr, "type")) {
+@@ -239,7 +258,7 @@ static void metalink_parse(void *context
+ if (attr) {
+ if (*dir == 0) { // /metalink/file
+ if (!ctx->metalink->name &&
!wget_strcasecmp_ascii(attr, "name")) {
+- ctx->metalink->name =
wget_strdup(value);
++ ctx->metalink->name =
sanitized_filename(value);
+ }
+ } else if (!wget_strcasecmp_ascii(dir, "/pieces")) {
+ if (!wget_strcasecmp_ascii(attr, "type")) {
+--- wget2-2.2.0+ds.orig/src/wget.c
++++ wget2-2.2.0+ds/src/wget.c
+@@ -2178,18 +2178,26 @@ static void process_response(wget_http_r
+ error_printf(_("File length %llu - remove
job\n"), (unsigned long long)job->metalink->size);
+ } else if (!job->metalink->mirrors) {
+ error_printf(_("No download mirrors found -
remove job\n"));
++ } else if (!job->metalink->name ||
!*job->metalink->name) {
++ error_printf(_("Metalink file name is invalid,
missing or empty - remove job\n"));
+ } else {
+ // just loaded a metalink description, create
parts and sort mirrors
+
+ // start or resume downloading
+ if (!job_validate_file(job)) {
+- // sort mirrors by priority to download
from highest priority first
+-
wget_metalink_sort_mirrors(job->metalink);
++ // Account for retries
++ if (config.tries && ++job->failures >
config.tries) {
++ error_printf(_("Metalink
validation failed: max tries reached - remove job\n"));
++ job->done = 1;
++ } else {
++ // sort mirrors by priority to
download from highest priority first
++
wget_metalink_sort_mirrors(job->metalink);
+
+- // wake up sleeping workers
+- wget_thread_cond_signal(worker_cond);
++ // wake up sleeping workers
++
wget_thread_cond_signal(worker_cond);
+
+- job->done = 0; // do not remove this
job from queue yet
++ job->done = 0; // do not remove
this job from queue yet
++ }
+ } // else file already downloaded and checksum
ok
+ }
+ return;
+@@ -3100,6 +3108,9 @@ void metalink_parse_localfile(const char
+ } else if (!metalink->mirrors) {
+ error_printf(_("No download mirrors found\n"));
+ wget_metalink_free(&metalink);
++ } else if (!metalink->name || !*metalink->name) {
++ error_printf(_("Metalink file name is missing or
empty\n"));
++ wget_metalink_free(&metalink);
+ } else {
+ // create parts and sort mirrors
+ JOB job = { .metalink = metalink };
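Review bot: The suffix check in `sanitized_filename` tests for `"/../"`, while the RFC 5854 rule quoted directly above it forbids a path that ends with `"/.."`, so a name such as `dir/..` or a bare `..` passes every clause and reaches `wget_strdup`; add `|| !strcmp(in, "..") || wget_match_tail(in, "/..")` to the condition (the existing `"/../"` tail case is then already covered by the `strstr`). That `wget_match_tail` is a plain suffix test is inferred from its name and should be confirmed. The filter treats only `/` as a separator; if the build supports platforms where `\` also separates path components, each clause needs a backslash counterpart. Since a rejected name leaves `ctx->metalink->name` NULL, the `!ctx->metalink->name` guard at both call sites lets a later `name` attribute still populate it, which may or may not be intended. `metalink_parse` continues past the hunk, and `process_response` and `metalink_parse_localfile` both start and end outside it, so the new `name` checks could not be reviewed against the rest of those functions.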
diff -Nru wget2-2.2.0+ds/debian/patches/CVE-2025-69195.patch
wget2-2.2.0+ds/debian/patches/CVE-2025-69195.patch
--- wget2-2.2.0+ds/debian/patches/CVE-2025-69195.patch 1970-01-01
01:00:00.000000000 +0100
+++ wget2-2.2.0+ds/debian/patches/CVE-2025-69195.patch 2026-01-06
09:06:55.000000000 +0100
@@ -0,0 +1,18 @@
+From fc7fcbc00e0a2c8606d44ab216195afb3f08cc98 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim=20R=C3=BChsen?= <[email protected]>
+Date: Fri, 26 Dec 2025 18:27:24 +0100
+Subject: [PATCH] Fix remote buffer overflow in get_local_filename_real()
+
+--- wget2-2.2.0+ds.orig/src/blacklist.c
++++ wget2-2.2.0+ds/src/blacklist.c
+@@ -135,8 +135,8 @@ static char * get_local_filename_real(co
+ char tmp[1024];
+
+ char *fname_esc = (sizeof(tmp) < buf.length * 3 + 1)
+- ? tmp
+- : wget_malloc(buf.length * 3 + 1);
++ ? wget_malloc(buf.length * 3 + 1)
++ : tmp;
+
+ if (wget_restrict_file_name(fname, fname_esc,
config.restrict_file_names) != fname) {
+ // escaping was really done, replace fname
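Review bot: The bound `buf.length * 3 + 1` is written twice in the corrected ternary with no explanation of the factor 3; naming it once makes the invariant explicit, e.g. `size_t esc_len = buf.length * 3 + 1; // presumably worst case: every byte escaped as %XX, plus NUL -- confirm against wget_restrict_file_name` followed by `char *fname_esc = esc_len > sizeof(tmp) ? wget_malloc(esc_len) : tmp;`. The swap itself is right: the heap path is now taken when the escaped name does not fit in `tmp`. Whether the heap buffer is released on every exit of `get_local_filename_real`, and whether `wget_malloc` can return NULL here, cannot be seen from this hunk, as the function starts and ends outside it.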
diff -Nru wget2-2.2.0+ds/debian/patches/series
wget2-2.2.0+ds/debian/patches/series
--- wget2-2.2.0+ds/debian/patches/series 2025-03-03 12:24:45.000000000
+0100
+++ wget2-2.2.0+ds/debian/patches/series 2026-01-06 09:06:41.000000000
+0100
@@ -4,3 +4,5 @@
# no_need_to_depend_from_git.patch
disable-flaky-tests.patch
remove_git_from_doxygen.patch
+CVE-2025-69194.patch
+CVE-2025-69195.patch