Your message dated Sat, 14 Mar 2026 11:48:36 +0000
with message-id <[email protected]>
and subject line Released with 13.4
has caused the Debian Bug report #1125913,
regarding trixie-pu: package wget2/2.2.0+ds-1+deb13u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1125913: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1125913
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:wget2
User: [email protected]
Usertags: pu
This fixes two minor security issues; the debdiff is below.
Cheers,
Moritz
diff -Nru wget2-2.2.0+ds/debian/changelog wget2-2.2.0+ds/debian/changelog
--- wget2-2.2.0+ds/debian/changelog 2025-03-04 08:03:02.000000000 +0100
+++ wget2-2.2.0+ds/debian/changelog 2026-01-18 19:55:34.000000000 +0100
@@ -1,3 +1,10 @@
+wget2 (2.2.0+ds-1+deb13u1) trixie; urgency=medium
+
+ * CVE-2025-69194 (Closes: #1124378)
+ * CVE-2025-69195 (Closes: #1124377)
+
+ -- Moritz Mühlenhoff <[email protected]> Sun, 18 Jan 2026 19:56:28 +0100
+
wget2 (2.2.0+ds-1) unstable; urgency=medium
* Team upload to unstable (salsa debian group).
diff -Nru wget2-2.2.0+ds/debian/patches/CVE-2025-69194.patch
wget2-2.2.0+ds/debian/patches/CVE-2025-69194.patch
--- wget2-2.2.0+ds/debian/patches/CVE-2025-69194.patch 1970-01-01
01:00:00.000000000 +0100
+++ wget2-2.2.0+ds/debian/patches/CVE-2025-69194.patch 2026-01-06
09:06:22.000000000 +0100
@@ -0,0 +1,98 @@
+From 684be4785280fbe6b8666080bbdd87e7e5299ac5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim=20R=C3=BChsen?= <[email protected]>
+Date: Fri, 26 Dec 2025 19:03:35 +0100
+Subject: [PATCH] Fix file overwrite issue with metalink
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+--- wget2-2.2.0+ds.orig/libwget/metalink.c
++++ wget2-2.2.0+ds/libwget/metalink.c
+@@ -169,6 +169,25 @@ static void add_mirror(metalink_context
+ ctx->priority = 999999;
+ }
+
++static const char *sanitized_filename(const char *in)
++{
++ // RFC 5854:
++ // The path MUST NOT contain any directory traversal
++ // directives or information. The path MUST be relative. The path
++ // MUST NOT begin with a "/", "./", or "../"; contain "/../"; or end
++ // with "/..".
++ if (*in == '/'
++ || !strncmp(in, "./", 2)
++ || !strncmp(in, "../", 3)
++ || strstr(in, "/../")
++ || wget_match_tail(in, "/../"))
++ {
++ return NULL;
++ }
++
++ return wget_strdup(in);
++}
++
+ static void metalink_parse(void *context, int flags, const char *dir, const
char *attr, const char *val, size_t len, size_t pos WGET_GCC_UNUSED)
+ {
+ metalink_context *ctx = context;
+@@ -194,7 +213,7 @@ static void metalink_parse(void *context
+ if (attr) {
+ if (*dir == 0) { // /metalink/file
+ if (!ctx->metalink->name &&
!wget_strcasecmp_ascii(attr, "name")) {
+- ctx->metalink->name =
wget_strdup(value);
++ ctx->metalink->name =
sanitized_filename(value);
+ }
+ } else if (!wget_strcasecmp_ascii(dir,
"/verification/pieces")) {
+ if (!wget_strcasecmp_ascii(attr, "type")) {
+@@ -239,7 +258,7 @@ static void metalink_parse(void *context
+ if (attr) {
+ if (*dir == 0) { // /metalink/file
+ if (!ctx->metalink->name &&
!wget_strcasecmp_ascii(attr, "name")) {
+- ctx->metalink->name =
wget_strdup(value);
++ ctx->metalink->name =
sanitized_filename(value);
+ }
+ } else if (!wget_strcasecmp_ascii(dir, "/pieces")) {
+ if (!wget_strcasecmp_ascii(attr, "type")) {
+--- wget2-2.2.0+ds.orig/src/wget.c
++++ wget2-2.2.0+ds/src/wget.c
+@@ -2178,18 +2178,26 @@ static void process_response(wget_http_r
+ error_printf(_("File length %llu - remove
job\n"), (unsigned long long)job->metalink->size);
+ } else if (!job->metalink->mirrors) {
+ error_printf(_("No download mirrors found -
remove job\n"));
++ } else if (!job->metalink->name ||
!*job->metalink->name) {
++ error_printf(_("Metalink file name is invalid,
missing or empty - remove job\n"));
+ } else {
+ // just loaded a metalink description, create
parts and sort mirrors
+
+ // start or resume downloading
+ if (!job_validate_file(job)) {
+- // sort mirrors by priority to download
from highest priority first
+-
wget_metalink_sort_mirrors(job->metalink);
++ // Account for retries
++ if (config.tries && ++job->failures >
config.tries) {
++ error_printf(_("Metalink
validation failed: max tries reached - remove job\n"));
++ job->done = 1;
++ } else {
++ // sort mirrors by priority to
download from highest priority first
++
wget_metalink_sort_mirrors(job->metalink);
+
+- // wake up sleeping workers
+- wget_thread_cond_signal(worker_cond);
++ // wake up sleeping workers
++
wget_thread_cond_signal(worker_cond);
+
+- job->done = 0; // do not remove this
job from queue yet
++ job->done = 0; // do not remove
this job from queue yet
++ }
+ } // else file already downloaded and checksum
ok
+ }
+ return;
+@@ -3100,6 +3108,9 @@ void metalink_parse_localfile(const char
+ } else if (!metalink->mirrors) {
+ error_printf(_("No download mirrors found\n"));
+ wget_metalink_free(&metalink);
++ } else if (!metalink->name || !*metalink->name) {
++ error_printf(_("Metalink file name is missing or
empty\n"));
++ wget_metalink_free(&metalink);
+ } else {
+ // create parts and sort mirrors
+ JOB job = { .metalink = metalink };
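Review bot: In sanitized_filename, the last condition `wget_match_tail(in, "/../")` duplicates the preceding `strstr(in, "/../")` check, so the RFC 5854 case quoted in the comment directly above it — a path that ends with "/.." — is not actually rejected (a name such as `foo/..` passes all five tests). If wget_match_tail compares a suffix, as its name suggests, the intended check is `|| wget_match_tail(in, "/..")`. A name consisting solely of `..` (or `.`) also passes every test; an explicit `|| !strcmp(in, "..")` would close that gap and keep the function aligned with the comment it carries. The enclosing metalink_parse and the wget.c callers are only partly visible in this hunk, so whether any later path normalization catches these cases cannot be confirmed here.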
diff -Nru wget2-2.2.0+ds/debian/patches/CVE-2025-69195.patch
wget2-2.2.0+ds/debian/patches/CVE-2025-69195.patch
--- wget2-2.2.0+ds/debian/patches/CVE-2025-69195.patch 1970-01-01
01:00:00.000000000 +0100
+++ wget2-2.2.0+ds/debian/patches/CVE-2025-69195.patch 2026-01-06
09:06:55.000000000 +0100
@@ -0,0 +1,18 @@
+From fc7fcbc00e0a2c8606d44ab216195afb3f08cc98 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim=20R=C3=BChsen?= <[email protected]>
+Date: Fri, 26 Dec 2025 18:27:24 +0100
+Subject: [PATCH] Fix remote buffer overflow in get_local_filename_real()
+
+--- wget2-2.2.0+ds.orig/src/blacklist.c
++++ wget2-2.2.0+ds/src/blacklist.c
+@@ -135,8 +135,8 @@ static char * get_local_filename_real(co
+ char tmp[1024];
+
+ char *fname_esc = (sizeof(tmp) < buf.length * 3 + 1)
+- ? tmp
+- : wget_malloc(buf.length * 3 + 1);
++ ? wget_malloc(buf.length * 3 + 1)
++ : tmp;
+
+ if (wget_restrict_file_name(fname, fname_esc,
config.restrict_file_names) != fname) {
+ // escaping was really done, replace fname
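Review bot: The size expression `buf.length * 3 + 1` is written twice in the corrected ternary, which is what made the original branch inversion easy to miss; naming it once makes the stack-versus-heap decision read directly, e.g. `size_t need = buf.length * 3 + 1;` followed by `char *fname_esc = need > sizeof(tmp) ? wget_malloc(need) : tmp;`. The matching release of fname_esc when it is not tmp lies outside the hunk, so it cannot be confirmed here that the heap branch is freed on every exit path, and whether wget_malloc can return NULL is likewise not visible. get_local_filename_real starts before and continues past the hunk.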
diff -Nru wget2-2.2.0+ds/debian/patches/series
wget2-2.2.0+ds/debian/patches/series
--- wget2-2.2.0+ds/debian/patches/series 2025-03-03 12:24:45.000000000
+0100
+++ wget2-2.2.0+ds/debian/patches/series 2026-01-06 09:06:41.000000000
+0100
@@ -4,3 +4,5 @@
# no_need_to_depend_from_git.patch
disable-flaky-tests.patch
remove_git_from_doxygen.patch
+CVE-2025-69194.patch
+CVE-2025-69195.patch
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 13.4
This update has been released as part of Debian 13.4.
--- End Message ---