Version in base suite: 2.2.0+ds-1
Base version: wget2_2.2.0+ds-1
Target version: wget2_2.2.0+ds-1+deb13u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/w/wget2/wget2_2.2.0+ds-1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/w/wget2/wget2_2.2.0+ds-1+deb13u1.dsc
changelog | 7 +++
patches/CVE-2025-69194.patch | 98 +++++++++++++++++++++++++++++++++++++++++++
patches/CVE-2025-69195.patch | 18 +++++++
patches/series | 2
4 files changed, 125 insertions(+)
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpbhjdtsb8/wget2_2.2.0+ds-1.dsc: no acceptable signature found
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpbhjdtsb8/wget2_2.2.0+ds-1+deb13u1.dsc: no acceptable signature found
diff -Nru wget2-2.2.0+ds/debian/changelog wget2-2.2.0+ds/debian/changelog
--- wget2-2.2.0+ds/debian/changelog 2025-03-04 07:03:02.000000000 +0000
+++ wget2-2.2.0+ds/debian/changelog 2026-01-18 18:55:34.000000000 +0000
@@ -1,3 +1,10 @@
+wget2 (2.2.0+ds-1+deb13u1) trixie; urgency=medium
+
+ * CVE-2025-69194 (Closes: #1124378)
+ * CVE-2025-69195 (Closes: #1124377)
+
+ -- Moritz Mühlenhoff Sun, 18 Jan 2026 19:56:28 +0100
+
 wget2 (2.2.0+ds-1) unstable; urgency=medium
  * Team upload to unstable (salsa debian group).
diff -Nru wget2-2.2.0+ds/debian/patches/CVE-2025-69194.patch wget2-2.2.0+ds/debian/patches/CVE-2025-69194.patch
--- wget2-2.2.0+ds/debian/patches/CVE-2025-69194.patch 1970-01-01 00:00:00.000000000 +0000
+++ wget2-2.2.0+ds/debian/patches/CVE-2025-69194.patch 2026-01-06 08:06:22.000000000 +0000
@@ -0,0 +1,98 @@
+From 684be4785280fbe6b8666080bbdd87e7e5299ac5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim=20R=C3=BChsen?=
+Date: Fri, 26 Dec 2025 19:03:35 +0100
+Subject: [PATCH] Fix file overwrite issue with metalink
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+--- wget2-2.2.0+ds.orig/libwget/metalink.c
++++ wget2-2.2.0+ds/libwget/metalink.c
+@@ -169,6 +169,25 @@ static void add_mirror(metalink_context
+ ctx->priority = 999999;
+ }
+
++static const char *sanitized_filename(const char *in)
++{
++ // RFC 5854:
++ // The path MUST NOT contain any directory traversal
++ // directives or information. The path MUST be relative. The path
++ // MUST NOT begin with a "/", "./", or "../"; contain "/../"; or end
++ // with "/..".
++ if (*in == '/'
++ || !strncmp(in, "./", 2)
++ || !strncmp(in, "../", 3)
++ || strstr(in, "/../")
++ || wget_match_tail(in, "/../"))
++ {
++ return NULL;
++ }
++
++ return wget_strdup(in);
++}
++
+ static void metalink_parse(void *context, int flags, const char *dir, const char *attr, const char *val, size_t len, size_t pos WGET_GCC_UNUSED)
+ {
+ metalink_context *ctx = context;
+@@ -194,7 +213,7 @@ static void metalink_parse(void *context
+ if (attr) {
+ if (*dir == 0) { // /metalink/file
+ if (!ctx->metalink->name && !wget_strcasecmp_ascii(attr, "name")) {
+- ctx->metalink->name = wget_strdup(value);
++ ctx->metalink->name = sanitized_filename(value);
+ }
+ } else if (!wget_strcasecmp_ascii(dir, "/verification/pieces")) {
+ if (!wget_strcasecmp_ascii(attr, "type")) {
+@@ -239,7 +258,7 @@ static void metalink_parse(void *context
+ if (attr) {
+ if (*dir == 0) { // /metalink/file
+ if (!ctx->metalink->name && !wget_strcasecmp_ascii(attr, "name")) {
+- ctx->metalink->name = wget_strdup(value);
++ ctx->metalink->name = sanitized_filename(value);
+ }
+ } else if (!wget_strcasecmp_ascii(dir, "/pieces")) {
+ if (!wget_strcasecmp_ascii(attr, "type")) {
+--- wget2-2.2.0+ds.orig/src/wget.c
++++ wget2-2.2.0+ds/src/wget.c
+@@ -2178,18 +2178,26 @@ static void process_response(wget_http_r
+ error_printf(_("File length %llu - remove job\n"), (unsigned long long)job->metalink->size);
+ } else if (!job->metalink->mirrors) {
+ error_printf(_("No download mirrors found - remove job\n"));
++ } else if (!job->metalink->name || !*job->metalink->name) {
++ error_printf(_("Metalink file name is invalid, missing or empty - remove job\n"));
+ } else {
+ // just loaded a metalink description, create parts and sort mirrors
+
+ // start or resume downloading
+ if (!job_validate_file(job)) {
+- // sort mirrors by priority to download from highest priority first
+- wget_metalink_sort_mirrors(job->metalink);
++ // Account for retries
++ if (config.tries && ++job->failures > config.tries) {
++ error_printf(_("Metalink validation failed: max tries reached - remove job\n"));
++ job->done = 1;
++ } else {
++ // sort mirrors by priority to download from highest priority first
++ wget_metalink_sort_mirrors(job->metalink);
+
+- // wake up sleeping workers
+- wget_thread_cond_signal(worker_cond);
++ // wake up sleeping workers
++ wget_thread_cond_signal(worker_cond);
+
+- job->done = 0; // do not remove this job from queue yet
++ job->done = 0; // do not remove this job from queue yet
++ }
+ } // else file already downloaded and checksum ok
+ }
+ return;
+@@ -3100,6 +3108,9 @@ void metalink_parse_localfile(const char
+ } else if (!metalink->mirrors) {
+ error_printf(_("No download mirrors found\n"));
+ wget_metalink_free(&metalink);
++ } else if (!metalink->name || !*metalink->name) {
++ error_printf(_("Metalink file name is missing or empty\n"));
++ wget_metalink_free(&metalink);
+ } else {
+ // create parts and sort mirrors
+ JOB job = { .metalink = metalink };
diff -Nru wget2-2.2.0+ds/debian/patches/CVE-2025-69195.patch wget2-2.2.0+ds/debian/patches/CVE-2025-69195.patch
--- wget2-2.2.0+ds/debian/patches/CVE-2025-69195.patch 1970-01-01 00:00:00.000000000 +0000
+++ 
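Review bot: The tail check in the new sanitized_filename() does not match the RFC 5854 text quoted right above it: the comment says a path must not end with "/..", but the code calls `wget_match_tail(in, "/../")`, so a name ending in `/..` without a trailing slash is not rejected here, and the preceding `strstr(in, "/../")` only catches the form that does have one. Changing the last condition to `|| wget_match_tail(in, "/..")` (keeping the `strstr` check) makes the code agree with the quoted rule. Separately, the replaced `wget_strdup(value)` tolerated a NULL argument, whereas sanitized_filename() dereferences `*in` before any check; how `value` is derived is not visible in this hunk, so if it can be NULL at either call site a guard at the top of the helper would preserve the old behaviour. The bodies of metalink_parse, process_response and metalink_parse_localfile all begin and end outside the visible context.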
wget2-2.2.0+ds/debian/patches/CVE-2025-69195.patch 2026-01-06 08:06:55.000000000 +0000
@@ -0,0 +1,18 @@
+From fc7fcbc00e0a2c8606d44ab216195afb3f08cc98 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim=20R=C3=BChsen?=
+Date: Fri, 26 Dec 2025 18:27:24 +0100
+Subject: [PATCH] Fix remote buffer overflow in get_local_filename_real()
+
+--- wget2-2.2.0+ds.orig/src/blacklist.c
++++ wget2-2.2.0+ds/src/blacklist.c
+@@ -135,8 +135,8 @@ static char * get_local_filename_real(co
+ char tmp[1024];
+
+ char *fname_esc = (sizeof(tmp) < buf.length * 3 + 1)
+- ? tmp
+- : wget_malloc(buf.length * 3 + 1);
++ ? wget_malloc(buf.length * 3 + 1)
++ : tmp;
+
+ if (wget_restrict_file_name(fname, fname_esc, config.restrict_file_names) != fname) {
+ // escaping was really done, replace fname
diff -Nru wget2-2.2.0+ds/debian/patches/series wget2-2.2.0+ds/debian/patches/series
--- wget2-2.2.0+ds/debian/patches/series 2025-03-03 11:24:45.000000000 +0000
+++ wget2-2.2.0+ds/debian/patches/series 2026-01-06 08:06:41.000000000 +0000
@@ -4,3 +4,5 @@
 # no_need_to_depend_from_git.patch
 disable-flaky-tests.patch
 remove_git_from_doxygen.patch
+CVE-2025-69194.patch
+CVE-2025-69195.patch
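Review bot: The corrected ternary in get_local_filename_real() now takes the heap branch when `buf.length * 3 + 1` exceeds `sizeof(tmp)`, but nothing at the declaration records why the size is `length * 3 + 1` or which branch is the fallback, which is exactly what let the two arms be swapped without notice; a comment above `char *fname_esc`, e.g. `// escaping may need up to 3 output bytes per input byte plus NUL; use the heap when tmp is too small`, would pin the invariant for the next reader. Whether the heap buffer is freed afterwards and whether `wget_malloc` can return NULL are decided outside this hunk, so I have not checked them. The body of get_local_filename_real continues beyond the hunk on both sides.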