Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package weblate for openSUSE:Factory checked in at 2025-12-30 12:01:48 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/weblate (Old) and /work/SRC/openSUSE:Factory/.weblate.new.1928 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "weblate" Tue Dec 30 12:01:48 2025 rev:28 rq:1324753 version:5.14.3 Changes: --------
--- /work/SRC/openSUSE:Factory/weblate/weblate.changes 2025-11-12 21:15:39.389325649 +0100
+++ /work/SRC/openSUSE:Factory/.weblate.new.1928/weblate.changes 2025-12-30 12:02:18.093333726 +0100
@@ -1,0 +2,6 @@
+Mon Dec 29 16:11:28 UTC 2025 - Markéta Machová <[email protected]>
+
+- Add upstream patches CVE-2025-68398_1.patch and CVE-2025-68398_2.patch
+ to fix bsc#1255374
+
+-------------------------------------------------------------------
New: ---- CVE-2025-68398_1.patch CVE-2025-68398_2.patch ----------(New B)---------- New: - Add upstream patches CVE-2025-68398_1.patch and CVE-2025-68398_2.patch to fix bsc#1255374 New: - Add upstream patches CVE-2025-68398_1.patch and CVE-2025-68398_2.patch to fix bsc#1255374 ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------
++++++ weblate.spec ++++++
--- /var/tmp/diff_new_pack.sn6mBJ/_old 2025-12-30 12:02:19.269382019 +0100
+++ /var/tmp/diff_new_pack.sn6mBJ/_new 2025-12-30 12:02:19.273382183 +0100
@@ -21,6 +21,7 @@
 %define WLETCDIR %{_sysconfdir}/weblate
 %define _name Weblate
 Name: weblate
+# version 5.14.3 is the last to support Python 3.11
 Version: 5.14.3
 Release: 0
 Summary: Web-based translation tool
@@ -37,6 +38,10 @@
 Patch: skip-test_ocr.patch
 # PATCH-FIX-UPSTREAM https://github.com/WeblateOrg/weblate/pull/16891 fix: make add_site_url filter more robust
 Patch: site-url.patch
+# PATCH-FIX-UPSTREAM https://github.com/WeblateOrg/weblate/pull/17330 fix(validators): reject certain paths from being used
+Patch: CVE-2025-68398_1.patch
+# PATCH-FIX-UPSTREAM https://github.com/WeblateOrg/weblate/pull/17345 fix(vcs): use GIT_SSH_COMMAND to override ssh command
+Patch: CVE-2025-68398_2.patch
 BuildRequires: bitstream-vera
 BuildRequires: borgbackup >= 1.4.0
 BuildRequires: fdupes
++++++ CVE-2025-68398_1.patch ++++++
>From 4837a4154390f7c1d03c0e398aa6439dcfa361b4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?= <[email protected]>
Date: Tue, 16 Dec 2025 08:25:17 +0100
Subject: [PATCH] fix(validators): reject certain paths from being used
Restrict based on the translation-finder blacklist which covers files we do not want to touch.
---
 weblate/trans/backups.py | 2 +-
 weblate/utils/files.py | 2 +-
 weblate/utils/tests/test_validators.py | 10 ++++++++++
 weblate/utils/validators.py | 5 ++++-
 4 files changed, 16 insertions(+), 3 deletions(-)
Index: weblate-weblate-5.14.3/weblate/trans/backups.py
===================================================================
--- weblate-weblate-5.14.3.orig/weblate/trans/backups.py
+++ weblate-weblate-5.14.3/weblate/trans/backups.py
@@ -525,7 +525,7 @@ class ProjectBackup:
 self.load_memory(zipfile)
 self.load_components(zipfile)
 for name in zipfile.namelist():
- validate_filename(name)
+ validate_filename(name, check_prohibited=False)
 def restore_unit(
 self,
Index: weblate-weblate-5.14.3/weblate/utils/files.py
===================================================================
--- weblate-weblate-5.14.3.orig/weblate/utils/files.py
+++ weblate-weblate-5.14.3/weblate/utils/files.py
@@ -90,7 +90,7 @@ def should_skip(location):
 )
-def is_excluded(path):
+def is_excluded(path: str) -> bool:
 """Whether path should be excluded from zip extraction."""
 return any(exclude in f"/{path}/" for exclude in PATH_EXCLUDES) or ".." in path
Index: weblate-weblate-5.14.3/weblate/utils/tests/test_validators.py
===================================================================
--- weblate-weblate-5.14.3.orig/weblate/utils/tests/test_validators.py
+++ weblate-weblate-5.14.3/weblate/utils/tests/test_validators.py
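Review bot: Passing `check_prohibited=False` for every archive member switches the new prohibited-folder rejection off on the restore path, so whether VCS-metadata entries are still kept out of the restored project depends on the extraction code applying `is_excluded` itself, which is not visible in this hunk. A comment stating that assumption next to the call would make the intent reviewable, e.g. `# Prohibited folders are skipped by the extractor; only reject traversal and malformed names here.` — confirm against the extraction code before adding it. The enclosing method starts before the hunk.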
@@ -106,6 +106,16 @@ class FilenameTest(SimpleTestCase):
 def test_empty(self) -> None:
 validate_filename("")
+ def test_prohibited(self) -> None:
+ with self.assertRaises(ValidationError):
+ validate_filename(".git/config")
+ validate_filename(".git/config", check_prohibited=False)
+
+ def test_prohibited_subdir(self) -> None:
+ with self.assertRaises(ValidationError):
+ validate_filename("path/.git/config")
+ validate_filename("path/.git/config", check_prohibited=False)
+
 class RegexTest(SimpleTestCase):
 def test_empty(self) -> None:
Index: weblate-weblate-5.14.3/weblate/utils/validators.py
===================================================================
--- weblate-weblate-5.14.3.orig/weblate/utils/validators.py
+++ weblate-weblate-5.14.3/weblate/utils/validators.py
@@ -26,6 +26,7 @@ from django.utils.translation import get
 from weblate.trans.util import cleanup_path
 from weblate.utils.data import data_dir
+from weblate.utils.files import is_excluded
 USERNAME_MATCHER = re.compile(r"^[\w@+-][\w.@+-]*$")
@@ -214,7 +215,7 @@ def validate_plural_formula(value) -> No
 ) from error
-def validate_filename(value) -> None:
+def validate_filename(value: str, *, check_prohibited: bool = True) -> None:
 if "../" in value or "..\\" in value:
 raise ValidationError(
 gettext("The filename can not contain reference to a parent directory.")
@@ -230,6 +231,8 @@ def validate_filename(value) -> None:
 "Maybe you want to use: {}"
 ).format(cleaned)
 )
+ if check_prohibited and is_excluded(cleaned):
+ raise ValidationError(gettext("The filename contains a prohibited folder."))
 def validate_backup_path(value: str) -> None:
++++++ CVE-2025-68398_2.patch ++++++
>From dd8c9d7b00eebe28770fa0e2cd96126791765ea7 Mon Sep 17 00:00:00 2001
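Review bot: In the last hunk of validators.py, `is_excluded(cleaned)` is a substring match of slash-delimited `PATH_EXCLUDES` entries against `/{cleaned}/`, so it is only as strict as the normalisation `cleanup_path` (outside the hunk) applies first: the first check in this function already treats `..\` as a separator, but a name whose folder components are separated by backslashes would presumably not match a slash-delimited entry. If `cleanup_path` does not fold separators, normalise before the check, `if check_prohibited and is_excluded(cleaned.replace("\\", "/")):`. The new keyword also deserves a docstring, since the function has none visible, e.g. `"""Validate a relative filename; with check_prohibited, also reject folders listed in PATH_EXCLUDES."""`. The body of `validate_filename` continues outside the hunk.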
From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?= <[email protected]>
Date: Wed, 17 Dec 2025 08:48:29 +0100
Subject: [PATCH] fix(vcs): use GIT_SSH_COMMAND to override ssh command
This has priority over GIT_SSH and the configuration, so is better alternative for us, we don't want outside GIT_SSH_COMMAND or configuration to override Weblate behavior.
---
 weblate/vcs/base.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/weblate/vcs/base.py b/weblate/vcs/base.py
index f0fd60d462d5..edd54c113b6d 100644
--- a/weblate/vcs/base.py
+++ b/weblate/vcs/base.py
@@ -190,7 +190,7 @@ def _getenv(environment: dict[str, str] | None = None) -> dict[str, str]:
 # Avoid Git traversing outside the data dir
 "GIT_CEILING_DIRECTORIES": data_path("vcs").as_posix(),
 # Use ssh wrapper
- "GIT_SSH": SSH_WRAPPER.filename.as_posix(),
+ "GIT_SSH_COMMAND": SSH_WRAPPER.filename.as_posix(),
 "SVN_SSH": SSH_WRAPPER.filename.as_posix(),
 }
 if environment:
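Review bot: `GIT_SSH_COMMAND` is interpreted by a shell, whereas `GIT_SSH` named an executable that git invoked directly, so the unquoted `SSH_WRAPPER.filename.as_posix()` is split or misparsed if the data directory path contains spaces or shell metacharacters. Quote it, `"GIT_SSH_COMMAND": shlex.quote(SSH_WRAPPER.filename.as_posix()),`, with `import shlex` added to the module imports outside the hunk. The comment above the line could also record why this variable was chosen, e.g. `# GIT_SSH_COMMAND takes precedence over GIT_SSH and core.sshCommand, so repository or user configuration cannot substitute another ssh program`. `_getenv` starts before the hunk and continues after it.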
