Bug 1227273 (CVE-2024-39303)

Summary: VUL-0: CVE-2024-39303: Weblate is a web based localization tool. Prior to version 5.6.2, Weblate didn't correctly validate filenames when restoring project backup. It may be possible to gain unauthorized access to files on the server using a crafted ...
Product: [openSUSE] openSUSE Tumbleweed
Reporter: SMASH SMASH <smash_bz>
Component: Security
Assignee: Markéta Machová <mmachova>
Status: IN_PROGRESS
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: mmachova, stoyan.manolov
Version: Current
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/412574/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description SMASH SMASH 2024-07-02 08:35:16 UTC
Weblate is a web based localization tool. Prior to version 5.6.2, Weblate didn't correctly validate filenames when restoring project backup. It may be possible to gain unauthorized access to files on the server using a crafted ZIP file. This issue has been addressed in Weblate 5.6.2. As a workaround, do not allow untrusted users to create projects.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-39303
https://www.cve.org/CVERecord?id=CVE-2024-39303
https://github.com/WeblateOrg/weblate/commit/b6a7eace155fa0feaf01b4ac36165a9c5e63bfdd
https://github.com/WeblateOrg/weblate/security/advisories/GHSA-jfgp-674x-6q4p
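The advisory text above describes a restore routine that trusted the member names stored in the backup ZIP. The following is an added example (not Weblate's code and not the fix in the linked commit) of the check such a routine needs: every member name is validated against the destination directory before anything is written, and one bad name rejects the whole archive. The function names, the `demo()` driver and the constructed archives are assumptions of this example.

```python
import io
import tempfile
import zipfile
from pathlib import Path, PureWindowsPath


def member_is_safe(dest: Path, name: str) -> bool:
    """True only if `name` is relative and resolves to a path inside `dest`."""
    if not name or name.startswith(("/", "\\")) or PureWindowsPath(name).drive:
        return False  # absolute name or drive/UNC prefix
    root = Path(dest).resolve()
    target = (root / name).resolve()  # collapses any ../ components
    return target == root or root in target.parents


def restore_backup(zip_bytes: bytes, dest: Path) -> list[str]:
    """Extract a backup, refusing the whole archive if any name is unsafe."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        if bad := [n for n in zf.namelist() if not member_is_safe(dest, n)]:
            raise ValueError(f"unsafe member names in backup: {bad}")
        for info in zf.infolist():
            if info.is_dir():
                continue  # parent directories are created on demand below
            target = Path(dest).resolve() / info.filename
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
        return [n for n in zf.namelist() if not n.endswith("/")]


def build_zip(entries: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()  # constructed archive; zipfile stores "../x" verbatim
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp, "restore")  # does not need to exist yet
        good = build_zip({"project/cs.po": b'msgid ""\n'})
        crafted = build_zip({"project/ok.po": b"", "../outside.txt": b"x"})
        restored = restore_backup(good, dest)
        try:
            restore_backup(crafted, dest)
            rejected = False
        except ValueError:
            rejected = True
        leaked = Path(tmp, "outside.txt").exists()
    return {"restored": restored, "rejected": rejected, "leaked": leaked}
```

Validating before extracting matters: checking names one at a time while writing would already have placed earlier members on disk when a later crafted name is found.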
Comment 1 Markéta Machová 2024-07-09 09:52:48 UTC
Hi all, there is no weblate in Leap 15.6. Yes, it used to be built for Leap, but it wasn't in the supported stack; it was only for in-house use. I think the "Product" field should be corrected to "openSUSE Tumbleweed", if possible.
Comment 2 Markéta Machová 2024-07-09 11:59:16 UTC
Update in progress in my home project.
Comment 3 Markéta Machová 2024-07-19 07:46:14 UTC
Sent to Factory: https://build.opensuse.org/request/show/1188419