Your message dated Sat, 10 Jan 2026 21:47:06 +0000
with message-id <[email protected]>
and subject line Bug#1123510: fixed in python-filelock 3.18.0-1+deb13u1
has caused the Debian Bug report #1123510,
regarding python-filelock: CVE-2025-68146
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1123510: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1123510
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-filelock
Version: 3.20.0-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/tox-dev/filelock/pull/461
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for python-filelock.
CVE-2025-68146[0]:
| filelock is a platform-independent file lock for Python. In versions
| prior to 3.20.1, a Time-of-Check-Time-of-Use (TOCTOU) race condition
| allows local attackers to corrupt or truncate arbitrary user files
| through symlink attacks. The vulnerability exists in both Unix and
| Windows lock file creation where filelock checks if a file exists
| before opening it with O_TRUNC. An attacker can create a symlink
| pointing to a victim file in the time gap between the check and
| open, causing os.open() to follow the symlink and truncate the
| target file. All users of filelock on Unix, Linux, macOS, and
| Windows systems are impacted. The vulnerability cascades to
| dependent libraries. The attack requires local filesystem access and
| ability to create symlinks (standard user permissions on Unix;
| Developer Mode on Windows 10+). Exploitation succeeds within 1-3
| attempts when lock file paths are predictable. The issue is fixed in
| version 3.20.1. If immediate upgrade is not possible, use
| SoftFileLock instead of UnixFileLock/WindowsFileLock (note:
| different locking semantics, may not be suitable for all use cases);
| ensure lock file directories have restrictive permissions (chmod
| 0700) to prevent untrusted users from creating symlinks; and/or
| monitor lock file directories for suspicious symlinks before running
| trusted applications. These workarounds provide only partial
| mitigation. The race condition remains exploitable. Upgrading to
| version 3.20.1 is strongly recommended.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-68146
https://www.cve.org/CVERecord?id=CVE-2025-68146
[1] https://github.com/tox-dev/filelock/pull/461
[2] https://github.com/tox-dev/filelock/security/advisories/GHSA-w853-jp5j-5j7f
[3] https://github.com/tox-dev/filelock/commit/4724d7f8c3393ec1f048c93933e6e3e6ec321f0e
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
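The check-then-open race the advisory describes, as an added example that is not filelock's code and not the upstream fix: the vulnerable pattern (exists() check, then open with O_TRUNC) beside a hardened variant that drops the check and O_TRUNC and opens with O_NOFOLLOW plus an fstat regular-file check. It assumes a POSIX system where os.O_NOFOLLOW is available; the victim file and symlink are constructed in a temporary directory.

```python
import errno
import os
import stat
import tempfile
from pathlib import Path


def open_lock_vulnerable(lock_path: str) -> int:
    """TOCTOU pattern from the advisory (illustrative, not upstream's code):
    exists() follows a symlink, so the later O_TRUNC open follows it too
    and truncates whatever the symlink points at."""
    flags = os.O_RDWR | os.O_TRUNC
    if not Path(lock_path).exists():
        flags |= os.O_CREAT
    return os.open(lock_path, flags, 0o644)


def open_lock_hardened(lock_path: str) -> int:
    """Hardened variant (this example's own): no pre-check, no O_TRUNC
    (lock file contents are irrelevant), O_NOFOLLOW so a symlink at
    lock_path fails with ELOOP, and fstat to confirm a regular file."""
    flags = os.O_RDWR | os.O_CREAT | os.O_NOFOLLOW | os.O_CLOEXEC
    fd = os.open(lock_path, flags, 0o644)
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise OSError(errno.EINVAL, "lock path is not a regular file")
    except Exception:
        os.close(fd)
        raise
    return fd


def probe_with_symlink(opener) -> tuple:
    """Run opener against a lock path that is a symlink to a constructed
    victim file. Returns (victim contents afterwards, refused_with_ELOOP)."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.txt")
        with open(victim, "w") as f:
            f.write("important data")  # constructed sample content
        lock = os.path.join(d, "app.lock")
        os.symlink(victim, lock)  # the precondition the advisory describes
        refused = False
        try:
            os.close(opener(lock))
        except OSError as e:
            refused = e.errno == errno.ELOOP
        with open(victim) as f:
            return f.read(), refused
```

probe_with_symlink(open_lock_vulnerable) returns an empty victim, while the hardened opener refuses the symlink with ELOOP and leaves the victim intact.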
--- Begin Message ---
Source: python-filelock
Source-Version: 3.18.0-1+deb13u1
Done: Sascha Steinbiss <[email protected]>
We believe that the bug you reported is fixed in the latest version of
python-filelock, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sascha Steinbiss <[email protected]> (supplier of updated python-filelock
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 07 Jan 2026 14:16:28 +0100
Source: python-filelock
Architecture: source
Version: 3.18.0-1+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Sascha Steinbiss <[email protected]>
Changed-By: Sascha Steinbiss <[email protected]>
Closes: 1123510
Changes:
python-filelock (3.18.0-1+deb13u1) trixie; urgency=medium
.
* Add patch: cve-2025-68146.patch
This addresses CVE-2025-68146 by including the patch from upstream.
(commit e84510eac948b5b6027b24025f421a650cbd9749)
Closes: #1123510
--- End Message ---