Your message dated Sat, 11 Jul 2026 10:42:31 +0000
with message-id <[email protected]>
and subject line Released in 12.15
has caused the Debian Bug report #1138693,
regarding bookworm-pu: package python-filelock/3.9.0-1+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1138693: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138693
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:python-filelock
User: [email protected]
Usertags: pu

[ Reason ]
Fix TOCTOU race condition vulnerabilities in filelock:
CVE-2025-68146 and CVE-2026-22701.

[ Impact ]
Local attackers may exploit a race condition when
creating lock files.

[ Tests ]
The vulnerable code paths were tested with the proposed
patches applied.

[ Risks ]
The changes are limited to lock file creation logic and
backport upstream fixes. The risk is low.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Import and backport upstream patches for CVE-2025-68146
and CVE-2026-22701.

[ Other info ]
@satta has reviewed this backport and will sponsor it.
diff -Nru python-filelock-3.9.0/debian/changelog 
python-filelock-3.9.0/debian/changelog
--- python-filelock-3.9.0/debian/changelog      2023-01-02 11:17:19.000000000 
+0000
+++ python-filelock-3.9.0/debian/changelog      2026-06-02 03:24:53.000000000 
+0000
@@ -1,3 +1,14 @@
+python-filelock (3.9.0-1+deb12u1) bookworm; urgency=medium
+
+  * Team upload.
+  * d/patches: (Closes: #1123510, #1125190)
+    - CVE-2025-68146: Import and backport upstream patch
+      (A TOCTOU race condition allows local attackers)
+    - CVE-2026-22701: Import and backport upstream patch
+      (A TOCTOU race condition allows local attackers)
+
+ -- Matheus Polkorny <[email protected]>  Tue, 02 Jun 2026 00:24:53 -0300
+
 python-filelock (3.9.0-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru python-filelock-3.9.0/debian/patches/CVE-2025-68146.patch 
python-filelock-3.9.0/debian/patches/CVE-2025-68146.patch
--- python-filelock-3.9.0/debian/patches/CVE-2025-68146.patch   1970-01-01 
00:00:00.000000000 +0000
+++ python-filelock-3.9.0/debian/patches/CVE-2025-68146.patch   2026-06-02 
03:23:07.000000000 +0000
@@ -0,0 +1,83 @@
+From: Bernát Gábor <[email protected]>
+Date: Mon, 15 Dec 2025 15:52:12 -0800
+Subject: Fix TOCTOU symlink vulnerability in lock file creation (#461)
+
+Origin: upstream, 
https://github.com/tox-dev/filelock/commit/4724d7f8c3393ec1f048c93933e6e3e6ec321f0e
+
+Changes:
+- Refresh patch context
+- Update hunk's offset
+---
+ src/filelock/_unix.py    |  2 +-
+ src/filelock/_windows.py | 38 ++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 39 insertions(+), 1 deletion(-)
+
+diff --git a/src/filelock/_unix.py b/src/filelock/_unix.py
+index 03b612c..00dfa1b 100644
+--- a/src/filelock/_unix.py
++++ b/src/filelock/_unix.py
+@@ -31,7 +31,7 @@ else:  # pragma: win32 no cover
+         """Uses the :func:`fcntl.flock` to hard lock the lock file on unix 
systems."""
+ 
+         def _acquire(self) -> None:
+-            open_mode = os.O_RDWR | os.O_CREAT | os.O_TRUNC
++            open_mode = os.O_RDWR | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
+             fd = os.open(self._lock_file, open_mode)
+             try:
+                 fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
+diff --git a/src/filelock/_windows.py b/src/filelock/_windows.py
+index 60e68cb..f7df863 100644
+--- a/src/filelock/_windows.py
++++ b/src/filelock/_windows.py
+@@ -9,13 +9,51 @@ from ._api import BaseFileLock
+ from ._util import raise_on_exist_ro_file
+ 
+ if sys.platform == "win32":  # pragma: win32 cover
++    import ctypes
+     import msvcrt
++    from ctypes import wintypes
++
++    # Windows API constants for reparse point detection
++    FILE_ATTRIBUTE_REPARSE_POINT = 0x00000400
++    INVALID_FILE_ATTRIBUTES = 0xFFFFFFFF
++
++    # Load kernel32.dll
++    _kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
++    _kernel32.GetFileAttributesW.argtypes = [wintypes.LPCWSTR]
++    _kernel32.GetFileAttributesW.restype = wintypes.DWORD
++
++    def _is_reparse_point(path: str) -> bool:
++        """
++        Check if a path is a reparse point (symlink, junction, etc.) on 
Windows.
++
++        :param path: Path to check
++        :return: True if path is a reparse point, False otherwise
++        :raises OSError: If GetFileAttributesW fails for reasons other than 
file-not-found
++        """
++        attrs = _kernel32.GetFileAttributesW(path)
++        if attrs == INVALID_FILE_ATTRIBUTES:
++            # File doesn't exist yet - that's fine, we'll create it
++            err = ctypes.get_last_error()
++            if err == 2:  # noqa: PLR2004  # ERROR_FILE_NOT_FOUND
++                return False
++            if err == 3:  # noqa: PLR2004 # ERROR_PATH_NOT_FOUND
++                return False
++            # Some other error - let caller handle it
++            return False
++        return bool(attrs & FILE_ATTRIBUTE_REPARSE_POINT)
+ 
+     class WindowsFileLock(BaseFileLock):
+         """Uses the :func:`msvcrt.locking` function to hard lock the lock 
file on windows systems."""
+ 
+         def _acquire(self) -> None:
+             raise_on_exist_ro_file(self._lock_file)
++
++            # Security check: Refuse to open reparse points (symlinks, 
junctions)
++            # This prevents TOCTOU symlink attacks (CVE-TBD)
++            if _is_reparse_point(self.lock_file):
++                msg = f"Lock file is a reparse point (symlink/junction): 
{self.lock_file}"
++                raise OSError(msg)
++
+             mode = (
+                 os.O_RDWR  # open for read and write
+                 | os.O_CREAT  # create file if not exists
diff -Nru python-filelock-3.9.0/debian/patches/CVE-2026-22701.patch 
python-filelock-3.9.0/debian/patches/CVE-2026-22701.patch
--- python-filelock-3.9.0/debian/patches/CVE-2026-22701.patch   1970-01-01 
00:00:00.000000000 +0000
+++ python-filelock-3.9.0/debian/patches/CVE-2026-22701.patch   2026-06-02 
03:24:53.000000000 +0000
@@ -0,0 +1,30 @@
+From: Bernát Gábor <[email protected]>
+Date: Fri, 9 Jan 2026 09:53:50 -0800
+Subject: Fix TOCTOU symlink vulnerability in SoftFileLock (#465)
+
+Co-authored-by: Claude <[email protected]>
+
+Origin: upstream, 
https://github.com/tox-dev/filelock/commit/41b42dd2c72aecf7da83dbda5903b8087dddc4d5
+
+Changes:
+- Refresh patch context
+- Use "mode" instead of "flags" as used in this version
+- Drop docs/index.rst
+---
+ src/filelock/_soft.py | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/filelock/_soft.py b/src/filelock/_soft.py
+index cb09799..f6632f8 100644
+--- a/src/filelock/_soft.py
++++ b/src/filelock/_soft.py
+@@ -20,6 +20,9 @@ class SoftFileLock(BaseFileLock):
+             | os.O_EXCL  # together with above raise EEXIST if the file 
specified by filename exists
+             | os.O_TRUNC  # truncate the file to zero byte
+         )
++        o_nofollow = getattr(os, "O_NOFOLLOW", None)
++        if o_nofollow is not None:
++            mode |= o_nofollow
+         try:
+             fd = os.open(self._lock_file, mode)
+         except OSError as exception:
diff -Nru python-filelock-3.9.0/debian/patches/series 
python-filelock-3.9.0/debian/patches/series
--- python-filelock-3.9.0/debian/patches/series 1970-01-01 00:00:00.000000000 
+0000
+++ python-filelock-3.9.0/debian/patches/series 2026-06-02 03:23:32.000000000 
+0000
@@ -0,0 +1,2 @@
+CVE-2025-68146.patch
+CVE-2026-22701.patch

--- End Message ---
--- Begin Message ---
Version: 12.15

This update was released as part of 12.15.

--- End Message ---

Reply via email to