Package: release.debian.org Severity: normal Tags: bookworm X-Debbugs-Cc: [email protected] Control: affects -1 + src:python-filelock User: [email protected] Usertags: pu
[ Reason ] Fix TOCTOU race condition vulnerabilities in filelock: CVE-2025-68146 and CVE-2026-22701. [ Impact ] A local attacker can exploit a symlink-following (TOCTOU) race condition when the lock file is created. [ Tests ] The vulnerable code paths were tested with the proposed patches applied. [ Risks ] The changes are limited to lock file creation logic and backport upstream fixes. The risk is low. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable [ Changes ] Import and backport upstream patches for CVE-2025-68146 and CVE-2026-22701. [ Other info ] @satta has reviewed this backport and will sponsor it.
diff -Nru python-filelock-3.9.0/debian/changelog python-filelock-3.9.0/debian/changelog
--- python-filelock-3.9.0/debian/changelog 2023-01-02 11:17:19.000000000 +0000
+++ python-filelock-3.9.0/debian/changelog 2026-06-02 03:24:53.000000000 +0000
@@ -1,3 +1,14 @@
+python-filelock (3.9.0-1+deb12u1) bookworm; urgency=medium
+
+ * Team upload.
+ * d/patches: (Closes: #1123510, #1125190)
+ - CVE-2025-68146: Import and backport upstream patch
+ (A TOCTOU race condition allows local attackers)
+ - CVE-2026-22701: Import and backport upstream patch
+ (A TOCTOU race condition allows local attackers)
+
+ -- Matheus Polkorny <[email protected]> Tue, 02 Jun 2026 00:24:53 -0300
+
 python-filelock (3.9.0-1) unstable; urgency=medium
 
 * New upstream release.
diff -Nru python-filelock-3.9.0/debian/patches/CVE-2025-68146.patch python-filelock-3.9.0/debian/patches/CVE-2025-68146.patch
--- python-filelock-3.9.0/debian/patches/CVE-2025-68146.patch 1970-01-01 00:00:00.000000000 +0000
+++ python-filelock-3.9.0/debian/patches/CVE-2025-68146.patch 2026-06-02 03:23:07.000000000 +0000
@@ -0,0 +1,83 @@
+From: Bernát Gábor <[email protected]>
+Date: Mon, 15 Dec 2025 15:52:12 -0800
+Subject: Fix TOCTOU symlink vulnerability in lock file creation (#461)
+
+Origin: upstream, https://github.com/tox-dev/filelock/commit/4724d7f8c3393ec1f048c93933e6e3e6ec321f0e
+
+Changes:
+- Refresh patch context
+- Update hunk's offset
+---
+ src/filelock/_unix.py | 2 +-
+ src/filelock/_windows.py | 38 ++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 39 insertions(+), 1 deletion(-)
+
+diff --git a/src/filelock/_unix.py b/src/filelock/_unix.py
+index 03b612c..00dfa1b 100644
+--- a/src/filelock/_unix.py
++++ b/src/filelock/_unix.py
+@@ -31,7 +31,7 @@ else: # pragma: win32 no cover
+ """Uses the :func:`fcntl.flock` to hard lock the lock file on unix systems."""
+
+ def _acquire(self) -> None:
+- open_mode = os.O_RDWR | os.O_CREAT | os.O_TRUNC
++ open_mode = os.O_RDWR | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
+ fd = os.open(self._lock_file, open_mode)
+ try:
+ fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
+diff --git a/src/filelock/_windows.py b/src/filelock/_windows.py
+index 60e68cb..f7df863 100644
+--- a/src/filelock/_windows.py
++++ b/src/filelock/_windows.py
+@@ -9,13 +9,51 @@ from ._api import BaseFileLock
+ from ._util import raise_on_exist_ro_file
+
+ if sys.platform == "win32": # pragma: win32 cover
++ import ctypes
+ import msvcrt
++ from ctypes import wintypes
++
++ # Windows API constants for reparse point detection
++ FILE_ATTRIBUTE_REPARSE_POINT = 0x00000400
++ INVALID_FILE_ATTRIBUTES = 0xFFFFFFFF
++
++ # Load kernel32.dll
++ _kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
++ _kernel32.GetFileAttributesW.argtypes = [wintypes.LPCWSTR]
++ _kernel32.GetFileAttributesW.restype = wintypes.DWORD
++
++ def _is_reparse_point(path: str) -> bool:
++ """
++ Check if a path is a reparse point (symlink, junction, etc.) on Windows.
++
++ :param path: Path to check
++ :return: True if path is a reparse point, False otherwise
++ :raises OSError: If GetFileAttributesW fails for reasons other than file-not-found
++ """
++ attrs = _kernel32.GetFileAttributesW(path)
++ if attrs == INVALID_FILE_ATTRIBUTES:
++ # File doesn't exist yet - that's fine, we'll create it
++ err = ctypes.get_last_error()
++ if err == 2: # noqa: PLR2004 # ERROR_FILE_NOT_FOUND
++ return False
++ if err == 3: # noqa: PLR2004 # ERROR_PATH_NOT_FOUND
++ return False
++ # Some other error - let caller handle it
++ return False
++ return bool(attrs & FILE_ATTRIBUTE_REPARSE_POINT)
+
+ class WindowsFileLock(BaseFileLock):
+ """Uses the :func:`msvcrt.locking` function to hard lock the lock file on windows systems."""
+
+ def _acquire(self) -> None:
+ raise_on_exist_ro_file(self._lock_file)
++
++ # Security check: Refuse to open reparse points (symlinks, junctions)
++ # This prevents TOCTOU symlink attacks (CVE-TBD)
++ if _is_reparse_point(self.lock_file):
++ msg = f"Lock file is a reparse point (symlink/junction): {self.lock_file}"
++ raise OSError(msg)
++
+ mode = (
+ os.O_RDWR # open for read and write
+ | os.O_CREAT # create file if not exists
diff -Nru python-filelock-3.9.0/debian/patches/CVE-2026-22701.patch python-filelock-3.9.0/debian/patches/CVE-2026-22701.patch
--- python-filelock-3.9.0/debian/patches/CVE-2026-22701.patch 1970-01-01 00:00:00.000000000 +0000
+++ python-filelock-3.9.0/debian/patches/CVE-2026-22701.patch 2026-06-02 03:24:53.000000000 +0000
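Review bot: The `_is_reparse_point` docstring promises `:raises OSError:` for GetFileAttributesW failures other than file-not-found, but the body returns `False` on every error once the two not-found codes are excluded (the `# Some other error - let caller handle it` comment is immediately followed by `return False`), so an access-denied or sharing-violation result silently passes the security check and falls through to `os.open`. Either make the code match the docstring by replacing that final `return False` with `raise ctypes.WinError(err)`, or correct the docstring to say the function fails open on other errors. The attribute query and the later `os.open` are also not atomic, so this check narrows rather than closes the window that the `# This prevents TOCTOU symlink attacks (CVE-TBD)` comment claims to close; that comment could at least name CVE-2025-68146 now that the identifier exists. Both `_is_reparse_point` and `WindowsFileLock._acquire` sit under `if sys.platform == "win32"`, so none of this is exercised on a Debian build, and `_acquire` continues past the end of the hunk.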
@@ -0,0 +1,30 @@
+From: Bernát Gábor <[email protected]>
+Date: Fri, 9 Jan 2026 09:53:50 -0800
+Subject: Fix TOCTOU symlink vulnerability in SoftFileLock (#465)
+
+Co-authored-by: Claude <[email protected]>
+
+Origin: upstream, https://github.com/tox-dev/filelock/commit/41b42dd2c72aecf7da83dbda5903b8087dddc4d5
+
+Changes:
+- Refresh patch context
+- Use "mode" instead of "flags" as used in this version
+- Drop docs/index.rst
+---
+ src/filelock/_soft.py | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/filelock/_soft.py b/src/filelock/_soft.py
+index cb09799..f6632f8 100644
+--- a/src/filelock/_soft.py
++++ b/src/filelock/_soft.py
+@@ -20,6 +20,9 @@ class SoftFileLock(BaseFileLock):
+ | os.O_EXCL # together with above raise EEXIST if the file specified by filename exists
+ | os.O_TRUNC # truncate the file to zero byte
+ )
++ o_nofollow = getattr(os, "O_NOFOLLOW", None)
++ if o_nofollow is not None:
++ mode |= o_nofollow
+ try:
+ fd = os.open(self._lock_file, mode)
+ except OSError as exception:
diff -Nru python-filelock-3.9.0/debian/patches/series python-filelock-3.9.0/debian/patches/series
--- python-filelock-3.9.0/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ python-filelock-3.9.0/debian/patches/series 2026-06-02 03:24:53.000000000 +0000
@@ -0,0 +1,2 @@
+CVE-2025-68146.patch
+CVE-2026-22701.patch
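Review bot: With `O_NOFOLLOW` added to `mode`, a lock path whose final component is a symlink can now fail `os.open` with `ELOOP` rather than `EEXIST` on platforms that honour the flag, and the `except OSError as exception:` handler that decides which errno values mean "lock already held" lies just past the end of this hunk. If that handler treats every OSError like EEXIST, a symlinked lock path would make acquire() retry until timeout instead of raising, which is neither the old behaviour nor a clear error; confirm it re-raises for errno values other than EEXIST. A short comment above the new lines would help the next reader, e.g. `# O_NOFOLLOW: refuse to create the lock through a symlink at the lock path (CVE-2026-22701)`. The surrounding `_acquire` method starts and ends outside the hunk.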

