pool/python-filelock
SHA256
17
0
Fork 3
Code Issues Pull Requests Activity

Compare commits

merge into: pool:factory
Branches Tags
pool:factory pool:slfo-main pool:slfo-1.2
...
pull from: pool:slfo-main
Branches Tags
pool:slfo-main pool:factory pool:slfo-1.2

2 Commits
factory ... slfo-main

Author SHA256 Message Date
nkrapp
f4c5858363 Add CVE-2026-22701.patch to fix CVE-2026-22701 (bsc#1256457) 2026-01-15 13:56:37 +01:00
nkrapp
c4a8737406 Add CVE-2025-68146.patch to fix CVE-2025-68146 (bsc#1255244) 2026-01-07 10:13:13 +01:00
4 changed files with 92 additions and 1 deletions
Expand all files Collapse all files

14
CVE-2025-68146.patch Normal file
View File

@@ -0,0 +1,14 @@
Index: filelock-3.18.0/src/filelock/_unix.py
===================================================================
--- filelock-3.18.0.orig/src/filelock/_unix.py
+++ filelock-3.18.0/src/filelock/_unix.py
@@ -39,6 +39,9 @@ else: # pragma: win32 no cover
def _acquire(self) -> None:
ensure_directory_exists(self.lock_file)
open_flags = os.O_RDWR | os.O_TRUNC
+ o_nofollow = getattr(os, "O_NOFOLLOW", None)
+ if o_nofollow is not None:
+ open_flags |= o_nofollow
if not Path(self.lock_file).exists():
open_flags |= os.O_CREAT
fd = os.open(self.lock_file, open_flags, self._context.mode)

63
CVE-2026-22701.patch Normal file
View File

@@ -0,0 +1,63 @@
From 255ed068bc85d1ef406e50a135e1459170dd1bf0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bern=C3=A1t=20G=C3=A1bor?= <bgabor8@bloomberg.net>
Date: Fri, 9 Jan 2026 09:23:12 -0800
Subject: [PATCH] Fix TOCTOU symlink vulnerability in SoftFileLock
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Add O_NOFOLLOW flag to prevent symlink attacks. The vulnerability existed
between the permission check and the actual file creation, allowing an
attacker to create a symlink at the lock path.
How the fix prevents the attack:
1. raise_on_not_writable_file() validates permissions (doesn't follow symlinks)
2. RACE WINDOW: attacker creates symlink to target file
3. os.open() with O_NOFOLLOW refuses to follow the symlink
4. Attack is prevented - the symlink won't help attacker
Changes:
- Add conditional O_NOFOLLOW flag (like UnixFileLock does in commit 5088854)
- Gracefully degrade on platforms without O_NOFOLLOW (e.g., GraalPy)
- No behavioral changes to existing code
Security improvement:
- Platforms with O_NOFOLLOW: ✅ Symlink attacks completely prevented
- Platforms without O_NOFOLLOW: ⚠️ TOCTOU window remains but documented
The pre-check (raise_on_not_writable_file) is safe from TOCTOU itself because
it only reads metadata. The attack only works if a symlink is followed by a
write operation. By preventing symlink following in os.open() with O_NOFOLLOW,
the attack is blocked even if the symlink is created during the race window.
Reported by George Tsigourakos (@tsigouris007)
🤖 Generated with Claude Code
Co-Authored-By: Claude <noreply@anthropic.com>
---
docs/index.rst | 16 ++++++++++++++++
src/filelock/_soft.py | 4 +++-
2 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/src/filelock/_soft.py b/src/filelock/_soft.py
index 28c67f74..93709c5c 100644
--- a/src/filelock/_soft.py
+++ b/src/filelock/_soft.py
@@ -16,13 +16,15 @@ class SoftFileLock(BaseFileLock):
def _acquire(self) -> None:
raise_on_not_writable_file(self.lock_file)
ensure_directory_exists(self.lock_file)
- # first check for exists and read-only mode as the open will mask this case as EEXIST
flags = (
os.O_WRONLY # open for writing only
| os.O_CREAT
| os.O_EXCL # together with above raise EEXIST if the file specified by filename exists
| os.O_TRUNC # truncate the file to zero byte
)
+ o_nofollow = getattr(os, "O_NOFOLLOW", None)
+ if o_nofollow is not None:
+ flags |= o_nofollow
try:
file_handler = os.open(self.lock_file, flags, self._context.mode)
except OSError as exception: # re-raise unless expected exception

10
python-filelock.changes
View File

@@ -1,3 +1,13 @@
-------------------------------------------------------------------
Wed Jan 14 13:09:53 UTC 2026 - Nico Krapp <nico.krapp@suse.com>
- Add CVE-2026-22701.patch to fix CVE-2026-22701 (bsc#1256457)
-------------------------------------------------------------------
Wed Jan 7 09:12:08 UTC 2026 - Nico Krapp <nico.krapp@suse.com>
- Add CVE-2025-68146.patch to fix CVE-2025-68146 (bsc#1255244)
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Mar 19 07:44:21 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com> Wed Mar 19 07:44:21 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>

6
python-filelock.spec
View File

@@ -33,6 +33,10 @@ Summary: Platform Independent File Lock in Python
License: Unlicense License: Unlicense
URL: https://github.com/tox-dev/py-filelock URL: https://github.com/tox-dev/py-filelock
Source: https://files.pythonhosted.org/packages/source/f/filelock/filelock-%{version}.tar.gz Source: https://files.pythonhosted.org/packages/source/f/filelock/filelock-%{version}.tar.gz
# PATCH-FIX-UPSTREAM CVE-2025-68146.patch bsc#1255244 (gh#tox-dev/filelock/pulls/461, gh#tox-dev/filelock/pulls/463)
Patch0: CVE-2025-68146.patch
# PATCH-FIX-UPSTREAM CVE-2026-22701.patch bsc#1256457 (gh#tox-dev/filelock/pulls/465)
Patch1: CVE-2026-22701.patch
BuildRequires: %{python_module asyncio} BuildRequires: %{python_module asyncio}
BuildRequires: %{python_module hatch_vcs} BuildRequires: %{python_module hatch_vcs}
BuildRequires: %{python_module hatchling} BuildRequires: %{python_module hatchling}
@@ -59,7 +63,7 @@ independent file lock in Python, which provides a simple way of
inter-process communication. inter-process communication.
%prep %prep
%setup -q -n filelock-%{version} %autosetup -p1 -n filelock-%{version}
%build %build
%pyproject_wheel %pyproject_wheel