Add CVE-2026-22701.patch to fix CVE-2026-22701 (bsc#1256457)

Add CVE-2025-68146.patch to fix CVE-2025-68146 (bsc#1255244)
2026-01-15 13:56:37 +01:00 · 2026-01-07 10:13:13 +01:00
6 changed files with 90 additions and 37 deletions
--- a/CVE-2025-68146.patch
+++ b/CVE-2025-68146.patch
@@ -0,0 +1,14 @@
 Index: filelock-3.18.0/src/filelock/_unix.py
 ===================================================================
 --- filelock-3.18.0.orig/src/filelock/_unix.py
 +++ filelock-3.18.0/src/filelock/_unix.py
@@ -39,6 +39,9 @@ else:  # pragma: win32 no cover
         def _acquire(self) -> None:
             ensure_directory_exists(self.lock_file)
             open_flags = os.O_RDWR | os.O_TRUNC
 +            o_nofollow = getattr(os, "O_NOFOLLOW", None)
 +            if o_nofollow is not None:
 +                open_flags |= o_nofollow
             if not Path(self.lock_file).exists():
                 open_flags |= os.O_CREAT
             fd = os.open(self.lock_file, open_flags, self._context.mode)
--- a/CVE-2026-22701.patch
+++ b/CVE-2026-22701.patch
@@ -0,0 +1,63 @@
 From 255ed068bc85d1ef406e50a135e1459170dd1bf0 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Bern=C3=A1t=20G=C3=A1bor?= <bgabor8@bloomberg.net>
 Date: Fri, 9 Jan 2026 09:23:12 -0800
 Subject: [PATCH] Fix TOCTOU symlink vulnerability in SoftFileLock
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 Add O_NOFOLLOW flag to prevent symlink attacks. The vulnerability existed
 between the permission check and the actual file creation, allowing an
 attacker to create a symlink at the lock path.
 How the fix prevents the attack:
 1. raise_on_not_writable_file() validates permissions (doesn't follow symlinks)
 2. RACE WINDOW: attacker creates symlink to target file
 3. os.open() with O_NOFOLLOW refuses to follow the symlink
 4. Attack is prevented - the symlink won't help attacker
 Changes:
 - Add conditional O_NOFOLLOW flag (like UnixFileLock does in commit 5088854)
 - Gracefully degrade on platforms without O_NOFOLLOW (e.g., GraalPy)
 - No behavioral changes to existing code
 Security improvement:
 - Platforms with O_NOFOLLOW: ✅ Symlink attacks completely prevented
 - Platforms without O_NOFOLLOW: ⚠️ TOCTOU window remains but documented
 The pre-check (raise_on_not_writable_file) is safe from TOCTOU itself because
 it only reads metadata. The attack only works if a symlink is followed by a
 write operation. By preventing symlink following in os.open() with O_NOFOLLOW,
 the attack is blocked even if the symlink is created during the race window.
 Reported by George Tsigourakos (@tsigouris007)
 🤖 Generated with Claude Code
 Co-Authored-By: Claude <noreply@anthropic.com>
 ---
 docs/index.rst        | 16 ++++++++++++++++
 src/filelock/_soft.py |  4 +++-
 2 files changed, 19 insertions(+), 1 deletion(-)
 diff --git a/src/filelock/_soft.py b/src/filelock/_soft.py
 index 28c67f74..93709c5c 100644
 --- a/src/filelock/_soft.py
 +++ b/src/filelock/_soft.py
@@ -16,13 +16,15 @@ class SoftFileLock(BaseFileLock):
     def _acquire(self) -> None:
         raise_on_not_writable_file(self.lock_file)
         ensure_directory_exists(self.lock_file)
 -        # first check for exists and read-only mode as the open will mask this case as EEXIST
         flags = (
             os.O_WRONLY  # open for writing only
             | os.O_CREAT
             | os.O_EXCL  # together with above raise EEXIST if the file specified by filename exists
             | os.O_TRUNC  # truncate the file to zero byte
         )
 +        o_nofollow = getattr(os, "O_NOFOLLOW", None)
 +        if o_nofollow is not None:
 +            flags |= o_nofollow
         try:
             file_handler = os.open(self.lock_file, flags, self._context.mode)
         except OSError as exception:  # re-raise unless expected exception
--- a/filelock-3.18.0.tar.gz
+++ b/filelock-3.18.0.tar.gz
--- a/filelock-3.20.3.tar.gz
+++ b/filelock-3.20.3.tar.gz
@@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:18c57ee915c7ec61cff0ecf7f0f869936c7c30191bb0cf406f1341778d0834e1
 size 19485
--- a/python-filelock.changes
+++ b/python-filelock.changes
@@ -1,39 +1,12 @@
 -------------------------------------------------------------------
-Mon Jan 12 11:19:38 UTC 2026 - Nico Krapp <nico.krapp@suse.com>
+Wed Jan 14 13:09:53 UTC 2026 - Nico Krapp <nico.krapp@suse.com>
- Update to 3.20.3 (fixes CVE-2026-22701, bsc#1256457)
+- Add CVE-2026-22701.patch to fix CVE-2026-22701 (bsc#1256457)
  * Fix TOCTOU symlink vulnerability in SoftFileLock by @gaborbernat in #465
 -------------------------------------------------------------------
-Mon Jan  5 10:10:09 UTC 2026 - Nico Krapp <nico.krapp@suse.com>
+Wed Jan  7 09:12:08 UTC 2026 - Nico Krapp <nico.krapp@suse.com>
- Update to 3.20.2
+- Add CVE-2025-68146.patch to fix CVE-2025-68146 (bsc#1255244)
  * Support Unix systems without O_NOFOLLOW by @mwilliamson in #463
  * [pre-commit.ci] pre-commit autoupdate by @pre-commit-ci[bot] in #464
 - Update to 3.20.1 (fixes CVE-2025-68146, bsc#1255244)
  * CVE-2025-68146: Fix TOCTOU symlink vulnerability in lock file creation
    by @gaborbernat in #461
 -------------------------------------------------------------------
 Tue Oct 21 09:31:13 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
 - Update to 3.20.0
  * Add tox.toml to sdist
  * Update docs with example
  * Add 3.14 support and drop 3.9
 -------------------------------------------------------------------
 Wed Sep 17 01:56:39 UTC 2025 - Steve Kowalik <steven.kowalik@suse.com>
 - Add missing BuildRequires on pytest-timeout.
 -------------------------------------------------------------------
 Sun Sep 14 20:36:58 UTC 2025 - Dirk Müller <dmueller@suse.com>
 - update to 3.19.1:
  * add 3.14t (free threading) to matrix
 - update to 3.19.0:
  * Add support for 3.14
 -------------------------------------------------------------------
 Wed Mar 19 07:44:21 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
--- a/python-filelock.spec
+++ b/python-filelock.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package python-filelock
 #
-# Copyright (c) 2026 SUSE LLC and contributors
+# Copyright (c) 2025 SUSE LLC
 # Copyright (c) 2018 Matthias Fehring <buschmann23@opensuse.org>
 #
 # All modifications and additions to the file contributed by third parties
@@ -27,12 +27,16 @@
 %endif
 %{?sle15_python_module_pythons}
 Name:           python-filelock%{?pkg_suffix}
-Version:        3.20.3
+Version:        3.18.0
 Release:        0
 Summary:        Platform Independent File Lock in Python
 License:        Unlicense
 URL:            https://github.com/tox-dev/py-filelock
 Source:         https://files.pythonhosted.org/packages/source/f/filelock/filelock-%{version}.tar.gz
 # PATCH-FIX-UPSTREAM CVE-2025-68146.patch bsc#1255244 (gh#tox-dev/filelock/pulls/461, gh#tox-dev/filelock/pulls/463)
 Patch0:         CVE-2025-68146.patch
 # PATCH-FIX-UPSTREAM CVE-2026-22701.patch bsc#1256457 (gh#tox-dev/filelock/pulls/465)
 Patch1:         CVE-2026-22701.patch
 BuildRequires:  %{python_module asyncio}
 BuildRequires:  %{python_module hatch_vcs}
 BuildRequires:  %{python_module hatchling}
@@ -41,7 +45,6 @@ BuildRequires:  %{python_module wheel}
 %if %{with test}
 BuildRequires:  %{python_module pytest-asyncio}
 BuildRequires:  %{python_module pytest-mock}
 BuildRequires:  %{python_module pytest-timeout}
 BuildRequires:  %{python_module pytest}
 BuildRequires:  %{python_module virtualenv}
 %endif
Author	SHA256	Message	Date
nkrapp	f4c5858363	Add CVE-2026-22701.patch to fix CVE-2026-22701 (bsc#1256457)	2026-01-15 13:56:37 +01:00
nkrapp	c4a8737406	Add CVE-2025-68146.patch to fix CVE-2025-68146 (bsc#1255244)	2026-01-07 10:13:13 +01:00