Add CVE-2025-68146.patch to fix CVE-2025-68146 (bsc#1255244)

CVE-2025-68146.patch

@@ -0,0 +1,14 @@
+Index: filelock-3.18.0/src/filelock/_unix.py
+===================================================================
+--- filelock-3.18.0.orig/src/filelock/_unix.py
++++ filelock-3.18.0/src/filelock/_unix.py
+@@ -39,6 +39,9 @@ else:  # pragma: win32 no cover
+         def _acquire(self) -> None:
+             ensure_directory_exists(self.lock_file)
+             open_flags = os.O_RDWR | os.O_TRUNC
++            o_nofollow = getattr(os, "O_NOFOLLOW", None)
++            if o_nofollow is not None:
++                open_flags |= o_nofollow
+             if not Path(self.lock_file).exists():
+                 open_flags |= os.O_CREAT
+             fd = os.open(self.lock_file, open_flags, self._context.mode)

python-filelock.changes

@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Wed Jan  7 09:12:08 UTC 2026 - Nico Krapp <nico.krapp@suse.com>
+
+- Add CVE-2025-68146.patch to fix CVE-2025-68146 (bsc#1255244)
+
 -------------------------------------------------------------------
 Wed Mar 19 07:44:21 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
 

python-filelock.spec

@@ -33,6 +33,8 @@ Summary:        Platform Independent File Lock in Python
 License:        Unlicense
 URL:            https://github.com/tox-dev/py-filelock
 Source:         https://files.pythonhosted.org/packages/source/f/filelock/filelock-%{version}.tar.gz
+# PATCH-FIX-UPSTREAM CVE-2025-68146.patch bsc#1255244 (gh#tox-dev/filelock/pulls/461, gh#tox-dev/filelock/pulls/463)
+Patch0:         CVE-2025-68146.patch
 BuildRequires:  %{python_module asyncio}
 BuildRequires:  %{python_module hatch_vcs}
 BuildRequires:  %{python_module hatchling}
@@ -59,7 +61,7 @@ independent file lock in Python, which provides a simple way of
 inter-process communication.
 
 %prep
-%setup -q -n filelock-%{version}
+%autosetup -p1 -n filelock-%{version}
 
 %build
 %pyproject_wheel