Compare commits
10 Commits
| Author | SHA256 | Date | |
|---|---|---|---|
| a005b52758 | |||
| a7eff275ce | |||
| e9511a53d6 | |||
| c2f3f5ecde | |||
| b2ff2fd029 | |||
| 4a64c892ad | |||
| 7469842c8b | |||
| 54c9059814 | |||
| 48824c5482 | |||
| 70a977d77d |
@@ -1,14 +0,0 @@
|
|||||||
Index: filelock-3.18.0/src/filelock/_unix.py
|
|
||||||
===================================================================
|
|
||||||
--- filelock-3.18.0.orig/src/filelock/_unix.py
|
|
||||||
+++ filelock-3.18.0/src/filelock/_unix.py
|
|
||||||
@@ -39,6 +39,9 @@ else: # pragma: win32 no cover
|
|
||||||
def _acquire(self) -> None:
|
|
||||||
ensure_directory_exists(self.lock_file)
|
|
||||||
open_flags = os.O_RDWR | os.O_TRUNC
|
|
||||||
+ o_nofollow = getattr(os, "O_NOFOLLOW", None)
|
|
||||||
+ if o_nofollow is not None:
|
|
||||||
+ open_flags |= o_nofollow
|
|
||||||
if not Path(self.lock_file).exists():
|
|
||||||
open_flags |= os.O_CREAT
|
|
||||||
fd = os.open(self.lock_file, open_flags, self._context.mode)
|
|
||||||
@@ -1,63 +0,0 @@
|
|||||||
From 255ed068bc85d1ef406e50a135e1459170dd1bf0 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Bern=C3=A1t=20G=C3=A1bor?= <bgabor8@bloomberg.net>
|
|
||||||
Date: Fri, 9 Jan 2026 09:23:12 -0800
|
|
||||||
Subject: [PATCH] Fix TOCTOU symlink vulnerability in SoftFileLock
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Add O_NOFOLLOW flag to prevent symlink attacks. The vulnerability existed
|
|
||||||
between the permission check and the actual file creation, allowing an
|
|
||||||
attacker to create a symlink at the lock path.
|
|
||||||
|
|
||||||
How the fix prevents the attack:
|
|
||||||
1. raise_on_not_writable_file() validates permissions (doesn't follow symlinks)
|
|
||||||
2. RACE WINDOW: attacker creates symlink to target file
|
|
||||||
3. os.open() with O_NOFOLLOW refuses to follow the symlink
|
|
||||||
4. Attack is prevented - the symlink won't help attacker
|
|
||||||
|
|
||||||
Changes:
|
|
||||||
- Add conditional O_NOFOLLOW flag (like UnixFileLock does in commit 5088854)
|
|
||||||
- Gracefully degrade on platforms without O_NOFOLLOW (e.g., GraalPy)
|
|
||||||
- No behavioral changes to existing code
|
|
||||||
|
|
||||||
Security improvement:
|
|
||||||
- Platforms with O_NOFOLLOW: ✅ Symlink attacks completely prevented
|
|
||||||
- Platforms without O_NOFOLLOW: ⚠️ TOCTOU window remains but documented
|
|
||||||
|
|
||||||
The pre-check (raise_on_not_writable_file) is safe from TOCTOU itself because
|
|
||||||
it only reads metadata. The attack only works if a symlink is followed by a
|
|
||||||
write operation. By preventing symlink following in os.open() with O_NOFOLLOW,
|
|
||||||
the attack is blocked even if the symlink is created during the race window.
|
|
||||||
|
|
||||||
Reported by George Tsigourakos (@tsigouris007)
|
|
||||||
|
|
||||||
🤖 Generated with Claude Code
|
|
||||||
|
|
||||||
Co-Authored-By: Claude <noreply@anthropic.com>
|
|
||||||
---
|
|
||||||
docs/index.rst | 16 ++++++++++++++++
|
|
||||||
src/filelock/_soft.py | 4 +++-
|
|
||||||
2 files changed, 19 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/src/filelock/_soft.py b/src/filelock/_soft.py
|
|
||||||
index 28c67f74..93709c5c 100644
|
|
||||||
--- a/src/filelock/_soft.py
|
|
||||||
+++ b/src/filelock/_soft.py
|
|
||||||
@@ -16,13 +16,15 @@ class SoftFileLock(BaseFileLock):
|
|
||||||
def _acquire(self) -> None:
|
|
||||||
raise_on_not_writable_file(self.lock_file)
|
|
||||||
ensure_directory_exists(self.lock_file)
|
|
||||||
- # first check for exists and read-only mode as the open will mask this case as EEXIST
|
|
||||||
flags = (
|
|
||||||
os.O_WRONLY # open for writing only
|
|
||||||
| os.O_CREAT
|
|
||||||
| os.O_EXCL # together with above raise EEXIST if the file specified by filename exists
|
|
||||||
| os.O_TRUNC # truncate the file to zero byte
|
|
||||||
)
|
|
||||||
+ o_nofollow = getattr(os, "O_NOFOLLOW", None)
|
|
||||||
+ if o_nofollow is not None:
|
|
||||||
+ flags |= o_nofollow
|
|
||||||
try:
|
|
||||||
file_handler = os.open(self.lock_file, flags, self._context.mode)
|
|
||||||
except OSError as exception: # re-raise unless expected exception
|
|
||||||
@@ -1,13 +1,3 @@
|
|||||||
-------------------------------------------------------------------
|
|
||||||
Wed Jan 14 13:09:53 UTC 2026 - Nico Krapp <nico.krapp@suse.com>
|
|
||||||
|
|
||||||
- Add CVE-2026-22701.patch to fix CVE-2026-22701 (bsc#1256457)
|
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
|
||||||
Wed Jan 7 09:12:08 UTC 2026 - Nico Krapp <nico.krapp@suse.com>
|
|
||||||
|
|
||||||
- Add CVE-2025-68146.patch to fix CVE-2025-68146 (bsc#1255244)
|
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Wed Mar 19 07:44:21 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
|
Wed Mar 19 07:44:21 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
|
||||||
|
|
||||||
|
|||||||
@@ -33,10 +33,6 @@ Summary: Platform Independent File Lock in Python
|
|||||||
License: Unlicense
|
License: Unlicense
|
||||||
URL: https://github.com/tox-dev/py-filelock
|
URL: https://github.com/tox-dev/py-filelock
|
||||||
Source: https://files.pythonhosted.org/packages/source/f/filelock/filelock-%{version}.tar.gz
|
Source: https://files.pythonhosted.org/packages/source/f/filelock/filelock-%{version}.tar.gz
|
||||||
# PATCH-FIX-UPSTREAM CVE-2025-68146.patch bsc#1255244 (gh#tox-dev/filelock/pulls/461, gh#tox-dev/filelock/pulls/463)
|
|
||||||
Patch0: CVE-2025-68146.patch
|
|
||||||
# PATCH-FIX-UPSTREAM CVE-2026-22701.patch bsc#1256457 (gh#tox-dev/filelock/pulls/465)
|
|
||||||
Patch1: CVE-2026-22701.patch
|
|
||||||
BuildRequires: %{python_module asyncio}
|
BuildRequires: %{python_module asyncio}
|
||||||
BuildRequires: %{python_module hatch_vcs}
|
BuildRequires: %{python_module hatch_vcs}
|
||||||
BuildRequires: %{python_module hatchling}
|
BuildRequires: %{python_module hatchling}
|
||||||
@@ -63,7 +59,7 @@ independent file lock in Python, which provides a simple way of
|
|||||||
inter-process communication.
|
inter-process communication.
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
%autosetup -p1 -n filelock-%{version}
|
%setup -q -n filelock-%{version}
|
||||||
|
|
||||||
%build
|
%build
|
||||||
%pyproject_wheel
|
%pyproject_wheel
|
||||||
|
|||||||
Reference in New Issue
Block a user