pool/python-virtualenv
SHA256
17
0
Fork 2
Code Issues Pull Requests Activity

Compare commits

base: pool:slfo-1.2
Branches Tags
pool:factory pool:slfo-1.2 pool:slfo-main
..
compare: pool:slfo-main
Branches Tags
pool:factory pool:slfo-1.2 pool:slfo-main

1 Commits
slfo-1.2 ... slfo-main

Author SHA256 Message Date
Daniel Garcia Moreno
082aeeb204 Convert to libalternatives, bsc#1245883 2025-11-03 15:11:26 +01:00
3 changed files with 22 additions and 82 deletions
Expand all files Collapse all files

70
CVE-2026-22702.patch
View File

@@ -1,70 +0,0 @@
From b338d8cee138c2fd98f788ec295f8f2f719f53c2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bern=C3=A1t=20G=C3=A1bor?= <bgabor8@bloomberg.net>
Date: Fri, 9 Jan 2026 09:49:49 -0800
Subject: [PATCH] fix: resolve TOCTOU vulnerabilities in app_data and lock
directory creation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Use atomic os.makedirs(..., exist_ok=True) operations instead of
check-then-act pattern to prevent symlink-based TOCTOU attacks.
Reported by: tsigouris007
Signed-off-by: Bernát Gábor <bgabor8@bloomberg.net>
---
docs/changelog/3013.bugfix.rst | 1 +
src/virtualenv/app_data/__init__.py | 11 +++++------
src/virtualenv/util/lock.py | 7 +++----
3 files changed, 9 insertions(+), 10 deletions(-)
create mode 100644 docs/changelog/3013.bugfix.rst
diff --git a/src/virtualenv/app_data/__init__.py b/src/virtualenv/app_data/__init__.py
index d7f148023..7a9d38e92 100644
--- a/src/virtualenv/app_data/__init__.py
+++ b/src/virtualenv/app_data/__init__.py
@@ -36,12 +36,11 @@ def make_app_data(folder, **kwargs):
if is_read_only:
return ReadOnlyAppData(folder)
- if not os.path.isdir(folder):
- try:
- os.makedirs(folder)
- LOGGER.debug("created app data folder %s", folder)
- except OSError as exception:
- LOGGER.info("could not create app data folder %s due to %r", folder, exception)
+ try:
+ os.makedirs(folder, exist_ok=True)
+ LOGGER.debug("created app data folder %s", folder)
+ except OSError as exception:
+ LOGGER.info("could not create app data folder %s due to %r", folder, exception)
if os.access(folder, os.W_OK):
return AppDataDiskFolder(folder)
diff --git a/src/virtualenv/util/lock.py b/src/virtualenv/util/lock.py
index b250e032f..82c8eed65 100644
--- a/src/virtualenv/util/lock.py
+++ b/src/virtualenv/util/lock.py
@@ -17,9 +17,8 @@
class _CountedFileLock(FileLock):
def __init__(self, lock_file) -> None:
parent = os.path.dirname(lock_file)
- if not os.path.isdir(parent):
- with suppress(OSError):
- os.makedirs(parent)
+ with suppress(OSError):
+ os.makedirs(parent, exist_ok=True)
super().__init__(lock_file)
self.count = 0
@@ -117,7 +116,7 @@ def _lock_file(self, lock, no_block=False): # noqa: FBT002
# a lock, but that lock might then become expensive, and it's not clear where that lock should live.
# Instead here we just ignore if we fail to create the directory.
with suppress(OSError):
- os.makedirs(str(self.path))
+ os.makedirs(str(self.path), exist_ok=True)
try:
lock.acquire(0.0001)

4
python-virtualenv.changes
View File

@@ -1,7 +1,7 @@
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Jan 13 15:21:00 UTC 2026 - Nico Krapp <nico.krapp@suse.com> Tue Aug 26 09:28:27 UTC 2025 - Markéta Machová <mmachova@suse.com>
- Add patch CVE-2026-22702.patch to fix CVE-2026-22702 (bsc#1256458) - Convert to libalternatives on SLE-16-based and newer systems
------------------------------------------------------------------- -------------------------------------------------------------------
Sun Mar 30 07:54:04 UTC 2025 - Dirk Müller <dmueller@suse.com> Sun Mar 30 07:54:04 UTC 2025 - Dirk Müller <dmueller@suse.com>

30
python-virtualenv.spec
View File

@@ -1,7 +1,7 @@
# #
# spec file for package python-virtualenv # spec file for package python-virtualenv
# #
# Copyright (c) 2025 SUSE LLC # Copyright (c) 2025 SUSE LLC and contributors
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed # remain the property of their copyright owners, unless otherwise agreed
@@ -24,7 +24,11 @@
%define psuffix %{nil} %define psuffix %{nil}
%bcond_with test %bcond_with test
%endif %endif
%if 0%{?suse_version} > 1500
%bcond_without libalternatives
%else
%bcond_with libalternatives
%endif
%{?sle15_python_module_pythons} %{?sle15_python_module_pythons}
Name: python-virtualenv%{psuffix} Name: python-virtualenv%{psuffix}
Version: 20.29.3 Version: 20.29.3
@@ -34,19 +38,19 @@ License: MIT
URL: https://virtualenv.pypa.io/ URL: https://virtualenv.pypa.io/
# SourceRepository: https://github.com/pypa/virtualenv # SourceRepository: https://github.com/pypa/virtualenv
Source: https://files.pythonhosted.org/packages/source/v/virtualenv/virtualenv-%{version}.tar.gz Source: https://files.pythonhosted.org/packages/source/v/virtualenv/virtualenv-%{version}.tar.gz
# PATCH-FIX-UPSTREAM CVE-2026-22702.patch bsc#1256458 gh#pypa/virtualenv#3013
Patch0: CVE-2026-22702.patch
BuildRequires: %{python_module base >= 3.7} BuildRequires: %{python_module base >= 3.7}
BuildRequires: %{python_module pip} BuildRequires: %{python_module pip}
BuildRequires: python-rpm-macros BuildRequires: python-rpm-macros
Requires: (python-distlib >= 0.3.7 with python-distlib < 1)
Requires: (python-filelock >= 3.12.2 with python-filelock < 4)
Requires: (python-platformdirs >= 3.9.1 with python-platformdirs < 5)
BuildArch: noarch
%if !%{with test} %if !%{with test}
# Don't install the build requirements during testing, see setuptools_scm comment below # Don't install the build requirements during testing, see setuptools_scm comment below
BuildRequires: %{python_module hatch-vcs >= 0.3} BuildRequires: %{python_module hatch-vcs >= 0.3}
BuildRequires: %{python_module hatchling >= 1.17.1} BuildRequires: %{python_module hatchling >= 1.17.1}
BuildRequires: fdupes BuildRequires: fdupes
%else %else
# Conflict with setuptools_scm giving a warning, https://github.com/pypa/virtualenv/issues/2668
BuildConflicts: %{python_module setuptools_scm}
BuildRequires: %{python_module devel} BuildRequires: %{python_module devel}
BuildRequires: %{python_module flaky >= 3.7} BuildRequires: %{python_module flaky >= 3.7}
BuildRequires: %{python_module packaging >= 23.1} BuildRequires: %{python_module packaging >= 23.1}
@@ -58,13 +62,16 @@ BuildRequires: %{python_module setuptools >= 68}
BuildRequires: %{python_module setuptools-wheel >= 68} BuildRequires: %{python_module setuptools-wheel >= 68}
BuildRequires: %{python_module time-machine >= 2.10} BuildRequires: %{python_module time-machine >= 2.10}
BuildRequires: %{python_module virtualenv = %{version}} BuildRequires: %{python_module virtualenv = %{version}}
# Conflict with setuptools_scm giving a warning, https://github.com/pypa/virtualenv/issues/2668
BuildConflicts: %{python_module setuptools_scm}
%endif %endif
Requires: (python-distlib >= 0.3.7 with python-distlib < 1) %if %{with libalternatives}
Requires: (python-filelock >= 3.12.2 with python-filelock < 4) BuildRequires: alts
Requires: (python-platformdirs >= 3.9.1 with python-platformdirs < 5) Requires: alts
%else
Requires(post): update-alternatives Requires(post): update-alternatives
Requires(postun): update-alternatives Requires(postun): update-alternatives
BuildArch: noarch %endif
%if 0%{python_version_nodots} < 38 %if 0%{python_version_nodots} < 38
Requires: python-importlib-metadata >= 6.6 Requires: python-importlib-metadata >= 6.6
%endif %endif
@@ -118,6 +125,9 @@ donttest+=" or test_embed_wheel_versions"
%pytest -k "not ($donttest)" %pytest -k "not ($donttest)"
%endif %endif
%pre
%python_libalternatives_reset_alternative virtualenv
%post %post
%python_install_alternative virtualenv %python_install_alternative virtualenv