Projetos/rpi-buildroot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

package/python-filelock: fix CVE-2025-68146

Browse Source 
Fixes the following vulnerability:

- CVE-2025-68146

A Time-of-Check-Time-of-Use (TOCTOU) race condition allows local
attackers to corrupt or truncate arbitrary user files through symlink
attacks.

For more informations, see:
  - https://nvd.nist.gov/vuln/detail/CVE-2025-68146
  - 18a9988008

(cherry picked from commit d9c1379d1f7651951d00ce59b588d74aad049573)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This commit is contained in:
Thomas Perale
2025-12-27 16:19:15 +01:00
parent 9a315994a6
commit 70072dc0e2
2 changed files with 30 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
package/python-filelock/0001-Fix-TOCTOU-symlink-vulnerability-in-lock-file-creation.patch Normal file
View File

@@ -0,0 +1,27 @@
From 4724d7f8c3393ec1f048c93933e6e3e6ec321f0e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bern=C3=A1t=20G=C3=A1bor?= <gaborjbernat@gmail.com>
Date: Mon, 15 Dec 2025 15:52:12 -0800
Subject: [PATCH] Fix TOCTOU symlink vulnerability in lock file creation (#461)
CVE: CVE-2025-68146
Upstream: https://github.com/tox-dev/filelock/commit/4724d7f8c3393ec1f048c93933e6e3e6ec321f0e
[thomas: Dropped the windows part of the patch]
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
---
src/filelock/_unix.py | 2 +-
src/filelock/_windows.py | 38 ++++++++++++++++++++++++++++++++++++++
2 files changed, 39 insertions(+), 1 deletion(-)
diff --git a/src/filelock/_unix.py b/src/filelock/_unix.py
index b2fd0f33..25cbeca6 100644
--- a/src/filelock/_unix.py
+++ b/src/filelock/_unix.py
@@ -38,7 +38,7 @@ class UnixFileLock(BaseFileLock):
def _acquire(self) -> None:
ensure_directory_exists(self.lock_file)
- open_flags = os.O_RDWR | os.O_TRUNC
+ open_flags = os.O_RDWR | os.O_TRUNC | os.O_NOFOLLOW
if not Path(self.lock_file).exists():
open_flags |= os.O_CREAT
fd = os.open(self.lock_file, open_flags, self._context.mode)

3
package/python-filelock/python-filelock.mk
View File

@@ -12,4 +12,7 @@ PYTHON_FILELOCK_LICENSE = Public Domain
PYTHON_FILELOCK_LICENSE_FILES = LICENSE
PYTHON_FILELOCK_DEPENDENCIES = host-python-hatch-vcs
# 0001-Fix-TOCTOU-symlink-vulnerability-in-lock-file-creation.patch
PYTHON_FILELOCK_IGNORE_CVES += CVE-2025-68146
$(eval $(python-package))