Source: python-filelock
Version: 3.20.0-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/tox-dev/filelock/pull/461
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for python-filelock.

CVE-2025-68146[0]:
| filelock is a platform-independent file lock for Python. In versions
| prior to 3.20.1, a Time-of-Check-Time-of-Use (TOCTOU) race condition
| allows local attackers to corrupt or truncate arbitrary user files
| through symlink attacks. The vulnerability exists in both Unix and
| Windows lock file creation where filelock checks if a file exists
| before opening it with O_TRUNC. An attacker can create a symlink
| pointing to a victim file in the time gap between the check and
| open, causing os.open() to follow the symlink and truncate the
| target file. All users of filelock on Unix, Linux, macOS, and
| Windows systems are impacted. The vulnerability cascades to
| dependent libraries. The attack requires local filesystem access and
| the ability to create symlinks (standard user permissions on Unix;
| Developer Mode on Windows 10+). Exploitation succeeds within 1-3
| attempts when lock file paths are predictable. The issue is fixed in
| version 3.20.1. If immediate upgrade is not possible, use
| SoftFileLock instead of UnixFileLock/WindowsFileLock (note:
| different locking semantics, may not be suitable for all use cases);
| ensure lock file directories have restrictive permissions (chmod
| 0700) to prevent untrusted users from creating symlinks; and/or
| monitor lock file directories for suspicious symlinks before running
| trusted applications. These workarounds provide only partial
| mitigation. The race condition remains exploitable. Upgrading to
| version 3.20.1 is strongly recommended.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-68146
    https://www.cve.org/CVERecord?id=CVE-2025-68146
[1] https://github.com/tox-dev/filelock/pull/461
[2] https://github.com/tox-dev/filelock/security/advisories/GHSA-w853-jp5j-5j7f
[3] https://github.com/tox-dev/filelock/commit/4724d7f8c3393ec1f048c93933e6e3e6ec321f0e

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
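The advisory above describes the defect as a check-then-open sequence where the open carries O_TRUNC, so a symlink sitting at the lock path is followed and its target is emptied. The following is an added illustration written for this report, not filelock's own code and not the upstream fix: it contrasts the generic check-then-open pattern with a hardened open that drops O_TRUNC (a lock file has no content worth truncating), adds O_NOFOLLOW where the platform provides it, and verifies with fstat that the opened inode is a regular file. The demo also includes a simple directory-permission check matching the "chmod 0700" workaround. All file names, the victim content, and the function names are constructed for the example; the reproduction places the symlink before the call rather than racing the check, which triggers the same truncation deterministically.

```python
import os
import stat
import tempfile

LOCK_MODE = 0o644  # constructed value for the example


def create_lock_unsafe(lock_path: str) -> int:
    """Check-then-open pattern as described in the advisory (illustration only).
    exists() and the O_TRUNC open are two separate steps; a symlink at lock_path
    is followed by os.open(), so the symlink's target gets truncated."""
    flags = os.O_RDWR | os.O_TRUNC
    if not os.path.exists(lock_path):
        flags |= os.O_CREAT
    return os.open(lock_path, flags, LOCK_MODE)


def create_lock_safe(lock_path: str) -> int:
    """Hardened variant (added here, not the upstream patch):
    - no O_TRUNC: even a followed symlink cannot empty its target;
    - O_NOFOLLOW where available (POSIX): open fails with ELOOP on a symlink;
    - fstat after open: refuse anything that is not a regular file."""
    flags = os.O_RDWR | os.O_CREAT | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(lock_path, flags, LOCK_MODE)
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise OSError("lock path is not a regular file: %s" % lock_path)
    except Exception:
        os.close(fd)
        raise
    return fd


def lock_dir_is_private(directory: str) -> bool:
    """Check corresponding to the 'chmod 0700' workaround: the directory must be
    owned by the current user and carry no group/other permission bits."""
    st = os.stat(directory)
    owned = hasattr(os, "geteuid") and st.st_uid == os.geteuid()
    no_group_other = (stat.S_IMODE(st.st_mode) & 0o077) == 0
    return owned and no_group_other


def run_demo() -> dict:
    """Constructed scenario: a victim file and a symlink at the lock path
    pointing at it. Returns the victim's content after each open variant."""
    original = "important data"
    result = {}
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.txt")
        lock = os.path.join(d, "app.lock")
        with open(victim, "w") as f:
            f.write(original)
        os.symlink(victim, lock)  # stands in for the attacker-placed symlink

        # 1. check-then-open with O_TRUNC follows the symlink and empties victim
        os.close(create_lock_unsafe(lock))
        with open(victim) as f:
            result["after_unsafe"] = f.read()

        # reset the victim and try the hardened open
        with open(victim, "w") as f:
            f.write(original)
        try:
            os.close(create_lock_safe(lock))
            result["safe_refused"] = False
        except OSError:
            result["safe_refused"] = True
        with open(victim) as f:
            result["after_safe"] = f.read()

        # 3. directory hygiene check for the chmod 0700 workaround
        os.chmod(d, 0o700)
        result["dir_private"] = lock_dir_is_private(d)
    return result


if __name__ == "__main__":
    print(run_demo())
```

On Linux and macOS `create_lock_safe` raises `OSError` (errno ELOOP) on the symlink, so the victim file keeps its content; on a platform without `O_NOFOLLOW` the open may succeed, but with O_TRUNC removed and the fstat check in place the target is still not truncated. The reproduction runs entirely inside a temporary directory.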

