Source: python-filelock
Version: 3.20.2-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for python-filelock.

CVE-2026-22701[0]:
| filelock is a platform-independent file lock for Python. Prior to
| version 3.20.3, a TOCTOU race condition vulnerability exists in the
| SoftFileLock implementation of the filelock package. An attacker
| with local filesystem access and permission to create symlinks can
| exploit a race condition between the permission validation and file
| creation to cause lock operations to fail or behave unexpectedly.
| The vulnerability occurs in the _acquire() method between
| raise_on_not_writable_file() (permission check) and os.open() (file
| creation). During this race window, an attacker can create a symlink
| at the lock file path, potentially causing the lock to operate on an
| unintended target file or leading to denial of service. This issue
| has been patched in version 3.20.3.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-22701
    https://www.cve.org/CVERecord?id=CVE-2026-22701
[1] https://github.com/tox-dev/filelock/security/advisories/GHSA-qmgc-5h2g-mvrw
[2] https://github.com/tox-dev/filelock/commit/41b42dd2c72aecf7da83dbda5903b8087dddc4d5

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
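The check-then-create window the advisory describes, next to the pattern that closes it (one atomic O_EXCL|O_NOFOLLOW create, with failure handled after the syscall instead of predicted by a pre-check), as an added illustration. This is neither the filelock project's code nor its 3.20.3 patch; the function names, the writability pre-check and the temp-dir scenario with a pre-planted symlink are constructed for the demo.

```python
import errno
import os
import tempfile

def check_then_create(lock_path: str) -> None:
    """Check-then-use: the pre-check and the create are separate syscalls, so a
    symlink placed at lock_path in between is silently followed by os.open()."""
    if not os.access(os.path.dirname(lock_path) or ".", os.W_OK):  # writability pre-check
        raise PermissionError(lock_path)
    fd = os.open(lock_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o644)
    os.close(fd)

def create_exclusive(lock_path: str) -> bool:
    """One atomic create: O_EXCL rejects any existing entry (symlinks included),
    O_NOFOLLOW refuses to dereference one. Failure is handled after the syscall,
    not predicted by a pre-check. True = lock file created, False = path occupied."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(lock_path, flags, 0o644)
    except FileExistsError:
        return False                       # held by another process, or a planted link
    except OSError as exc:
        if exc.errno == errno.ELOOP:       # O_NOFOLLOW met a symlink
            return False
        raise
    os.close(fd)
    return True

def demo() -> dict:
    """Constructed scenario: a symlink already sits at the lock path and points at
    an unrelated file; report which variant ends up touching that file."""
    with tempfile.TemporaryDirectory() as tmp:
        victim, lock = os.path.join(tmp, "victim.txt"), os.path.join(tmp, "res.lock")
        with open(victim, "w") as f:
            f.write("important data")
        os.symlink(victim, lock)           # the link at the lock path from the advisory

        check_then_create(lock)            # follows the link: victim is truncated
        naive_clobbered = os.path.getsize(victim) == 0

        with open(victim, "w") as f:
            f.write("important data")      # restore, then try the hardened variant
        hardened_took_lock = create_exclusive(lock)
        with open(victim) as f:
            hardened_intact = f.read() == "important data"
    return {"naive_clobbered": naive_clobbered,
            "hardened_took_lock": hardened_took_lock,
            "hardened_intact": hardened_intact}
```

The hardened variant never gains the lock while the link is present, which is the intended outcome: a refused acquire is recoverable, a lock file silently redirected onto another file is not.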

