Version in base suite: 3.9.0-1 Base version: python-filelock_3.9.0-1 Target version: python-filelock_3.9.0-1+deb12u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/p/python-filelock/python-filelock_3.9.0-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/p/python-filelock/python-filelock_3.9.0-1+deb12u1.dsc changelog | 11 +++++ patches/CVE-2025-68146.patch | 83 +++++++++++++++++++++++++++++++++++++++++++ patches/CVE-2026-22701.patch | 30 +++++++++++++++ patches/series | 2 + 4 files changed, 126 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpjdpwezrd/python-filelock_3.9.0-1.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpjdpwezrd/python-filelock_3.9.0-1+deb12u1.dsc: no acceptable signature found
diff -Nru python-filelock-3.9.0/debian/changelog python-filelock-3.9.0/debian/changelog
--- python-filelock-3.9.0/debian/changelog 2023-01-02 11:17:19.000000000 +0000
+++ python-filelock-3.9.0/debian/changelog 2026-06-02 03:24:53.000000000 +0000
@@ -1,3 +1,14 @@
+python-filelock (3.9.0-1+deb12u1) bookworm; urgency=medium
+
+ * Team upload.
+ * d/patches: (Closes: #1123510, #1125190)
+ - CVE-2025-68146: Import and backport upstream patch
+ (A TOCTOU race condition allows local attackers)
+ - CVE-2026-22701: Import and backport upstream patch
+ (A TOCTOU race condition allows local attackers)
+
+ -- Matheus Polkorny Tue, 02 Jun 2026 00:24:53 -0300
+
 python-filelock (3.9.0-1) unstable; urgency=medium
 
 * New upstream release.
diff -Nru python-filelock-3.9.0/debian/patches/CVE-2025-68146.patch python-filelock-3.9.0/debian/patches/CVE-2025-68146.patch
--- python-filelock-3.9.0/debian/patches/CVE-2025-68146.patch 1970-01-01 00:00:00.000000000 +0000
+++ python-filelock-3.9.0/debian/patches/CVE-2025-68146.patch 2026-06-02 03:24:53.000000000 +0000
@@ -0,0 +1,83 @@
+From: Bernát Gábor
+Date: Mon, 15 Dec 2025 15:52:12 -0800
+Subject: Fix TOCTOU symlink vulnerability in lock file creation (#461)
+
+Origin: upstream, https://github.com/tox-dev/filelock/commit/4724d7f8c3393ec1f048c93933e6e3e6ec321f0e
+
+Changes:
+- Refresh patch context
+- Update hunk's offset
+---
+ src/filelock/_unix.py | 2 +-
+ src/filelock/_windows.py | 38 ++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 39 insertions(+), 1 deletion(-)
+
+diff --git a/src/filelock/_unix.py b/src/filelock/_unix.py
+index 03b612c..00dfa1b 100644
+--- a/src/filelock/_unix.py
++++ b/src/filelock/_unix.py
+@@ -31,7 +31,7 @@ else: # pragma: win32 no cover
+ """Uses the :func:`fcntl.flock` to hard lock the lock file on unix systems."""
+ 
+ def _acquire(self) -> None:
+- open_mode = os.O_RDWR | os.O_CREAT | os.O_TRUNC
++ open_mode = os.O_RDWR | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
+ fd = os.open(self._lock_file, open_mode)
+ try:
+ fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
+diff --git a/src/filelock/_windows.py b/src/filelock/_windows.py
+index 60e68cb..f7df863 100644
+--- a/src/filelock/_windows.py
++++ b/src/filelock/_windows.py
+@@ -9,13 +9,51 @@ from ._api import BaseFileLock
+ from ._util import raise_on_exist_ro_file
+ 
+ if sys.platform == "win32": # pragma: win32 cover
++ import ctypes
+ import msvcrt
++ from ctypes import wintypes
++
++ # Windows API constants for reparse point detection
++ FILE_ATTRIBUTE_REPARSE_POINT = 0x00000400
++ INVALID_FILE_ATTRIBUTES = 0xFFFFFFFF
++
++ # Load kernel32.dll
++ _kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
++ _kernel32.GetFileAttributesW.argtypes = [wintypes.LPCWSTR]
++ _kernel32.GetFileAttributesW.restype = wintypes.DWORD
++
++ def _is_reparse_point(path: str) -> bool:
++ """
++ Check if a path is a reparse point (symlink, junction, etc.) on Windows.
++
++ :param path: Path to check
++ :return: True if path is a reparse point, False otherwise
++ :raises OSError: If GetFileAttributesW fails for reasons other than file-not-found
++ """
++ attrs = _kernel32.GetFileAttributesW(path)
++ if attrs == INVALID_FILE_ATTRIBUTES:
++ # File doesn't exist yet - that's fine, we'll create it
++ err = ctypes.get_last_error()
++ if err == 2: # noqa: PLR2004 # ERROR_FILE_NOT_FOUND
++ return False
++ if err == 3: # noqa: PLR2004 # ERROR_PATH_NOT_FOUND
++ return False
++ # Some other error - let caller handle it
++ return False
++ return bool(attrs & FILE_ATTRIBUTE_REPARSE_POINT)
+ 
+ class WindowsFileLock(BaseFileLock):
+ """Uses the :func:`msvcrt.locking` function to hard lock the lock file on windows systems."""
+ 
+ def _acquire(self) -> None:
+ raise_on_exist_ro_file(self._lock_file)
++
++ # Security check: Refuse to open reparse points (symlinks, junctions)
++ # This prevents TOCTOU symlink attacks (CVE-TBD)
++ if _is_reparse_point(self.lock_file):
++ msg = f"Lock file is a reparse point (symlink/junction): {self.lock_file}"
++ raise OSError(msg)
++
+ mode = (
+ os.O_RDWR # open for read and write
+ | os.O_CREAT # create file if not exists
diff -Nru python-filelock-3.9.0/debian/patches/CVE-2026-22701.patch python-filelock-3.9.0/debian/patches/CVE-2026-22701.patch
--- python-filelock-3.9.0/debian/patches/CVE-2026-22701.patch 1970-01-01 00:00:00.000000000 +0000
+++ python-filelock-3.9.0/debian/patches/CVE-2026-22701.patch 2026-06-02 03:24:53.000000000 +0000
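Review bot: `_is_reparse_point` never raises, yet its docstring promises `:raises OSError: If GetFileAttributesW fails for reasons other than file-not-found`; for any error code other than 2 or 3 the comment says "let caller handle it" and the function returns False, so the reparse-point check is silently skipped and `WindowsFileLock._acquire` goes on to build `mode` and, presumably, open the path. Either make the docstring true by replacing the final `return False` inside the `INVALID_FILE_ATTRIBUTES` branch with `raise ctypes.WinError(err)`, or reword the docstring and that comment to say the check is best-effort and fails open. The comment `# This prevents TOCTOU symlink attacks (CVE-TBD)` in `_acquire` can now carry the identifier the patch is filed under, `# This prevents TOCTOU symlink attacks (CVE-2025-68146)`. The attribute query followed by a separate open is itself a check-then-use sequence, so it narrows rather than removes the window that the Unix side closes with `os.O_NOFOLLOW`; the same comment is the place to state that. `_acquire` continues past the end of the hunk, and `_is_reparse_point` is called with `self.lock_file` while the surrounding code uses `self._lock_file`, which is worth aligning.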
@@ -0,0 +1,30 @@
+From: Bernát Gábor
+Date: Fri, 9 Jan 2026 09:53:50 -0800
+Subject: Fix TOCTOU symlink vulnerability in SoftFileLock (#465)
+
+Co-authored-by: Claude
+
+Origin: upstream, https://github.com/tox-dev/filelock/commit/41b42dd2c72aecf7da83dbda5903b8087dddc4d5
+
+Changes:
+- Refresh patch context
+- Use "mode" instead of "flags" as used in this version
+- Drop docs/index.rst
+---
+ src/filelock/_soft.py | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/filelock/_soft.py b/src/filelock/_soft.py
+index cb09799..f6632f8 100644
+--- a/src/filelock/_soft.py
++++ b/src/filelock/_soft.py
+@@ -20,6 +20,9 @@ class SoftFileLock(BaseFileLock):
+ | os.O_EXCL # together with above raise EEXIST if the file specified by filename exists
+ | os.O_TRUNC # truncate the file to zero byte
+ )
++ o_nofollow = getattr(os, "O_NOFOLLOW", None)
++ if o_nofollow is not None:
++ mode |= o_nofollow
+ try:
+ fd = os.open(self._lock_file, mode)
+ except OSError as exception:
diff -Nru python-filelock-3.9.0/debian/patches/series python-filelock-3.9.0/debian/patches/series
--- python-filelock-3.9.0/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ python-filelock-3.9.0/debian/patches/series 2026-06-02 03:24:53.000000000 +0000
@@ -0,0 +1,2 @@
+CVE-2025-68146.patch
+CVE-2026-22701.patch
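Review bot: The three lines added to `SoftFileLock._acquire` are the only part of the `mode` flag set without an explanatory trailing comment, unlike `os.O_EXCL` and `os.O_TRUNC` just above them; `o_nofollow = getattr(os, "O_NOFOLLOW", None)  # refuse to open through a symlink at the lock path; not defined on every platform` keeps the file's convention. Because the flag is only OR-ed in when `os.O_NOFOLLOW` exists, platforms without it keep the pre-patch behaviour, and the reparse-point guard that the companion CVE-2025-68146 patch adds to `_windows.py` is not used here (the diffstat shows `_soft.py` as the only file touched). Since the patch header says the upstream `docs/index.rst` change was dropped, the Debian changelog entry is now the only place to record that this soft-lock hardening is effectively limited to platforms that define `O_NOFOLLOW`. `_acquire` starts and ends outside the hunk.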