Version in base suite: 20.31.2+ds-1 Base version: python-virtualenv_20.31.2+ds-1 Target version: python-virtualenv_20.31.2+ds-1+deb13u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/p/python-virtualenv/python-virtualenv_20.31.2+ds-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/p/python-virtualenv/python-virtualenv_20.31.2+ds-1+deb13u1.dsc changelog | 8 + patches/0001-Merge-pull-request-3013-from-gaborbernat-fix-sec.patch | 60 ++++++++++ patches/series | 1 3 files changed, 69 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp72warl7q/python-virtualenv_20.31.2+ds-1.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp72warl7q/python-virtualenv_20.31.2+ds-1+deb13u1.dsc: no acceptable signature found
diff -Nru python-virtualenv-20.31.2+ds/debian/changelog python-virtualenv-20.31.2+ds/debian/changelog
--- python-virtualenv-20.31.2+ds/debian/changelog 2025-05-09 13:08:14.000000000 +0000
+++ python-virtualenv-20.31.2+ds/debian/changelog 2026-06-28 15:25:34.000000000 +0000
@@ -1,3 +1,11 @@
+python-virtualenv (20.31.2+ds-1+deb13u1) trixie; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2026-22702: Time-of-Check-Time-of-Use Vulnerabilities
+ in Directory Creation (Closes: #1125191)
+
+ -- Adrian Bunk Sun, 28 Jun 2026 18:25:34 +0300
+
 python-virtualenv (20.31.2+ds-1) unstable; urgency=medium
 
 [ Stefano Rivera ]
diff -Nru python-virtualenv-20.31.2+ds/debian/patches/0001-Merge-pull-request-3013-from-gaborbernat-fix-sec.patch python-virtualenv-20.31.2+ds/debian/patches/0001-Merge-pull-request-3013-from-gaborbernat-fix-sec.patch
--- python-virtualenv-20.31.2+ds/debian/patches/0001-Merge-pull-request-3013-from-gaborbernat-fix-sec.patch 1970-01-01 00:00:00.000000000 +0000
+++ python-virtualenv-20.31.2+ds/debian/patches/0001-Merge-pull-request-3013-from-gaborbernat-fix-sec.patch 2026-06-28 14:40:26.000000000 +0000
@@ -0,0 +1,60 @@
+From 8e8cb1e67337f5d20184a71e7cf1164a0a45ce36 Mon Sep 17 00:00:00 2001
+From: Bernát Gábor
+Date: Fri, 9 Jan 2026 10:19:39 -0800
+Subject: Merge pull request #3013 from gaborbernat/fix-sec
+
+---
+ src/virtualenv/app_data/__init__.py | 11 +++++------
+ src/virtualenv/util/lock.py | 7 +++----
+ 2 files changed, 8 insertions(+), 10 deletions(-)
+
+diff --git a/src/virtualenv/app_data/__init__.py b/src/virtualenv/app_data/__init__.py
+index d7f14802..7a9d38e9 100644
+--- a/src/virtualenv/app_data/__init__.py
++++ b/src/virtualenv/app_data/__init__.py
+@@ -36,12 +36,11 @@ def make_app_data(folder, **kwargs):
+ if is_read_only:
+ return ReadOnlyAppData(folder)
+
+- if not os.path.isdir(folder):
+- try:
+- os.makedirs(folder)
+- LOGGER.debug("created app data folder %s", folder)
+- except OSError as exception:
+- LOGGER.info("could not create app data folder %s due to %r", folder, exception)
++ try:
++ os.makedirs(folder, exist_ok=True)
++ LOGGER.debug("created app data folder %s", folder)
++ except OSError as exception:
++ LOGGER.info("could not create app data folder %s due to %r", folder, exception)
+
+ if os.access(folder, os.W_OK):
+ return AppDataDiskFolder(folder)
+diff --git a/src/virtualenv/util/lock.py b/src/virtualenv/util/lock.py
+index b8c9cf83..b003d2c5 100644
+--- a/src/virtualenv/util/lock.py
++++ b/src/virtualenv/util/lock.py
+@@ -17,9 +17,8 @@ LOGGER = logging.getLogger(__name__)
+ class _CountedFileLock(FileLock):
+ def __init__(self, lock_file) -> None:
+ parent = os.path.dirname(lock_file)
+- if not os.path.isdir(parent):
+- with suppress(OSError):
+- os.makedirs(parent)
++ with suppress(OSError):
++ os.makedirs(parent, exist_ok=True)
+
+ super().__init__(lock_file)
+ self.count = 0
+@@ -111,7 +110,7 @@ class ReentrantFileLock(PathLockBase):
+ # a lock, but that lock might then become expensive, and it's not clear where that lock should live.
+ # Instead here we just ignore if we fail to create the directory.
+ with suppress(OSError):
+- os.makedirs(str(self.path))
++ os.makedirs(str(self.path), exist_ok=True)
+
+ try:
+ lock.acquire(0.0001)
+--
+2.47.3
+
diff -Nru python-virtualenv-20.31.2+ds/debian/patches/series python-virtualenv-20.31.2+ds/debian/patches/series
--- python-virtualenv-20.31.2+ds/debian/patches/series 2025-05-09 13:08:14.000000000 +0000
+++ python-virtualenv-20.31.2+ds/debian/patches/series 2026-06-28 15:25:30.000000000 +0000
@@ -2,3 +2,4 @@
 debian_update_for_available_wheels.patch
 disable-periodic-update.patch
 wheel-package-error
+0001-Merge-pull-request-3013-from-gaborbernat-fix-sec.patch
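Review bot: In `make_app_data` (src/virtualenv/app_data/__init__.py), `os.makedirs(folder, exist_ok=True)` removes the isdir-then-create window, but it still succeeds when `folder` already exists as a symlink to a directory or as a directory owned by another user, and the `os.access(folder, os.W_OK)` test after it is again a check made before the folder is used. If the app-data and lock paths can resolve under a location other local users can write to (not visible from these hunks), the creation should be followed by an `os.lstat(folder)` check that rejects symlinks and foreign owners before `AppDataDiskFolder(folder)` is returned. The two `os.makedirs(..., exist_ok=True)` calls in src/virtualenv/util/lock.py have the same gap, and there `suppress(OSError)` also hides a failed creation from the caller. Separately, `LOGGER.debug("created app data folder %s", folder)` now runs when the folder already existed, so I would reword it to `LOGGER.debug("ensured app data folder %s exists", folder)`. All three function bodies start or end outside the inner hunks.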