microsoft · azurelinux-security · Jan 13, 2026
@@ -0,0 +1,69 @@
+From be2b84e932a4381db94d0baa3a2d2f3b707bccd5 Mon Sep 17 00:00:00 2001
+From: AllSpark <[email protected]>
+Date: Tue, 13 Jan 2026 09:02:26 +0000
+Subject: [PATCH] =?UTF-8?q?fix:=20resolve=20TOCTOU=20vulnerabilities=20in?=
+ =?UTF-8?q?=20app=5Fdata=20and=20lock=20directory=20creation=20by=20using?=
+ =?UTF-8?q?=20atomic=20os.makedirs(...,=20exist=5Fok=3DTrue).=20Reported?=
+ =?UTF-8?q?=20by=20tsigouris007.=20Signed-off-by:=20Bern=C3=A1t=20G=C3=A1b?=
+ =?UTF-8?q?or=20<[email protected]>?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Azure Linux Security Servicing Account <[email protected]>
+Upstream-reference: AI Backport of https://github.com/pypa/virtualenv/pull/3013.patch
+---
+ src/virtualenv/app_data/__init__.py | 11 +++++------
+ src/virtualenv/util/lock.py         |  7 +++----
+ 2 files changed, 8 insertions(+), 10 deletions(-)
+
+diff --git a/src/virtualenv/app_data/__init__.py b/src/virtualenv/app_data/__init__.py
+index 148c941..301a00f 100644
+--- a/src/virtualenv/app_data/__init__.py
++++ b/src/virtualenv/app_data/__init__.py
+@@ -34,12 +34,11 @@ def make_app_data(folder, **kwargs):
+     if is_read_only:
+         return ReadOnlyAppData(folder)
+
+-    if not os.path.isdir(folder):
+-        try:
+-            os.makedirs(folder)
+-            logging.debug("created app data folder %s", folder)
+-        except OSError as exception:
+-            logging.info("could not create app data folder %s due to %r", folder, exception)
++    try:
++        os.makedirs(folder, exist_ok=True)
++        logging.debug("created app data folder %s", folder)
++    except OSError as exception:
++        logging.info("could not create app data folder %s due to %r", folder, exception)
+
+     if os.access(folder, os.W_OK):
+         return AppDataDiskFolder(folder)
+diff --git a/src/virtualenv/util/lock.py b/src/virtualenv/util/lock.py
+index c15b5f1..8f2e73a 100644
+--- a/src/virtualenv/util/lock.py
++++ b/src/virtualenv/util/lock.py
+@@ -15,9 +15,8 @@ from filelock import FileLock, Timeout
+ class _CountedFileLock(FileLock):
+     def __init__(self, lock_file) -> None:
+         parent = os.path.dirname(lock_file)
+-        if not os.path.isdir(parent):
+-            with suppress(OSError):
+-                os.makedirs(parent)
++        with suppress(OSError):
++            os.makedirs(parent, exist_ok=True)
+
+         super().__init__(lock_file)
+         self.count = 0
+@@ -112,7 +111,7 @@ class ReentrantFileLock(PathLockBase):
+         # a lock, but that lock might then become expensive, and it's not clear where that lock should live.
+         # Instead here we just ignore if we fail to create the directory.
+         with suppress(OSError):
+-            os.makedirs(str(self.path))
++            os.makedirs(str(self.path), exist_ok=True)
+
+         try:
+             lock.acquire(0.0001)
+-- 
+2.45.4
+
@@ -1,7 +1,7 @@
 Summary:        Virtual Python Environment builder
 Name:           python-virtualenv
 Version:        20.25.0
-Release:        3%{?dist}
+Release:        4%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -10,6 +10,7 @@ URL:            https://pypi.python.org/pypi/virtualenv
 Source0:        https://files.pythonhosted.org/packages/94/d7/adb787076e65dc99ef057e0118e25becf80dd05233ef4c86f07aa35f6492/virtualenv-20.25.0.tar.gz
 Patch0:         0001-replace-to-flit.patch
 Patch1:         CVE-2024-53899.patch
+Patch2:         CVE-2026-22702.patch
 BuildArch:      noarch
 
 %description
@@ -61,6 +62,9 @@ tox -e py
 %{_bindir}/virtualenv
 
 %changelog
+* Tue Jan 13 2026 Azure Linux Security Servicing Account <[email protected]> - 20.25.0-4
+- Patch for CVE-2026-22702
+
 * Wed Dec 11 2024 Sudipta Pandit <[email protected]> - 20.25.0-3
 - Backport fix for CVE-2024-53899