fix(python-virtualenv): CVE-2026-22702

[deepin-ci-robot]

CVE 修复

CVE ID: CVE-2026-22702

漏洞描述: virtualenv 20.36.1 之前版本存在 TOCTOU (Time-of-Check-Time-of-Use) 竞争条件漏洞。在目录创建过程中，由于检查目录是否存在和创建目录之间存在时间窗口，本地攻击者可通过符号链接攻击重定向 app_data 和锁目录的文件操作。

修复方案: 使用 os.makedirs(path, exist_ok=True) 替代先检查再创建的模式，消除 TOCTOU 竞争条件。

受影响版本: < 20.36.1

当前版本: 20.25.1+ds-1

验证状态: ✅ 已通过 quilt 验证

---

Upstream PR: pypa/virtualenv#3013
Upstream Release: https://github.com/pypa/virtualenv/releases/tag/20.36.1

Generated by: CVE-Fixer Agent
Co-Authored-By: hudeng hudeng@deepin.org

[deepin-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign xzl01 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• https:/raw.githubusercontent.com/deepin-community/template-repository/master/debian/deepin/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[github-actions]

TAG Bot

TAG: 20.25.1+ds-1deepin1
EXISTED: no
DISTRIBUTION: unstable