Source: acl
Version: 2.3.2-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 2.3.2-2
Control: found -1 2.3.1-3

Hi,

The following vulnerabilities were published for acl.

CVE-2026-54369[0]:
| acl before version 2.4.0 contains a symlink traversal vulnerability
| in the libacl pathname-based functions acl_get_file(),
| acl_set_file(), acl_extended_file(), and acl_delete_def_file() that
| allows local attackers to escalate privileges by replacing any
| pathname component with a symbolic link. Attackers who control any
| component of a pathname processed by a privileged caller can
| redirect ACL read or write operations to arbitrary files or
| directories, enabling unauthorized manipulation of access control
| lists and local privilege escalation.

CVE-2026-54370[1]:
| acl before version 2.4.0 contains a time-of-check to time-of-use
| (TOCTOU) race condition vulnerability that allows local attackers to
| escalate privileges by replacing a pathname component with a
| symbolic link between an lstat() check and subsequent
| symlink-following operations such as stat(), chown(), chmod(),
| acl_get_file(), and acl_set_file(). Attackers who control a pathname
| component can redirect file access control list operations to
| arbitrary files when getfacl, setfacl, or chacl is invoked by a
| privileged process over an attacker-controlled path, resulting in
| local privilege escalation.

If you fix the vulnerabilities, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-54369
    https://www.cve.org/CVERecord?id=CVE-2026-54369
[1] https://security-tracker.debian.org/tracker/CVE-2026-54370
    https://www.cve.org/CVERecord?id=CVE-2026-54370
[2] https://www.openwall.com/lists/oss-security/2026/06/29/1

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
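Both CVEs above come down to resolving a pathname more than once, once to check it and once to act on it, with a symlink-following call in between. As an added example (not code from this report or from the acl project), the C below walks a path one component at a time with openat(2) and O_NOFOLLOW and inspects each component through its descriptor, so the object that was checked is the object that gets used; the names `open_nofollow_at` and `run_demo` and the scratch tree under /tmp are this example's own constructions.

```c
/* Added example, not code from the bug report or the acl project: walk a path
 * one component at a time with openat(2)+O_NOFOLLOW and check each component
 * via its descriptor, so nothing can be swapped for a symlink between check and use. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Returns an O_PATH fd for the last component of `path` (relative to `dirfd` unless
 * absolute) or -1 with errno set; ELOOP means some component was a symlink. Use the
 * fd with fd-based calls (fstat(2); libacl has acl_get_fd()/acl_set_fd()), not the path. */
int open_nofollow_at(int dirfd, const char *path) {
    const int flags = O_PATH | O_NOFOLLOW | O_CLOEXEC;
    char *copy = strdup(path), *save = NULL;
    if (copy == NULL) return -1;
    int cur = (path[0] == '/') ? open("/", flags | O_DIRECTORY) : openat(dirfd, ".", flags | O_DIRECTORY);
    int err = errno;
    for (char *c = strtok_r(copy, "/", &save); cur >= 0 && c != NULL; c = strtok_r(NULL, "/", &save)) {
        struct stat st;
        int next = openat(cur, c, flags); /* with O_PATH, a symlink yields an fd to the link itself */
        err = errno; close(cur); cur = next;
        if (cur >= 0 && fstat(cur, &st) != 0) { err = errno; close(cur); cur = -1; }
        else if (cur >= 0 && S_ISLNK(st.st_mode)) { err = ELOOP; close(cur); cur = -1; } /* reject the link */
    }
    free(copy);
    if (cur < 0) errno = err;
    return cur;
}

/* Constructed scratch tree: <tmp>/sub/target is a regular file, <tmp>/alias -> sub stands in
 * for a middle component replaced by a symlink. Returns 0 if the first is accepted and the second rejected. */
int run_demo(void) {
    char dir[] = "/tmp/acl-nofollow-XXXXXX";
    if (mkdtemp(dir) == NULL) return 1;
    int root = open(dir, O_PATH | O_DIRECTORY | O_CLOEXEC), rc = 1;
    if (root >= 0 && mkdirat(root, "sub", 0700) == 0 && symlinkat("sub", root, "alias") == 0) {
        int f = openat(root, "sub/target", O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, 0600);
        if (f >= 0) {
            close(f);
            int good = open_nofollow_at(root, "sub/target");  /* real dir, real file: accepted */
            int bad = open_nofollow_at(root, "alias/target"); /* "alias" is a symlink: rejected */
            rc = (good >= 0 && bad < 0 && errno == ELOOP) ? 0 : 2;
            if (good >= 0) close(good); unlinkat(root, "sub/target", 0);
        }
        unlinkat(root, "alias", 0); unlinkat(root, "sub", AT_REMOVEDIR);
    }
    if (root >= 0) close(root); rmdir(dir);
    return rc;
}
```

A descriptor obtained this way stays bound to the checked object even if the directory entries are renamed or replaced afterwards, which is what the lstat()-then-operate sequence in the report cannot guarantee.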

