Source: acl
Version: 2.3.2-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 2.3.2-2
Control: found -1 2.3.1-3

Hi,

The following vulnerabilities were published for acl.

CVE-2026-54369[0]:
| acl before version 2.4.0 contains a symlink traversal vulnerability
| in the libacl pathname-based functions acl_get_file(),
| acl_set_file(), acl_extended_file(), and acl_delete_def_file() that
| allows local attackers to escalate privileges by replacing any
| pathname component with a symbolic link. Attackers who control any
| component of a pathname processed by a privileged caller can
| redirect ACL read or write operations to arbitrary files or
| directories, enabling unauthorized manipulation of access control
| lists and local privilege escalation.


CVE-2026-54370[1]:
| acl before version 2.4.0 contains a time-of-check to time-of-use
| (TOCTOU) race condition vulnerability that allows local attackers to
| escalate privileges by replacing a pathname component with a
| symbolic link between an lstat() check and subsequent symlink-
| following operations such as stat(), chown(), chmod(),
| acl_get_file(), and acl_set_file(). Attackers who control a pathname
| component can redirect file access control list operations to
| arbitrary files when getfacl, setfacl, or chacl is invoked by a
| privileged process over an attacker-controlled path, resulting in
| local privilege escalation.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-54369
    https://www.cve.org/CVERecord?id=CVE-2026-54369
[1] https://security-tracker.debian.org/tracker/CVE-2026-54370
    https://www.cve.org/CVERecord?id=CVE-2026-54370
[2] https://www.openwall.com/lists/oss-security/2026/06/29/1

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
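
The two CVE descriptions above describe one pattern: a privileged caller does an lstat() check on a pathname and then issues a symlink-following operation on that same pathname, so anyone who controls a component of the name can swap a symlink in between the two steps. The following C program is an added illustration and is not part of this bug report or of the acl package. It uses chmod(), which the CVE-2026-54370 text lists alongside acl_set_file(), so that it builds without libacl; the helper names (chmod_lstat_then_path, open_nosymlinks, chmod_via_fd) and the scratch tree it builds are constructed for the example. The hardened variant opens every path component with O_NOFOLLOW and operates on the descriptor; libacl offers acl_get_fd()/acl_set_fd() for the same descriptor-based approach, though the report does not say how upstream 2.4.0 fixed its code.

```c
/* Added example: lstat()-then-use race vs. descriptor-based hardening.
 * Plain POSIX; all names and the scratch tree are constructed for the demo. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Simulated attacker: runs inside the check/use window. */
struct swap_args { char work[PATH_MAX]; char target[NAME_MAX + 1]; };

static void swap_in_symlink(void *p)
{
    struct swap_args *a = p;
    char staging[PATH_MAX];
    snprintf(staging, sizeof staging, "%s.lnk", a->work);
    symlink(a->target, staging);   /* target is relative to work's directory */
    rename(staging, a->work);      /* atomic: 'work' now resolves to target */
}

/* VULNERABLE shape: lstat() says "not a symlink", then the symlink-following
 * chmod() is issued on the same pathname.  Nothing ties the two together. */
static int chmod_lstat_then_path(const char *path, mode_t mode,
                                 void (*race)(void *), void *arg)
{
    struct stat st;
    if (lstat(path, &st) < 0)
        return -1;
    if (S_ISLNK(st.st_mode)) { errno = ELOOP; return -1; }   /* check */
    if (race) race(arg);                                    /* window */
    return chmod(path, mode);                               /* use */
}

/* HARDENED shape: open each component with O_NOFOLLOW relative to the previous
 * directory descriptor, so a symlink swapped into ANY component yields ELOOP
 * instead of a redirect.  (Linux 5.6+ can do this walk with openat2() and
 * RESOLVE_NO_SYMLINKS; a libacl caller would then use acl_get_fd()/acl_set_fd()
 * on the returned descriptor instead of the pathname-based *_file() calls.) */
static int open_nosymlinks(const char *path, int last_flags)
{
    char buf[PATH_MAX];
    if (strlen(path) >= sizeof buf) { errno = ENAMETOOLONG; return -1; }
    strcpy(buf, path);
    int dirfd = open(path[0] == '/' ? "/" : ".", O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (dirfd < 0)
        return -1;
    char *save = NULL;
    for (char *comp = strtok_r(buf, "/", &save); comp; comp = strtok_r(NULL, "/", &save)) {
        /* peek: is there another component after this one? */
        int is_last = (save == NULL || strspn(save, "/") == strlen(save));
        int flags = O_NOFOLLOW | O_CLOEXEC | (is_last ? last_flags : (O_RDONLY | O_DIRECTORY));
        int fd = openat(dirfd, comp, flags);
        int saved = errno;
        close(dirfd);
        if (fd < 0) { errno = saved; return -1; }
        dirfd = fd;
    }
    return dirfd;
}

static int chmod_via_fd(const char *path, mode_t mode, void (*race)(void *), void *arg)
{
    if (race) race(arg);    /* attacker swaps before we even open: worst case */
    int fd = open_nosymlinks(path, O_RDONLY | O_NONBLOCK);
    if (fd < 0)
        return -1;          /* ELOOP: refused rather than redirected */
    int rc = fchmod(fd, mode);
    int saved = errno;
    close(fd);
    errno = saved;
    return rc;
}

/* Constructed scratch tree: 'victim' is a 0600 file that must not change;
 * 'work' is the attacker-controlled name a privileged caller is asked to
 * operate on.  Results are cached so the accessors below can be checked. */
static struct { int ran, vuln_rc, hard_rc, hard_errno; unsigned vuln_victim, hard_victim; } R;

static unsigned perm_bits(const char *path)
{
    struct stat st;
    return lstat(path, &st) == 0 ? (unsigned)(st.st_mode & 07777) : 0;
}

static int create_0600(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    close(fd);
    return 0;
}

static int run_demo(void)
{
    if (R.ran) return 0;
    char dir[PATH_MAX] = "acl-toctou-XXXXXX";      /* relative: /tmp may itself be a symlink */
    if (!mkdtemp(dir)) {
        strcpy(dir, "/tmp/acl-toctou-XXXXXX");
        if (!mkdtemp(dir)) return -1;
    }
    struct swap_args a;
    char victim[PATH_MAX];
    snprintf(a.work, sizeof a.work, "%s/work", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    strcpy(a.target, "victim");
    if (create_0600(victim) < 0 || create_0600(a.work) < 0) return -1;

    R.vuln_rc = chmod_lstat_then_path(a.work, 0666, swap_in_symlink, &a);
    R.vuln_victim = perm_bits(victim);           /* 0666: victim was modified */

    chmod(victim, 0600); unlink(a.work);         /* reset for the second run */
    if (create_0600(a.work) < 0) return -1;
    errno = 0;
    R.hard_rc = chmod_via_fd(a.work, 0666, swap_in_symlink, &a);
    R.hard_errno = errno;
    R.hard_victim = perm_bits(victim);           /* still 0600 */

    unlink(a.work); unlink(victim); rmdir(dir);
    R.ran = 1;
    return 0;
}

unsigned demo_vulnerable_victim_mode(void) { return run_demo() == 0 ? R.vuln_victim : 0; }
unsigned demo_hardened_victim_mode(void)   { return run_demo() == 0 ? R.hard_victim : 0; }
int      demo_hardened_errno(void)         { return run_demo() == 0 ? R.hard_errno : 0; }

int main(void)
{
    if (run_demo() < 0) { perror("demo"); return 1; }
    printf("lstat+chmod(path): rc=%d, victim mode %04o\n", R.vuln_rc, R.vuln_victim);
    printf("O_NOFOLLOW+fchmod: rc=%d (%s), victim mode %04o\n",
           R.hard_rc, strerror(R.hard_errno), R.hard_victim);
    return 0;
}
```

The first run shows the race winning: the check passes on a regular file, the attacker renames a symlink over it, and chmod() follows the link and changes the victim's mode. The second run swaps the symlink in before the hardened code even opens the path and still gets ELOOP with the victim untouched, because no step ever follows a symlink. Note that O_NOFOLLOW on a single open() only protects the last component; the per-component walk (or openat2() with RESOLVE_NO_SYMLINKS) is what covers the "any pathname component" case in CVE-2026-54369.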
