Source: attr
Version: 1:2.5.2-4
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 1:2.5.2-3
Control: found -1 1:2.5.1-4

Hi,

The following vulnerability was published for attr.

CVE-2026-54371[0]:
| attr before version 2.6.0 contains a symlink traversal vulnerability
| in the getfattr and setfattr utilities that allows local attackers
| to escalate privileges by replacing a pathname component with a
| symbolic link during directory hierarchy traversal. Attackers who
| control a pathname component can redirect getfattr and setfattr
| operations to arbitrary files by substituting a symlink, leading to
| local privilege escalation when getfattr or setfattr is invoked by a
| privileged process over an attacker-controlled path.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-54371
    https://www.cve.org/CVERecord?id=CVE-2026-54371
[1] https://www.openwall.com/lists/oss-security/2026/06/29/1

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
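
The CVE description above concerns a pathname component being replaced by a symlink while a hierarchy is walked. The following is an added example, not code from attr and not the upstream fix: one way a caller can pin each component with a file descriptor and `O_NOFOLLOW` before touching extended attributes. The function names `open_nofollow_path` and `getxattr_nofollow` are hypothetical, and the code assumes Linux with glibc.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/xattr.h>
#include <unistd.h>

/* Walk `path` beneath directory fd `root` one component at a time. Each
 * component is opened with O_NOFOLLOW relative to the fd already held, so a
 * symlink swapped in mid-walk fails the open instead of redirecting it. */
int open_nofollow_path(int root, const char *path)
{
    char *copy = strdup(path), *save = NULL;
    int dirfd = copy ? dup(root) : -1;
    if (dirfd < 0) { free(copy); return -1; }
    for (char *comp = strtok_r(copy, "/", &save); comp; ) {
        char *next = strtok_r(NULL, "/", &save);
        int fd = -1, err = EINVAL;            /* ".." is refused outright */
        if (strcmp(comp, "..") != 0) {
            fd = openat(dirfd, comp, O_RDONLY | O_NOFOLLOW | O_NONBLOCK |
                        O_CLOEXEC | (next ? O_DIRECTORY : 0));
            err = errno;
        }
        close(dirfd);
        if (fd < 0) { free(copy); errno = err; return -1; }
        dirfd = fd; comp = next;
    }
    free(copy);
    return dirfd;
}

/* Read one xattr of a regular file or directory through the pinned fd. */
ssize_t getxattr_nofollow(int root, const char *path, const char *name,
                          void *value, size_t size)
{
    struct stat st;
    ssize_t n = -1;
    int fd = open_nofollow_path(root, path);
    if (fd < 0) return -1;
    if (fstat(fd, &st) == 0) {
        if (S_ISREG(st.st_mode) || S_ISDIR(st.st_mode))
            n = fgetxattr(fd, name, value, size);
        else errno = EINVAL;
    }
    int err = errno; close(fd); errno = err;
    return n;
}
```

Because the attribute is read with `fgetxattr` on the descriptor returned by the walk, a later change to the pathname cannot alter which inode is inspected.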
