#1141107 attr: CVE-2026-54371

Package:
src:attr
Source:
src:attr
Submitter:
Salvatore Bonaccorso
Date:
2026-06-29 21:59:04 UTC
Severity:
normal
Tags:
#1141107#5
Date:
2026-06-29 19:37:01 UTC
From:
To:
Hi,

The following vulnerability was published for attr.

CVE-2026-54371[0]:
| attr before version 2.6.0 contains a symlink traversal vulnerability
| in the getfattr and setfattr utilities that allows local attackers
| to escalate privileges by replacing a pathname component with a
| symbolic link during directory hierarchy traversal. Attackers who
| control a pathname component can redirect getfattr and setfattr
| operations to arbitrary files by substituting a symlink, leading to
| local privilege escalation when getfattr or setfattr is invoked by a
| privileged process over an attacker-controlled path.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-54371
https://www.cve.org/CVERecord?id=CVE-2026-54371
[1] https://www.openwall.com/lists/oss-security/2026/06/29/1

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
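
The flaw described in the advisory above, shown from the defensive side with an added example (my code, not attr's code or its 2.6.0 fix): each pathname component is opened relative to the previous directory descriptor with O_NOFOLLOW, so a component that is replaced by a symbolic link during the walk fails with ELOOP instead of redirecting the operation to another file. It assumes Linux and a writable /tmp for the constructed fixture; `open_nofollow` and `demo` are names I chose.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Walk relpath from dirfd one component at a time with O_NOFOLLOW at every step,
 * so a directory swapped for a symlink mid-walk fails with ELOOP instead of
 * redirecting the operation; fgetxattr()/fsetxattr() then act on the returned fd. */
int open_nofollow(int dirfd, const char *relpath) {
    int cur = dup(dirfd);                         /* caller keeps its own fd */
    char name[NAME_MAX + 1]; struct stat st;
    for (const char *p = relpath; cur >= 0; p += strcspn(p, "/")) {
        size_t n = strcspn(p += strspn(p, "/"), "/");   /* skip runs of '/' */
        if (n == 0) break;                        /* no components left */
        int next = -1, more = p[n] != '\0';       /* more: not the leaf */
        if (n > NAME_MAX) errno = ENAMETOOLONG;
        else {
            memcpy(name, p, n), name[n] = '\0';
            /* O_NONBLOCK so a FIFO placed in the path cannot stall the open */
            next = openat(cur, name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
            if (next >= 0 && more && (fstat(next, &st) != 0 || !S_ISDIR(st.st_mode))) {
                close(next), next = -1, errno = ENOTDIR;  /* cannot descend */
            }
        }
        int saved = errno; close(cur);            /* close() must not clobber errno */
        errno = saved; cur = next;
    }
    return cur;
}
/* Constructed fixture (not from the bug report): <tmp>/real/target is a file
 * and <tmp>/link -> real. Returns 1 if real/target opens and link/target gets ELOOP. */
int demo(void) {
    char tmpl[] = "/tmp/nofollow.XXXXXX";
    int base = mkdtemp(tmpl) ? open(tmpl, O_RDONLY | O_DIRECTORY) : -1, ok = 0;
    if (base >= 0 && mkdirat(base, "real", 0700) == 0 &&
        symlinkat("real", base, "link") == 0 &&
        close(openat(base, "real/target", O_WRONLY | O_CREAT, 0600)) == 0) {
        int good = open_nofollow(base, "real/target");
        int bad = open_nofollow(base, "link/target");
        ok = good >= 0 && bad < 0 && errno == ELOOP; if (good >= 0) close(good);
        unlinkat(base, "real/target", 0); unlinkat(base, "link", 0);
        unlinkat(base, "real", AT_REMOVEDIR);
    }
    if (base >= 0) close(base);
    rmdir(tmpl); return ok;
}
```

The same walk applied to a hierarchy enumerated with openat()/fdopendir() keeps a privileged getfattr- or setfattr-style tool on the directory it actually opened, whatever an unprivileged user does to the path in the meantime.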

#1141107#12
Date:
2026-06-29 21:43:48 UTC
From:
To:
Hi!

Bug #1141107 that you reported in package attr has been fixed
in the debian/pkgs/attr.git git repository. You can see the changelog below,
and you can check the diff of the fix at:

https://git.hadrons.org/cgit/debian/pkgs/attr.git/diff/?id=51f5040

    New upstream release attr 2.6.0

    - Refresh local patches.
    - Remove upstream patches included in this release.
    - Update upstream OpenPGP signing certificates.
    - Fix symlink traversal vulnerability [CVE-2026-54371].

    This version is known to be non-portable to non-Linux systems. This will
    be worked on in subsequent revisions.

    Closes: #1141107

diff --git a/debian/changelog b/debian/changelog
index 23287a8..a31167f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,10 @@
-attr (1:2.5.2-5) UNRELEASED; urgency=medium
+attr (1:2.6.0-1) UNRELEASED; urgency=medium

+  * New upstream release.
+    - Refresh local patches.
+    - Remove upstream patches included in this release.
+    - Update upstream OpenPGP signing certificates.
+    - Fix symlink traversal vulnerability [CVE-2026-54371]. Closes: #1141107
   * Remove build dependency on debhelper (>= 13.10) implied by
     debhelper-compat (= 13) since Debian bookworm.
   * Remove build dependencies on automake, autoconf and libtool implied
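Review bot: the new "Fix symlink traversal vulnerability [CVE-2026-54371]. Closes: #1141107" item carries the CVE id as the report asked, but as a sub-item of "New upstream release" it does not identify the upstream change; adding the upstream commit or release note reference would let the stable and security teams locate the fix for a backport without reading the whole 2.5.2 to 2.6.0 diff. The header also stays UNRELEASED here, so the distribution must still be switched before upload.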
@@ -7,7 +12,6 @@ attr (1:2.5.2-5) UNRELEASED; urgency=medium
   * Switch to Standards-Version 4.7.4 (no changes needed).
   * Refactor common synopsis into a source stanza Description field.
   * Improve and clarify package descriptions.
-  * Update upstream OpenPGP signing certificates.
   * Switch debian/watch URL to use the one not affected by mirroring,
     as that has delays of up to a day.
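Review bot: dropping "Update upstream OpenPGP signing certificates." from the 1:2.5.2-5 block is consistent with the first hunk, which lists it again under the 2.6.0 entry; since that block was UNRELEASED and the first hunk bumps its header to 1:2.6.0-1, its remaining items are now released under the new version with no duplicate entry left.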

#1141107#19
Date:
2026-06-29 21:58:08 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
attr, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1141107@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guillem Jover <guillem@debian.org> (supplier of updated attr package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Mon, 29 Jun 2026 23:34:26 +0200
Source: attr
Architecture: source
Version: 1:2.6.0-1
Distribution: unstable
Urgency: medium
Maintainer: Guillem Jover <guillem@debian.org>
Changed-By: Guillem Jover <guillem@debian.org>
Closes: 1141107
Changes:
 attr (1:2.6.0-1) unstable; urgency=medium
 .
   * New upstream release.
     - Refresh local patches.
     - Remove upstream patches included in this release.
     - Update upstream OpenPGP signing certificates.
     - Fix symlink traversal vulnerability [CVE-2026-54371]. Closes: #1141107
   * Remove build dependency on debhelper (>= 13.10) implied by
     debhelper-compat (= 13) since Debian bookworm.
   * Remove build dependencies on automake, autoconf and libtool implied
     by debhelper-compat (>= 10) since Debian stretch.
   * Switch to Standards-Version 4.7.4 (no changes needed).
   * Refactor common synopsis into a source stanza Description field.
   * Improve and clarify package descriptions.
   * Switch debian/watch URL to use the one not affected by mirroring,
     as that has delays of up to a day.