Hi,

The following vulnerabilities were published for acl.

CVE-2026-54369[0]:
| acl before version 2.4.0 contains a symlink traversal vulnerability
| in the libacl pathname-based functions acl_get_file(),
| acl_set_file(), acl_extended_file(), and acl_delete_def_file() that
| allows local attackers to escalate privileges by replacing any
| pathname component with a symbolic link. Attackers who control any
| component of a pathname processed by a privileged caller can
| redirect ACL read or write operations to arbitrary files or
| directories, enabling unauthorized manipulation of access control
| lists and local privilege escalation.

CVE-2026-54370[1]:
| acl before version 2.4.0 contains a time-of-check to time-of-use
| (TOCTOU) race condition vulnerability that allows local attackers to
| escalate privileges by replacing a pathname component with a
| symbolic link between an lstat() check and subsequent symlink-
| following operations such as stat(), chown(), chmod(),
| acl_get_file(), and acl_set_file(). Attackers who control a pathname
| component can redirect file access control list operations to
| arbitrary files when getfacl, setfacl, or chacl is invoked by a
| privileged process over an attacker-controlled path, resulting in
| local privilege escalation.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-54369
    https://www.cve.org/CVERecord?id=CVE-2026-54369
[1] https://security-tracker.debian.org/tracker/CVE-2026-54370
    https://www.cve.org/CVERecord?id=CVE-2026-54370
[2] https://www.openwall.com/lists/oss-security/2026/06/29/1

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
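The two advisories above describe one root cause from two angles: a check done with lstat() on a pathname, followed by a separate path-based call (chmod(), chown(), acl_set_file(), ...) that resolves the pathname again and follows any symlink it now finds, including a link in a parent directory that lstat() never inspected. The following is an added illustration, not code from acl or from the Debian package, and it assumes Linux (openat(2) with O_PATH and O_NOFOLLOW). It uses chmod()/fchmod() as a stand-in for the path-based ACL calls, since libacl is not needed to show the pattern; the fd-based libacl equivalents, acl_get_fd() and acl_set_fd(), fit the same shape as fchmod() here. The racy variant is kept beside the race-free one, and run_demo() builds a constructed fixture under /tmp to show where each one fails.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy pattern, the shape CVE-2026-54370 describes: lstat() the path, reject a
 * symlink, then call a path-based syscall that resolves the path again and
 * follows symlinks.  Nothing pins the object between the two calls, and
 * lstat() only examines the final component, so a linked parent directory
 * (the CVE-2026-54369 case) is never noticed at all. */
int racy_chmod_no_symlink(const char *path, mode_t mode)
{
    struct stat st;
    if (lstat(path, &st) < 0)
        return -1;
    if (S_ISLNK(st.st_mode)) {
        errno = ELOOP;
        return -1;
    }
    /* TOCTOU window: any component may be swapped for a link right here. */
    return chmod(path, mode);
}

/* Race-free walk: open the path one component at a time with openat(2) and
 * O_NOFOLLOW, keeping a directory fd for every step, so a symlink anywhere in
 * the path makes the open fail instead of being followed.  The final component
 * is opened with final_flags | O_NOFOLLOW and the resulting fd is returned. */
int open_nofollow_each_component(const char *path, int final_flags)
{
    char *copy = strdup(path);
    if (copy == NULL)
        return -1;
    int dirfd = open(path[0] == '/' ? "/" : ".", O_PATH | O_DIRECTORY | O_CLOEXEC);
    if (dirfd < 0) {
        free(copy);
        return -1;
    }
    char *save = NULL;
    char *comp = strtok_r(copy, "/", &save);
    if (comp == NULL) {                 /* "/" itself, or an empty string */
        free(copy);
        if (path[0] == '/')
            return dirfd;
        close(dirfd);
        errno = ENOENT;
        return -1;
    }
    while (comp != NULL) {
        char *next = strtok_r(NULL, "/", &save);
        int flags = next != NULL ? O_PATH | O_DIRECTORY : final_flags;
        int fd = openat(dirfd, comp, flags | O_NOFOLLOW | O_CLOEXEC);
        int saved = errno;
        close(dirfd);
        if (fd < 0) {
            free(copy);
            errno = saved;              /* ELOOP when the component is a symlink */
            return -1;
        }
        struct stat st;                 /* never accept a link fd, whatever open did */
        if (fstat(fd, &st) < 0 || S_ISLNK(st.st_mode)) {
            close(fd);
            free(copy);
            errno = ELOOP;
            return -1;
        }
        dirfd = fd;
        comp = next;
    }
    free(copy);
    return dirfd;
}

/* Operate on the pinned inode through its fd, so the check and the action
 * refer to the same object.  acl_set_fd() would take the fd the same way. */
int safe_chmod_no_symlink(const char *path, mode_t mode)
{
    int fd = open_nofollow_each_component(path, O_RDONLY | O_NONBLOCK);
    if (fd < 0)
        return -1;
    int rc = fchmod(fd, mode);
    int saved = errno;
    close(fd);
    errno = saved;
    return rc;
}

static int mode_of(const char *path)
{
    struct stat st;
    return stat(path, &st) < 0 ? -1 : (int)(st.st_mode & 07777);
}

/* Constructed fixture: <dir>/real/target, <dir>/linkdir -> real and
 * <dir>/linkfile -> real/target.  Returns 0 when every expectation holds,
 * otherwise the number of the step that failed. */
int run_demo(void)
{
    char dir[] = "/tmp/acl-demo-XXXXXX";
    if (mkdtemp(dir) == NULL)
        return 1;
    char real[256], target[256], linkdir[256], linkfile[256], via_linkdir[256];
    snprintf(real, sizeof real, "%s/real", dir);
    snprintf(target, sizeof target, "%s/real/target", dir);
    snprintf(linkdir, sizeof linkdir, "%s/linkdir", dir);
    snprintf(linkfile, sizeof linkfile, "%s/linkfile", dir);
    snprintf(via_linkdir, sizeof via_linkdir, "%s/linkdir/target", dir);
    mkdir(real, 0755);
    close(open(target, O_WRONLY | O_CREAT, 0644));
    symlink("real", linkdir);
    symlink("real/target", linkfile);

    int rc = 0;
    /* 1: plain path, the race-free variant works and the mode changes. */
    if (safe_chmod_no_symlink(target, 0600) != 0 || mode_of(target) != 0600)
        rc = 1;
    /* 2: final component is a link: lstat() catches it, so does the walker. */
    else if (racy_chmod_no_symlink(linkfile, 0640) == 0 ||
             safe_chmod_no_symlink(linkfile, 0640) == 0)
        rc = 2;
    /* 3: link in a parent component: lstat() is blind and chmod() follows it. */
    else if (racy_chmod_no_symlink(via_linkdir, 0640) != 0 || mode_of(target) != 0640)
        rc = 3;
    /* 4: the walker refuses the same path and the target stays untouched. */
    else if (safe_chmod_no_symlink(via_linkdir, 0666) == 0 || mode_of(target) != 0640)
        rc = 4;

    unlink(linkfile); unlink(linkdir); unlink(target); rmdir(real); rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = run_demo();
    printf("demo %s (step %d)\n", rc == 0 ? "ok" : "failed", rc);
    return rc;
}
```

Step 3 is the one worth dwelling on: the lstat() guard passes because the last component really is a regular file, yet chmod() lands on the target through the linked directory. An fd-based flow has no second resolution to redirect, which is why fixes for this class move from pathname calls to openat()/f*() calls rather than adding more checks in front of the pathname call.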
Hi!

Bug #1141110 that you reported in package acl has been fixed in the
debian/pkgs/acl.git git repository.

You can see the changelog below, and you can check the diff of the fix at:

https://git.hadrons.org/cgit/debian/pkgs/acl.git/diff/?id=4175d71

New upstream release acl 2.4.0

- Refresh local patches.
- Remove upstream patches included in this release.
- Update symbols file for new upstream release.
- Fix symlink traversal vulnerability [CVE-2026-54369].
- Fix time-of-check to time-of-use (TOCTOU) race condition vulnerability
  [CVE-2026-54370].

This version is known to be non-portable to non-Linux systems. This will
be worked on in subsequent revisions.

Closes: #1141110

diff --git a/debian/changelog b/debian/changelog index 65468ad..664b54c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,12 +1,20 @@ -acl (2.3.2-4) UNRELEASED; urgency=medium +acl (2.4.0-1) UNRELEASED; urgency=medium + * New upstream release. + - Refresh local patches. + - Remove upstream patches included in this release. + - Update upstream OpenPGP signing certificates. + - Update symbols file for new upstream release. + - Fix symlink traversal vulnerability [CVE-2026-54369]. + - Fix time-of-check to time-of-use (TOCTOU) race condition vulnerability + [CVE-2026-54370]. + Closes: #1141110 * Remove build dependency on debhelper (>= 13.10) implied by debhelper-compat (= 13) since Debian bookworm. * Remove build dependencies on automake, autoconf and libtool implied by debhelper-compat (>= 10) since Debian stretch. * Switch to Standards-Version 4.7.4 (no changes needed). * Refactor common synopsis into a source stanza Description field. - * Update upstream OpenPGP signing certificates. * Switch debian/watch URL to use the one not affected by mirroring, as that has delays of up to a day.
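Review bot: the changelog hunk records the two CVE fixes and the Closes line as requested, but it leaves out the regression the commit message itself states ("This version is known to be non-portable to non-Linux systems"); since debian/changelog is what downstream users and porters read, not the git log, consider adding a line under the "New upstream release." item such as `+ - Known not to build on non-Linux systems yet; to be addressed in a` / `+ later revision.` so the hurd and kfreebsd ports are not surprised by a build failure with no written explanation. Moving "Update upstream OpenPGP signing certificates." from the old 2.3.2-4 list into the sub-list of the new upstream release is consistent with the rest of the hunk.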
We believe that the bug you reported is fixed in the latest version of
acl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1141110@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Guillem Jover <guillem@debian.org> (supplier of updated acl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Mon, 29 Jun 2026 23:53:15 +0200
Source: acl
Architecture: source
Version: 2.4.0-1
Distribution: unstable
Urgency: medium
Maintainer: Guillem Jover <guillem@debian.org>
Changed-By: Guillem Jover <guillem@debian.org>
Closes: 1141110
Changes:
acl (2.4.0-1) unstable; urgency=medium
.
* New upstream release.
- Refresh local patches.
- Remove upstream patches included in this release.
- Update upstream OpenPGP signing certificates.
- Update symbols file for new upstream release.
- Fix symlink traversal vulnerability [CVE-2026-54369].
- Fix time-of-check to time-of-use (TOCTOU) race condition vulnerability
[CVE-2026-54370].
Closes: #1141110
* Remove build dependency on debhelper (>= 13.10) implied by
debhelper-compat (= 13) since Debian bookworm.
* Remove build dependencies on automake, autoconf and libtool implied
by debhelper-compat (>= 10) since Debian stretch.
* Switch to Standards-Version 4.7.4 (no changes needed).
* Refactor common synopsis into a source stanza Description field.
* Switch debian/watch URL to use the one not affected by mirroring,
as that has delays of up to a day.
Checksums-Sha1:
1f33524e3b5a3204d856b50dfea0c5259f8f5d7e 2624 acl_2.4.0-1.dsc
194272659d2cfad5180a4cf7eb9a4b3c28a6afe9 384828 acl_2.4.0.orig.tar.xz
fef7b419cb2145cd7a38444e3a1d2af707547441 833 acl_2.4.0.orig.tar.xz.asc
aefd347db668ae1231688034d1d5179d2a056d19 47932 acl_2.4.0-1.debian.tar.xz
e8efae03b63549bcdb8d5829c837b19eb7ed008a 7194 acl_2.4.0-1_amd64.buildinfo
Checksums-Sha256:
b987ebbeb3d498794bad29cd65301b77384978493d8765c94dba8bad8fa325b6 2624 acl_2.4.0-1.dsc
e661131456d2708a01c614a0f400e11d7d1bfaeb6f3e74b75bb980b72f0161a3 384828 acl_2.4.0.orig.tar.xz
5f4f0b9b78821764fe6b88e32aef6ec519628522c211c36706bcb78d6f3f036b 833 acl_2.4.0.orig.tar.xz.asc
65931c2fb3e821bda67f8d8d72d77e99ac61502748dcdf38b6805fe89339085e 47932 acl_2.4.0-1.debian.tar.xz
79d9fed2c06c422f5ac6d8196aaf41a6651ee12036d26de0fd1a20194f79067d 7194 acl_2.4.0-1_amd64.buildinfo
Files:
ca4b57f6628d7988b8136afbda546f9c 2624 utils optional acl_2.4.0-1.dsc
e289f370161698a96f50b2a3fdadf411 384828 utils optional acl_2.4.0.orig.tar.xz
4960e8d2777b7fda213c732481fb2bbe 833 utils optional acl_2.4.0.orig.tar.xz.asc
f612f0d0529429b83ad8ce48f2a774ab 47932 utils optional acl_2.4.0-1.debian.tar.xz
927da5e6be863de0b51d5c7357bfbd87 7194 utils optional acl_2.4.0-1_amd64.buildinfo