diff --git a/0004-acl-2.3.1-libobj-declare-s_str-directly-in-string_obj_tag.patch b/0004-acl-2.3.1-libobj-declare-s_str-directly-in-string_obj_tag.patch
new file mode 100644
index 0000000..74bc52e
--- /dev/null
+++ b/0004-acl-2.3.1-libobj-declare-s_str-directly-in-string_obj_tag.patch
@@ -0,0 +1,81 @@ +From 6f9b9246ee91eaf09c3774ff95950624ef818476 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Zaoral?= +Date: Tue, 31 Oct 2023 10:02:52 +0100 +Subject: libobj: declare s_str directly in string_obj_tag + +... to make libacl compatible with -D_FORTIFY_SOURCE=3. Otherwise, any call +to __acl_to_any_text would terminate the given process because the +fortification has a limited support for zero-length arrays nested in structs, +as noted in the linked GCC Bugzilla. GCC devs suggested that this should be +fixed in libacl rather than in GCC itself. + +Related: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104964#c15 +Resolves: https://savannah.nongnu.org/bugs/index.php?62519 +--- + libacl/__acl_to_any_text.c | 10 +++++----- + libacl/libobj.h | 7 +------ + 2 files changed, 6 insertions(+), 11 deletions(-) + +diff --git a/libacl/__acl_to_any_text.c b/libacl/__acl_to_any_text.c +index f2b8088..bfad12d 100644 +--- a/libacl/__acl_to_any_text.c ++++ b/libacl/__acl_to_any_text.c +@@ -64,7 +64,7 @@ __acl_to_any_text(acl_t acl, ssize_t *len_p, const char *prefix, + FOREACH_ACL_ENTRY(entry_obj_p, acl_obj_p) { + repeat: + entry_len = acl_entry_to_any_str(int2ext(entry_obj_p), +- string_obj_p->sstr + len, ++ string_obj_p->s_str + len, + size-len, + int2ext(mask_obj_p), + prefix, +@@ -81,20 +81,20 @@ __acl_to_any_text(acl_t acl, ssize_t *len_p, const char *prefix, + goto repeat; + } else + len += entry_len; +- string_obj_p->sstr[len] = separator; ++ string_obj_p->s_str[len] = separator; + len++; + } + if (len) + len--; + if (len && suffix) { +- strcpy(string_obj_p->sstr + len, suffix); ++ strcpy(string_obj_p->s_str + len, suffix); + len += suffix_len; + } else +- string_obj_p->sstr[len] = '\0'; ++ string_obj_p->s_str[len] = '\0'; + + if (len_p) + *len_p = len; +- return (char *)int2ext(string_obj_p); ++ return string_obj_p ? 
string_obj_p->s_str : NULL; + + fail: + free_obj_p(string_obj_p); +diff --git a/libacl/libobj.h b/libacl/libobj.h +index c41d5f9..84929cf 100644 +--- a/libacl/libobj.h ++++ b/libacl/libobj.h +@@ -76,16 +76,11 @@ struct string_obj_tag; + typedef struct string_obj_tag string_obj; + + /* string object */ +-struct __string_ext { +- char s_str[0]; +-}; + struct string_obj_tag { + obj_prefix o_prefix; +- struct __string_ext i; ++ char s_str[0]; + }; + +-#define sstr i.s_str +- + /* object creation, destruction, conversion and validation */ + void *__new_var_obj_p(int magic, size_t size) hidden; + void __new_obj_p_here(int magic, void *here) hidden; +-- +cgit v1.1 + diff --git a/acl.spec b/acl.spec index 9928575..0a9b6e4 100644 --- a/acl.spec +++ b/acl.spec @@ -1,10 +1,7 @@ -# https://savannah.nongnu.org/bugs/index.php?62519 -%define _fortify_level 2 - Summary: Access control list utilities Name: acl Version: 2.3.1 -Release: 10%{?dist} +Release: 11%{?dist} BuildRequires: gawk BuildRequires: gcc BuildRequires: gettext @@ -29,6 +26,10 @@ Patch2: 0002-add-georgian.patch # https://git.savannah.nongnu.org/cgit/acl.git/commit/?id=7ce89c695e76ec41fcebd83f8b728f63b0361a2d Patch3: 0003-acl-2.3.1-setfacl-preserve-failed-status.patch +# make acl compatible with -D_FORTIFY_SOURCE=3 (rhbz#2249839) +# https://git.savannah.nongnu.org/cgit/acl.git/commit/?id=6f9b9246ee91eaf09c3774ff95950624ef818476 +Patch4: 0004-acl-2.3.1-libobj-declare-s_str-directly-in-string_obj_tag.patch + License: GPL-2.0-or-later AND LGPL-2.1-or-later URL: https://savannah.nongnu.org/projects/acl @@ -137,6 +138,9 @@ rm -rf $RPM_BUILD_ROOT%{_docdir}/%{name}* %{_libdir}/libacl.so.* %changelog +* Fri Dec 01 2023 Lukáš Zaoral - 2.3.1-11 +- make acl compatible with -D_FORTIFY_SOURCE=3 (rhbz#2249839) + * Fri Oct 06 2023 Lukáš Zaoral - 2.3.1-10 - preserve failed setfacl return code (RHEL-3909) - make the license tag more precise
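Review bot: In the libacl/libobj.h hunk of the added patch, `s_str` is still declared as a GNU zero-length array, `char s_str[0];`. The C99 flexible array member `char s_str[];` is the standard spelling for a trailing variable-length buffer, and it should stay recognised as one even in builds that enable `-fstrict-flex-arrays=3`, where `[0]` is likely not to be. Separately, in `__acl_to_any_text` the new `return string_obj_p ? string_obj_p->s_str : NULL;` tests a pointer that the preceding lines already dereference (`string_obj_p->s_str[len] = '\0';`), so `return string_obj_p->s_str;` would state the same thing more plainly. The function body starts and ends outside the hunk, so it cannot be confirmed from here that `size` always leaves room for the `strcpy` of `suffix`; a one-line comment at that call stating the invariant would help the next reader, since fortification now aborts the process if it is ever violated.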