rebase to 2.6.0 to fix the following CVEs

- CVE-2026-54371 - Symlink Traversal Privilege Escalation via getfattr

Resolves: RHEL-186129
This commit is contained in:
Lukáš Zaoral 2026-07-13 14:56:39 +02:00
parent 4b5ba62b0b
commit cc2e000746
No known key found for this signature in database
GPG Key ID: 39157506DD67752D
4 changed files with 15 additions and 13 deletions

6
.gitignore vendored
View File

@ -1,3 +1,3 @@
/attr-2.[45].*.tar.gz
/attr-2.5.*.tar.xz
/attr-2.5.*.tar.xz.sig
/attr-2.*.*.tar.gz
/attr-2.*.*.tar.xz
/attr-2.*.*.tar.xz.sig

View File

@ -24,7 +24,7 @@ index dcbc12c..7361fbd 100644
+# regardless of the specified action.
system.nfs4_acl permissions
system.nfs4acl permissions
system.posix_acl_access permissions
--
2.20.1
@ -50,12 +50,11 @@ diff --git a/xattr.conf b/xattr.conf
index 7361fbd..1ac5b2f 100644
--- a/xattr.conf
+++ b/xattr.conf
@@ -11,8 +11,6 @@
@@ -11,7 +11,6 @@
# skip all extended attributes that are matched by any of the below patterns,
# regardless of the specified action.
-system.nfs4_acl permissions
-system.nfs4acl permissions
system.posix_acl_access permissions
system.posix_acl_default permissions
trusted.SGI_ACL_DEFAULT skip # xfs specific

View File

@ -1,13 +1,13 @@
Summary: Utilities for managing filesystem extended attributes
Name: attr
Version: 2.5.2
Release: 5%{?dist}
Version: 2.6.0
Release: 2%{?dist}
Source0: https://download.savannah.nongnu.org/releases/attr/attr-%{version}.tar.xz
Source1: https://download.savannah.nongnu.org/releases/attr/attr-%{version}.tar.xz.sig
# Retreived from https://savannah.nongnu.org/people/viewgpg.php?user_id=15000
# Source2: agruen-key.gpg
Source2: agruen-key.gpg
# Retrieved from https://savannah.nongnu.org/people/viewgpg.php?user_id=42032
Source2: vapier-key.gpg
# Source2: vapier-key.gpg
# xattr.conf: remove entries for NFSv4 ACLs namespaces (#1031423)
# https://lists.nongnu.org/archive/html/acl-devel/2019-03/msg00000.html
@ -77,7 +77,6 @@ sed -e 's|test/root/getfattr.test||' \
%build
%configure
%make_build -C po ka.gmo
%make_build
%check
@ -125,6 +124,10 @@ ln -fs ../sys/xattr.h $RPM_BUILD_ROOT%{_includedir}/attr/xattr.h
%config(noreplace) %{_sysconfdir}/xattr.conf
%changelog
* Mon Jul 13 2026 Lukáš Zaoral <lzaoral@redhat.com> - 2.6.0-2
- rebase to 2.6.0 to fix the following CVEs:
- CVE-2026-54371 - Symlink Traversal Privilege Escalation via getfattr
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 2.5.2-5
- Bump release for October 2024 mass rebuild:
Resolves: RHEL-64018

View File

@ -1,2 +1,2 @@
SHA512 (attr-2.5.2.tar.xz) = f587ea544effb7cfed63b3027bf14baba2c2dbe3a9b6c0c45fc559f7e8cb477b3e9a4a826eae30f929409468c50d11f3e7dc6d2500f41e1af8662a7e96a30ef3
SHA512 (attr-2.5.2.tar.xz.sig) = 36a816b8b8bcb392efb153f92a687688526195942011469dca48a317336f7be84cb607d74c5336e7b383a304151a81508606e7ac39731ea50b5f75b8e9102724
SHA512 (attr-2.6.0.tar.xz) = 870d0c34fbaa7520aad058ecd6509fe8eddd17430781a16d1e80484d4947307a7c641f0449183cbac1da611a85f82c9bee2d2d7bff76170fc2195b123100d22e
SHA512 (attr-2.6.0.tar.xz.sig) = 4db494f751a1c99d100593b7405e419275e5763cb9af335f3a26a098c7fd87710e36df9055148525c4072be77971f41552d7d9a8de09f01807270ea10d40b513