From cc2e0007466abfc552cd1ef9152fe4cea26717b9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Zaoral?= Date: Mon, 13 Jul 2026 14:56:39 +0200 Subject: [PATCH] rebase to 2.6.0 to fix the following CVEs - CVE-2026-54371 - Symlink Traversal Privilege Escalation via getfattr Resolves: RHEL-186129 --- .gitignore | 6 +++--- 0003-attr-2.4.48-xattr-conf-nfs4-acls.patch | 5 ++--- attr.spec | 13 ++++++++----- sources | 4 ++-- 4 files changed, 15 insertions(+), 13 deletions(-) diff --git a/.gitignore b/.gitignore index 1579492..8002172 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ -/attr-2.[45].*.tar.gz -/attr-2.5.*.tar.xz -/attr-2.5.*.tar.xz.sig +/attr-2.*.*.tar.gz +/attr-2.*.*.tar.xz +/attr-2.*.*.tar.xz.sig diff --git a/0003-attr-2.4.48-xattr-conf-nfs4-acls.patch b/0003-attr-2.4.48-xattr-conf-nfs4-acls.patch index 1b77c5c..4d16c53 100644 --- a/0003-attr-2.4.48-xattr-conf-nfs4-acls.patch +++ b/0003-attr-2.4.48-xattr-conf-nfs4-acls.patch @@ -24,7 +24,7 @@ index dcbc12c..7361fbd 100644 +# regardless of the specified action. system.nfs4_acl permissions - system.nfs4acl permissions + system.posix_acl_access permissions -- 2.20.1 @@ -50,12 +50,11 @@ diff --git a/xattr.conf b/xattr.conf index 7361fbd..1ac5b2f 100644 --- a/xattr.conf +++ b/xattr.conf -@@ -11,8 +11,6 @@ +@@ -11,7 +11,6 @@ # skip all extended attributes that are matched by any of the below patterns, # regardless of the specified action. -system.nfs4_acl permissions --system.nfs4acl permissions system.posix_acl_access permissions system.posix_acl_default permissions trusted.SGI_ACL_DEFAULT skip # xfs specific diff --git a/attr.spec b/attr.spec index 5862719..3f370f0 100644 --- a/attr.spec +++ b/attr.spec @@ -1,13 +1,13 @@ Summary: Utilities for managing filesystem extended attributes Name: attr -Version: 2.5.2 -Release: 5%{?dist} +Version: 2.6.0 +Release: 2%{?dist} Source0: https://download.savannah.nongnu.org/releases/attr/attr-%{version}.tar.xz Source1: https://download.savannah.nongnu.org/releases/attr/attr-%{version}.tar.xz.sig # Retreived from https://savannah.nongnu.org/people/viewgpg.php?user_id=15000 -# Source2: agruen-key.gpg +Source2: agruen-key.gpg # Retrieved from https://savannah.nongnu.org/people/viewgpg.php?user_id=42032 -Source2: vapier-key.gpg +# Source2: vapier-key.gpg # xattr.conf: remove entries for NFSv4 ACLs namespaces (#1031423) # https://lists.nongnu.org/archive/html/acl-devel/2019-03/msg00000.html @@ -77,7 +77,6 @@ sed -e 's|test/root/getfattr.test||' \ %build %configure -%make_build -C po ka.gmo %make_build %check @@ -125,6 +124,10 @@ ln -fs ../sys/xattr.h $RPM_BUILD_ROOT%{_includedir}/attr/xattr.h %config(noreplace) %{_sysconfdir}/xattr.conf %changelog +* Mon Jul 13 2026 Lukáš Zaoral - 2.6.0-2 +- rebase to 2.6.0 to fix the following CVEs: + - CVE-2026-54371 - Symlink Traversal Privilege Escalation via getfattr + * Tue Oct 29 2024 Troy Dawson - 2.5.2-5 - Bump release for October 2024 mass rebuild: Resolves: RHEL-64018 diff --git a/sources b/sources index 2408d75..c66b312 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (attr-2.5.2.tar.xz) = f587ea544effb7cfed63b3027bf14baba2c2dbe3a9b6c0c45fc559f7e8cb477b3e9a4a826eae30f929409468c50d11f3e7dc6d2500f41e1af8662a7e96a30ef3 -SHA512 (attr-2.5.2.tar.xz.sig) = 36a816b8b8bcb392efb153f92a687688526195942011469dca48a317336f7be84cb607d74c5336e7b383a304151a81508606e7ac39731ea50b5f75b8e9102724 +SHA512 (attr-2.6.0.tar.xz) = 870d0c34fbaa7520aad058ecd6509fe8eddd17430781a16d1e80484d4947307a7c641f0449183cbac1da611a85f82c9bee2d2d7bff76170fc2195b123100d22e +SHA512 (attr-2.6.0.tar.xz.sig) = 4db494f751a1c99d100593b7405e419275e5763cb9af335f3a26a098c7fd87710e36df9055148525c4072be77971f41552d7d9a8de09f01807270ea10d40b513