Opened 4 hours ago

Last modified 52 minutes ago

#5966 new enhancement

acl-2.4.0

Reported by: Bruce Dubbs
Owned by: SecurityAdvisory
Priority: normal
Milestone: 13.1
Component: Book
Version: git
Severity: normal
Keywords:
Cc:

Description

New minor version.

Change History (2)

comment:1 by Bruce Dubbs, 4 hours ago

acl 2.4.0 (29 June 2026)

  • Major security and robustness improvements:
    • Fix multiple security vulnerabilities: CVE-2026-54369 and CVE-2026-54370
    • Harden setfacl, getfacl, and chacl against malicious input
    • Prevent NULL pointer dereferences and memory corruption
    • Fix setfacl --restore for pathnames beginning with whitespace
    • Prevent setfacl --restore --test from changing file permissions
  • New library functions:
    • Add acl_get_file_at(), acl_set_file_at(), acl_delete_def_file_at() for safer file operations using file descriptors and to control symlink following
    • acl_delete_def_file_at() allows removing default ACLs via file descriptor
  • API improvements and bug fixes:
    • Remove libacl dependency on libattr
    • Reject invalid numeric UIDs and GIDs in libacl
    • Fix memory wasting loop when user does not exist
    • Retry harder in acl_get_file/acl_get_fd operations
    • Improve errno handling in acl permission functions
    • Fix compiler warnings and sequence point issues
  • Build system and code organization:
    • Rename internal symbols with acl_ prefix to avoid conflicts
    • Internalize walk_tree API and replace with hardened version
    • Mark local variables and functions static where appropriate
    • Remove unnecessary dependencies and dead code
  • Test suite improvements:
    • Fix test compatibility issues with getpwnam/getgrnam functions
    • Add comprehensive restore.run test for --restore functionality
    • Fix shell quoting errors in test scripts
    • Improve test lookup library accessibility
  • Documentation updates:
    • Clarify symlink following behavior in manual pages
    • Document new _at function variants
    • Clarify that on Linux, acl_perm_t is a bitset
  • Translation updates

comment:2 by Bruce Dubbs, 52 minutes ago

Owner: changed from lfs-book to SecurityAdvisory

Fixed at commit 4a56fb5d78.

Leaving open for security advisories.
