attr-2.6.0

[Bruce Dubbs]

New minor version.

[Bruce Dubbs]

attr-2.6.0 (29 June 2026)

• Security fixes for CVE-2026-54371:
  • Fix symlink traversal privilege escalation vulnerability in getfattr and setfattr
  • Harden getfattr to properly handle symlinks with -h/--no-dereference option
  • Harden setfattr --restore with new -P/--physical option for safe restoring
  • Add warnings for potentially unsafe restore operations (can be disabled with the --disable-unsafe-restore-warnings configure option)
• New extended attribute system call support:
  • Add wrappers for new xattrat() system calls (getxattrat, setxattrat, listxattrat, removexattrat) introduced in kernel 6.13
  • Add backwards compatibility layer for older systems without xattrat() support
  • Add openat2() syscall wrapper support for enhanced security (kernel 5.6+)
• Code improvements and fixes:
  • Add new walk_tree helper, remove old implementation
  • Fix multiple memory management issues in attr_copy_* functions
  • Fix race conditions in listxattr and lgetxattr operations
  • Fix buffer overflow and use-after-free bugs in setfattr --restore
  • Remove dead code and improve compiler warning handling
  • Add visibility attribute support for better library symbol management
• Build system and compatibility:
  • Improve test suite for SELinux environments
  • Add License variable to pkg-config file
  • Fix various compiler warnings with -Wall, -Wextra, -Wmissing-prototypes
  • Add missing header includes and mark local functions static
• Translation updates:
  • Update the German translation
• Configuration updates:
  • Remove obsolete system.nfs4acl entry from xattr.conf
  • Add configure option --disable-unsafe-restore-warnings