The libacl library functions acl_get_file(), acl_set_file(), acl_extended_file(), and acl_delete_def_file() follow symbolic links when processing pathnames. This allows attackers to control a pathname component and replace a file/directory with a symbolic link, redirecting operations to unintended files and enabling local privilege escalation. Version 2.4.0 introduces new functions (e.g., acl_get_file_at()) with AT_SYMLINK_NOFOLLOW and AT_EMPTY_PATH flags to mitigate this behavior.
| Vendor | Product | Versions |
|---|---|---|
| non-gnu acl project | libacl | < 2.4.0 |