A set of tools for manipulating extended attributes on file system objects, in particular getfattr(1) and setfattr(1). An attr(1) command is also provided, which is largely compatible with the SGI IRIX tool of the same name.
Security Fix(es):
attr before version 2.6.0 contains a symlink traversal vulnerability in the getfattr and setfattr utilities that allows local attackers to escalate privileges by replacing a pathname component with a symbolic link during directory hierarchy traversal. Attackers who control a pathname component can redirect getfattr and setfattr operations to arbitrary files by substituting a symlink, leading to local privilege escalation when getfattr or setfattr is invoked by a privileged process over an attacker-controlled path.(CVE-2026-54371)
{
"severity": "High"
}{
"x86_64": [
"attr-2.5.1-7.oe2403sp1.x86_64.rpm",
"attr-debuginfo-2.5.1-7.oe2403sp1.x86_64.rpm",
"attr-debugsource-2.5.1-7.oe2403sp1.x86_64.rpm",
"attr-help-2.5.1-7.oe2403sp1.x86_64.rpm",
"libattr-devel-2.5.1-7.oe2403sp1.x86_64.rpm"
],
"src": [
"attr-2.5.1-7.oe2403sp1.src.rpm"
],
"aarch64": [
"attr-2.5.1-7.oe2403sp1.aarch64.rpm",
"attr-debuginfo-2.5.1-7.oe2403sp1.aarch64.rpm",
"attr-debugsource-2.5.1-7.oe2403sp1.aarch64.rpm",
"attr-help-2.5.1-7.oe2403sp1.aarch64.rpm",
"libattr-devel-2.5.1-7.oe2403sp1.aarch64.rpm"
]
}