From 8d45ffe845fb15d4ed62f275e014a27f13f9e370 Mon Sep 17 00:00:00 2001
From: Kanishk Bansal <kanbansal@microsoft.com>
Date: Mon, 29 Jun 2026 15:11:56 +0000
Subject: [PATCH] Upgrade acl to 2.4.0 for CVE-2026-54369, CVE-2026-54370,
 CVE-2026-54371

Signed-off-by: Kanishk Bansal <kanbansal@microsoft.com>
---
 SPECS/acl/acl.signatures.json                 |  2 +-
 SPECS/acl/acl.spec                            | 20 ++++++++++++-------
 cgmanifest.json                               |  4 ++--
 .../manifests/package/pkggen_core_aarch64.txt |  2 +-
 .../manifests/package/pkggen_core_x86_64.txt  |  2 +-
 .../manifests/package/toolchain_aarch64.txt   |  8 ++++----
 .../manifests/package/toolchain_x86_64.txt    |  8 ++++----
 7 files changed, 26 insertions(+), 20 deletions(-)

diff --git a/SPECS/acl/acl.signatures.json b/SPECS/acl/acl.signatures.json
index 0718bbddee5..26a8634e4d4 100644
--- a/SPECS/acl/acl.signatures.json
+++ b/SPECS/acl/acl.signatures.json
@@ -1,5 +1,5 @@
 {
  "Signatures": {
-  "acl-2.3.1.tar.gz": "760c61c68901b37fdd5eefeeaf4c0c7a26bdfdd8ac747a1edff1ce0e243c11af"
+  "acl-2.4.0.tar.gz": "73c853c3d44e1f693e5a96a986f1bd19d3d0dac2c7d453e796177774bc4e5f6a"
  }
 }
diff --git a/SPECS/acl/acl.spec b/SPECS/acl/acl.spec
index 6147e7e1ea3..061ef5bb31c 100644
--- a/SPECS/acl/acl.spec
+++ b/SPECS/acl/acl.spec
@@ -1,7 +1,7 @@
 Summary:        Access control list utilities
 Name:           acl
-Version:        2.3.1
-Release:        2%{?dist}
+Version:        2.4.0
+Release:        1%{?dist}
 License:        GPLv2+
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -59,10 +59,10 @@ chmod 0755 %{buildroot}%{_libdir}/libacl.so.*.*.*
 %check
 # Skip following four tests which fail due to lack of ACL support in tools like cp from coreutils
 # As noted in coreutils build log: "configure: WARNING: GNU coreutils will be built without ACL support."
-sed -e 's|test/cp.test||' -i test/Makemodule.am Makefile.in Makefile
-sed -e 's|test/root/permissions.test||' -i test/Makemodule.am Makefile.in Makefile
-sed -e 's|test/root/setfacl.test||' -i test/Makemodule.am Makefile.in Makefile
-sed -e 's|test/misc.test||' -i test/Makemodule.am Makefile.in Makefile
+sed -e 's|test/cp.run||' -i test/Makemodule.am Makefile.in Makefile
+sed -e 's|test/root/permissions.run||' -i test/Makemodule.am Makefile.in Makefile
+sed -e 's|test/root/setfacl.run||' -i test/Makemodule.am Makefile.in Makefile
+sed -e 's|test/missc.run||' -i test/Makemodule.am Makefile.in Makefile
 %make_build check
 
 %ldconfig_scriptlets -n libacl
@@ -78,11 +78,14 @@ sed -e 's|test/misc.test||' -i test/Makemodule.am Makefile.in Makefile
 %{_mandir}/man5/acl.5*
 
 %files -n libacl-devel
+%license doc/COPYING doc/COPYING.LGPL
 %{_libdir}/libacl.so
 %{_includedir}/acl
 %{_includedir}/sys/acl.h
 %{_mandir}/man3/acl_*
 %{_libdir}/libacl.a
+%exclude %{_docdir}/acl/COPYING
+%exclude %{_docdir}/acl/COPYING.LGPL
 %{_docdir}/acl/*
 %{_libdir}/pkgconfig/libacl.pc
 
@@ -90,6 +93,9 @@ sed -e 's|test/misc.test||' -i test/Makemodule.am Makefile.in Makefile
 %{_libdir}/libacl.so.*
 
 %changelog
+* Mon Jun 29 2026 Kanishk Bansal <kanbansal@microsoft.com> - 2.4.0-1
+- Upgrade to 2.4.0 for CVE-2026-54369, CVE-2026-54370, CVE-2026-54371
+
 * Wed Sep 20 2023 Jon Slobodzian <joslobo@microsoft.com> - 2.3.1-2
 - Recompile with stack-protection fixed gcc version (CVE-2023-4039)
 
@@ -102,7 +108,7 @@ sed -e 's|test/misc.test||' -i test/Makemodule.am Makefile.in Makefile
 * Tue Apr 14 2020 Henry Beberman <henry.beberman@microsoft.com> - 2.2.53-4
 - Update files to include license
 
-* Fri Mar 03 2020 Jon Slobodzian <joslobo@microsoft.com> - 2.2.53-3
+* Tue Mar 03 2020 Jon Slobodzian <joslobo@microsoft.com> - 2.2.53-3
 - Replaced dead link. Fixed Source URL. Verified license.
 
 * Tue Sep 03 2019 Mateusz Malisz <mamalisz@microsoft.com> - 2.2.53-2
diff --git a/cgmanifest.json b/cgmanifest.json
index 9289d9460c7..48905072a6c 100644
--- a/cgmanifest.json
+++ b/cgmanifest.json
@@ -45,8 +45,8 @@
         "type": "other",
         "other": {
           "name": "acl",
-          "version": "2.3.1",
-          "downloadUrl": "https://download.savannah.nongnu.org/releases/acl/acl-2.3.1.tar.gz"
+          "version": "2.4.0",
+          "downloadUrl": "https://download.savannah.nongnu.org/releases/acl/acl-2.4.0.tar.gz"
         }
       }
     },
diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
index 878b878cce1..65a9b520404 100644
--- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
@@ -43,7 +43,7 @@ readline-8.2-2.azl3.aarch64.rpm
 readline-devel-8.2-2.azl3.aarch64.rpm
 libattr-2.5.2-1.azl3.aarch64.rpm
 attr-2.5.2-1.azl3.aarch64.rpm
-libacl-2.3.1-2.azl3.aarch64.rpm
+libacl-2.4.0-1.azl3.aarch64.rpm
 coreutils-9.4-6.azl3.aarch64.rpm
 coreutils-lang-9.4-6.azl3.aarch64.rpm
 bash-5.2.15-3.azl3.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
index 876c1bc7c1c..1e031f0716f 100644
--- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@@ -43,7 +43,7 @@ readline-8.2-2.azl3.x86_64.rpm
 readline-devel-8.2-2.azl3.x86_64.rpm
 libattr-2.5.2-1.azl3.x86_64.rpm
 attr-2.5.2-1.azl3.x86_64.rpm
-libacl-2.3.1-2.azl3.x86_64.rpm
+libacl-2.4.0-1.azl3.x86_64.rpm
 coreutils-9.4-6.azl3.x86_64.rpm
 coreutils-lang-9.4-6.azl3.x86_64.rpm
 bash-5.2.15-3.azl3.x86_64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt
index 11da6015d83..14bc1637f87 100644
--- a/toolkit/resources/manifests/package/toolchain_aarch64.txt
+++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -1,5 +1,5 @@
-acl-2.3.1-2.azl3.aarch64.rpm
-acl-debuginfo-2.3.1-2.azl3.aarch64.rpm
+acl-2.4.0-1.azl3.aarch64.rpm
+acl-debuginfo-2.4.0-1.azl3.aarch64.rpm
 asciidoc-10.2.0-3.azl3.noarch.rpm
 attr-2.5.2-1.azl3.aarch64.rpm
 attr-debuginfo-2.5.2-1.azl3.aarch64.rpm
@@ -166,8 +166,8 @@ krb5-1.21.3-5.azl3.aarch64.rpm
 krb5-debuginfo-1.21.3-5.azl3.aarch64.rpm
 krb5-devel-1.21.3-5.azl3.aarch64.rpm
 krb5-lang-1.21.3-5.azl3.aarch64.rpm
-libacl-2.3.1-2.azl3.aarch64.rpm
-libacl-devel-2.3.1-2.azl3.aarch64.rpm
+libacl-2.4.0-1.azl3.aarch64.rpm
+libacl-devel-2.4.0-1.azl3.aarch64.rpm
 libarchive-3.7.7-6.azl3.aarch64.rpm
 libarchive-debuginfo-3.7.7-6.azl3.aarch64.rpm
 libarchive-devel-3.7.7-6.azl3.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
index 23d405cf17f..1c6462f0965 100644
--- a/toolkit/resources/manifests/package/toolchain_x86_64.txt
+++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -1,5 +1,5 @@
-acl-2.3.1-2.azl3.x86_64.rpm
-acl-debuginfo-2.3.1-2.azl3.x86_64.rpm
+acl-2.4.0-1.azl3.x86_64.rpm
+acl-debuginfo-2.4.0-1.azl3.x86_64.rpm
 asciidoc-10.2.0-3.azl3.noarch.rpm
 attr-2.5.2-1.azl3.x86_64.rpm
 attr-debuginfo-2.5.2-1.azl3.x86_64.rpm
@@ -174,8 +174,8 @@ krb5-1.21.3-5.azl3.x86_64.rpm
 krb5-debuginfo-1.21.3-5.azl3.x86_64.rpm
 krb5-devel-1.21.3-5.azl3.x86_64.rpm
 krb5-lang-1.21.3-5.azl3.x86_64.rpm
-libacl-2.3.1-2.azl3.x86_64.rpm
-libacl-devel-2.3.1-2.azl3.x86_64.rpm
+libacl-2.4.0-1.azl3.x86_64.rpm
+libacl-devel-2.4.0-1.azl3.x86_64.rpm
 libarchive-3.7.7-6.azl3.x86_64.rpm
 libarchive-debuginfo-3.7.7-6.azl3.x86_64.rpm
 libarchive-devel-3.7.7-6.azl3.x86_64.rpm