Current stable version sys-apps/acl-2.2.47 has a critical bug about symlink handling. This leads to infinite loops and security problems. See bug #265425 for info. So please stabilize version 2.2.47-r1, which has contained this fix for half a year now.
base-system, are you okay with stabilization? Also, acl has a new home and version 2.2.49: http://savannah.nongnu.org/projects/acl
CVE-2009-4411 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4411): The (1) setfacl and (2) getfacl commands in XFS acl 2.2.47, when running in recursive (-R) mode, follow symbolic links even when the --physical (aka -P) or -L option is specified, which might allow local users to modify the ACL for arbitrary files or directories via a symlink attack.
Some people seem to think the symlink fix didn't work completely in 2.2.47-r1 (see the referenced bug report). At any rate, 2.2.49 is in the tree now.
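As an added illustration (not code from the acl project or from this bug report), here is a Python model of the physical walk that a recursive `-P` run is supposed to perform: every check is lstat-based, so symlinks are neither descended into nor reported. The constructed tree contains the two conditions the report describes, a link to a file outside the tree and a link back to a parent directory, which would loop forever if followed; the temp directory and all names in it are assumptions.

```python
import os
import tempfile


def physical_walk(root):
    """Return the paths a physical (-P style) recursive walk would touch:
    the root plus everything beneath it, never descending into a symlink
    and never reporting one. All type checks avoid dereferencing."""
    if os.path.islink(root):
        return []  # a physical walk also skips symbolic-link arguments
    targets = [root]
    if not os.path.isdir(root):
        return targets
    stack = [root]
    while stack:
        cur = stack.pop()
        with os.scandir(cur) as it:
            for entry in it:
                if entry.is_symlink():  # lstat-based, target never consulted
                    continue
                targets.append(entry.path)
                if entry.is_dir(follow_symlinks=False):
                    stack.append(entry.path)
    return sorted(targets)


def build_tree():
    """Constructed sample data: a tree under 'work' plus a file 'secret'
    outside it, reachable only through symlinks planted inside 'work'."""
    base = tempfile.mkdtemp()
    outside = os.path.join(base, "secret")
    open(outside, "w").close()
    work = os.path.join(base, "work")
    os.makedirs(os.path.join(work, "sub"))
    open(os.path.join(work, "sub", "data"), "w").close()
    os.symlink(outside, os.path.join(work, "link_to_secret"))   # escape
    os.symlink(base, os.path.join(work, "sub", "link_to_parent"))  # cycle
    return work


def run_demo():
    """Walk the constructed tree and report anything outside 'work'."""
    work = build_tree()
    touched = physical_walk(work)
    escaped = [p for p in touched if not p.startswith(work)]
    return {"touched": touched, "escaped": escaped}


if __name__ == "__main__":
    print(run_demo())
```

A walk that dereferenced entries would instead report `secret` and never terminate on `link_to_parent`; both are what the bug report attributes to the affected release.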
Archs, please stabilize 2.2.49, targets: alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86
x86 stable
amd64/arm stable
Stable for HPPA.
alpha/ia64/m68k/s390/sh/sparc stable
ppc and ppc64 done
Thanks, everyone. GLSA request filed.
This issue was resolved and addressed in GLSA 201412-08 at http://security.gentoo.org/glsa/glsa-201412-08.xml by GLSA coordinator Sean Amoss (ackle).