diff --git a/acl.spec b/acl.spec
index 37009ee14fcf400327546bce56ec42272edcf950..2e51c68eeafe712d090e09c77b2db5d2b20290cf 100644
--- a/acl.spec
+++ b/acl.spec
@@ -1,6 +1,6 @@
 Name: acl
 Version: 2.3.1
-Release: 3
+Release: 4
 Summary: Commands for manipulating POSIX access control lists
 License: GPLv2+
@@ -11,6 +11,8 @@ Source1: http://download.savannah.nongnu.org/releases/acl/%{name}-%{versio
 Source2: agruen-key.gpg
 Patch1: backport-acl_copy_entry-Prevent-accidental-NULL-pointer-deref.patch
+# From https://cgit.git.savannah.gnu.org/cgit/acl.git/commit/?id=6f9b9246ee91eaf09c3774ff95950624ef818476
+Patch2: backport-libobj-declare-s_str-directory-in-string_obj_tag.patch
 BuildRequires: libattr-devel gawk libtool gettext
 BuildRequires: chrpath
@@ -98,6 +100,9 @@ fi
 %{_mandir}/man5/*
 %changelog
+* Thu Aug 28 2025 liweigang - 2.3.1-4
+- Backport upstream patch to declare s_str directly in string_obj_tag
+
 * Wed Jul 10 2024 yixiangzhike - 2.3.1-3
 - Backport upstream patch to avoid NULL dereferences
diff --git a/backport-libobj-declare-s_str-directory-in-string_obj_tag.patch b/backport-libobj-declare-s_str-directory-in-string_obj_tag.patch
new file mode 100644
index 0000000000000000000000000000000000000000..008b139ee1b8a1eec318d7ed56014447d85ba50d
--- /dev/null
+++ b/backport-libobj-declare-s_str-directory-in-string_obj_tag.patch
@@ -0,0 +1,81 @@
+From 6f9b9246ee91eaf09c3774ff95950624ef818476 Mon Sep 17 00:00:00 2001
+From: Lukáš Zaoral
+Date: Tue, 31 Oct 2023 10:02:52 +0100
+Subject: libobj: declare s_str directly in string_obj_tag
+
+... to make libacl compatible with -D_FORTIFY_SOURCE=3. Otherwise, any call
+to __acl_to_any_text would terminate the given process because the
+fortification has a limited support for zero-length arrays nested in structs,
+as noted in the linked GCC Bugzilla. GCC devs suggested that this should be
+fixed in libacl rather than in GCC itself.
+
+Related: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104964#c15
+Resolves: https://savannah.nongnu.org/bugs/index.php?62519
+---
+ libacl/__acl_to_any_text.c | 10 +++++-----
+ libacl/libobj.h | 7 +------
+ 2 files changed, 6 insertions(+), 11 deletions(-)
+
+diff --git a/libacl/__acl_to_any_text.c b/libacl/__acl_to_any_text.c
+index f2b8088..bfad12d 100644
+--- a/libacl/__acl_to_any_text.c
++++ b/libacl/__acl_to_any_text.c
+@@ -64,7 +64,7 @@ __acl_to_any_text(acl_t acl, ssize_t *len_p, const char *prefix,
+ FOREACH_ACL_ENTRY(entry_obj_p, acl_obj_p) {
+ repeat:
+ entry_len = acl_entry_to_any_str(int2ext(entry_obj_p),
+- string_obj_p->sstr + len,
++ string_obj_p->s_str + len,
+ size-len,
+ int2ext(mask_obj_p),
+ prefix,
+@@ -81,20 +81,20 @@ __acl_to_any_text(acl_t acl, ssize_t *len_p, const char *prefix,
+ goto repeat;
+ } else
+ len += entry_len;
+- string_obj_p->sstr[len] = separator;
++ string_obj_p->s_str[len] = separator;
+ len++;
+ }
+ if (len)
+ len--;
+ if (len && suffix) {
+- strcpy(string_obj_p->sstr + len, suffix);
++ strcpy(string_obj_p->s_str + len, suffix);
+ len += suffix_len;
+ } else
+- string_obj_p->sstr[len] = '\0';
++ string_obj_p->s_str[len] = '\0';
+
+ if (len_p)
+ *len_p = len;
+- return (char *)int2ext(string_obj_p);
++ return string_obj_p ? string_obj_p->s_str : NULL;
+
+ fail:
+ free_obj_p(string_obj_p);
+diff --git a/libacl/libobj.h b/libacl/libobj.h
+index c41d5f9..84929cf 100644
+--- a/libacl/libobj.h
++++ b/libacl/libobj.h
+@@ -76,16 +76,11 @@ struct string_obj_tag;
+ typedef struct string_obj_tag string_obj;
+
+ /* string object */
+-struct __string_ext {
+- char s_str[0];
+-};
+ struct string_obj_tag {
+ obj_prefix o_prefix;
+- struct __string_ext i;
++ char s_str[0];
+ };
+
+-#define sstr i.s_str
+-
+ /* object creation, destruction, conversion and validation */
+ void *__new_var_obj_p(int magic, size_t size) hidden;
+ void __new_obj_p_here(int magic, void *here) hidden;
+--
+cgit v1.2.3
+
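Review bot: In the `__acl_to_any_text` part of the backported patch, the new `return string_obj_p ? string_obj_p->s_str : NULL;` tests a pointer that the lines just above already dereference unconditionally (`string_obj_p->s_str[len] = '\0'` and the `strcpy` into `s_str + len`), so the NULL arm cannot be reached on that path; `return string_obj_p->s_str;` states the same contract without suggesting a NULL object is possible there. The function now returns the address of `s_str` directly instead of going through `int2ext`, which presumably relies on `s_str` sitting at the offset the removed `i` member had, so the struct in `libobj.h` would benefit from a comment such as `/* s_str must stay the last member, directly after o_prefix; the text buffer is allocated past the end of the struct */`. Because the point of the patch is to keep working under `-D_FORTIFY_SOURCE=3`, it is worth confirming that the package is built with that flag and that a text-conversion call is exercised in `%check`; neither is visible in this diff. The function body starts and ends outside the inner hunks, and any code change is better raised upstream so the backport stays identical to commit 6f9b9246; separately, the patch file name says `directory` where the subject line says `directly`.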