CVE-2019-20044

Published: 24 February 2020

In Zsh before 5.8, attackers able to execute commands can regain privileges dropped by the --no-PRIVILEGED option. Zsh fails to overwrite the saved uid, so the original privileges can be restored by executing MODULE_PATH=/dir/with/module zmodload with a module that calls setuid().

Notes

Author	Note
mdeslaur	reproducer in debian bug low priority since upstream considers this to be a "minor vulnerability"
rodrigo-zaiden	affects versions prior to 5.8, so only xenial and bionic needed to be patched.

Priority

CVSS 3 base score: 7.8

Status

Package	Release	Status
zsh Launchpad, Ubuntu, Debian	bionic	Released (5.4.2-3ubuntu3.2)
	eoan	Ignored (reached end-of-life)
	focal	Not vulnerable (5.8-3ubuntu1)
	groovy	Not vulnerable (5.8-3ubuntu1)
	hirsute	Not vulnerable (5.8-3ubuntu1)
	impish	Not vulnerable (5.8-3ubuntu1)
	jammy	Needs triage
	kinetic	Not vulnerable (5.8-3ubuntu1)
	precise	Does not exist
	trusty	Does not exist
	upstream	Released (5.8-1)
	xenial	Released (5.1.1-1ubuntu2.3+esm1)
	Patches: upstream: https://sourceforge.net/p/zsh/code/ci/24e993db62cf146fb76ebcf677a4a7aa3766fc74/ upstream: https://sourceforge.net/p/zsh/code/ci/8250c5c168f07549ed646e6848e6dda118271e23/ upstream: https://sourceforge.net/p/zsh/code/ci/26d02efa7a9b0a6b32e1a8bbc6aca6c544b94211/ upstream: https://sourceforge.net/p/zsh/code/ci/4ce66857b71b40a0661df3780ff557f2b0f4cb13/ upstream: https://sourceforge.net/p/zsh/code/ci/b15bd4aa590db8087d1e8f2eb1af2874f5db814d/ upstream: https://sourceforge.net/p/zsh/code/ci/048f40b68b05fdd5f3f8d60cda4e69fce2611331/ upstream: https://sourceforge.net/p/zsh/code/ci/4bec892059cf3e95ab256c3fcbc85daaa648c2d9/

References

Bugs

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=951458

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›

Security