Your submission was sent successfully! Close

CVE-2019-20044

Published: 24 February 2020

In Zsh before 5.8, attackers able to execute commands can regain privileges dropped by the --no-PRIVILEGED option. Zsh fails to overwrite the saved uid, so the original privileges can be restored by executing MODULE_PATH=/dir/with/module zmodload with a module that calls setuid().

Notes

AuthorNote
mdeslaur
reproducer in debian bug
low priority since upstream considers this to be a
"minor vulnerability"
rodrigo-zaiden
affects versions prior to 5.8, so only xenial and bionic
needed to be patched.
Priority

Low

CVSS 3 base score: 7.8

Status

Package Release Status
zsh
Launchpad, Ubuntu, Debian
bionic
Released (5.4.2-3ubuntu3.2)
eoan Ignored
(reached end-of-life)
focal Not vulnerable
(5.8-3ubuntu1)
groovy Not vulnerable
(5.8-3ubuntu1)
hirsute Not vulnerable
(5.8-3ubuntu1)
impish Not vulnerable
(5.8-3ubuntu1)
jammy Needs triage

precise Does not exist

trusty Does not exist

upstream
Released (5.8-1)
xenial
Released (5.1.1-1ubuntu2.3+esm1)
Patches:
upstream: https://sourceforge.net/p/zsh/code/ci/24e993db62cf146fb76ebcf677a4a7aa3766fc74/
upstream: https://sourceforge.net/p/zsh/code/ci/8250c5c168f07549ed646e6848e6dda118271e23/
upstream: https://sourceforge.net/p/zsh/code/ci/26d02efa7a9b0a6b32e1a8bbc6aca6c544b94211/
upstream: https://sourceforge.net/p/zsh/code/ci/4ce66857b71b40a0661df3780ff557f2b0f4cb13/
upstream: https://sourceforge.net/p/zsh/code/ci/b15bd4aa590db8087d1e8f2eb1af2874f5db814d/
upstream: https://sourceforge.net/p/zsh/code/ci/048f40b68b05fdd5f3f8d60cda4e69fce2611331/
upstream: https://sourceforge.net/p/zsh/code/ci/4bec892059cf3e95ab256c3fcbc85daaa648c2d9/