Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 711136 (CVE-2019-20044) - <app-shells/zsh-5.8: insecure dropping of privileges when unsetting PRIVILEGED option (CVE-2019-20044)
Summary: <app-shells/zsh-5.8: insecure dropping of privileges when unsetting PRIVILEGE...
Status: RESOLVED FIXED
Alias: CVE-2019-20044
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://www.zsh.org/mla/zsh-announce/141
Whiteboard: B3 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-03-01 02:02 UTC by Sam James (sam_c) (security padawan)
Modified: 2020-03-25 20:24 UTC (History)
1 user (show)

See Also:
Package list:
app-shells/zsh-5.8
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James (sam_c) (security padawan) 2020-03-01 02:02:47 UTC
"In Zsh before 5.8, attackers able to execute commands can regain privileges dropped by the --no-PRIVILEGED option. Zsh fails to overwrite the saved uid, so the original privileges can be restored by executing MODULE_PATH=/dir/with/module zmodload with a module that calls setuid()."

MITRE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20044
Affects: <5.8
Comment 1 Agostino Sarubbo gentoo-dev 2020-03-01 13:04:35 UTC
amd64 stable
Comment 2 Agostino Sarubbo gentoo-dev 2020-03-02 12:30:38 UTC
sparc stable
Comment 3 Agostino Sarubbo gentoo-dev 2020-03-02 12:33:21 UTC
x86 stable
Comment 4 Sergei Trofimovich gentoo-dev 2020-03-02 12:37:04 UTC
ia64/ppc/ppc64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2020-03-05 12:50:10 UTC
arm stable
Comment 6 Mart Raudsepp gentoo-dev 2020-03-14 21:51:52 UTC
arm64 stable
Comment 7 Rolf Eike Beer 2020-03-16 17:46:50 UTC
hppa stable
Comment 8 Sam James (sam_c) (security padawan) 2020-03-18 20:05:53 UTC
Thanks arches.

Maintainer(s), please drop the vulnerable version(s).
Comment 9 Larry the Git Cow gentoo-dev 2020-03-18 20:55:25 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8a12520a673e400902c64889848cc413746fc87c

commit 8a12520a673e400902c64889848cc413746fc87c
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2020-03-18 20:55:09 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-03-18 20:55:09 +0000

    app-shells/zsh: Security cleanup
    
    Bug: https://bugs.gentoo.org/711136
    Package-Manager: Portage-2.3.94, Repoman-2.3.21
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 app-shells/zsh/Manifest            |   2 -
 app-shells/zsh/zsh-5.7.1-r1.ebuild | 221 -------------------------------------
 2 files changed, 223 deletions(-)
Comment 10 Sam James (sam_c) (security padawan) 2020-03-19 19:00:18 UTC
Thanks all.
Comment 11 Thomas Deutschmann gentoo-dev Security 2020-03-25 20:13:21 UTC
GLSA Vote: Yes

New GLSA request filed.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2020-03-25 20:24:24 UTC
This issue was resolved and addressed in
 GLSA 202003-55 at https://security.gentoo.org/glsa/202003-55
by GLSA coordinator Thomas Deutschmann (whissi).