CVE-2019-20044

NameCVE-2019-20044
DescriptionIn Zsh before 5.8, attackers able to execute commands can regain privileges dropped by the --no-PRIVILEGED option. Zsh fails to overwrite the saved uid, so the original privileges can be restored by executing MODULE_PATH=/dir/with/module zmodload with a module that calls setuid().
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-2117-1
NVD severityhigh
Debian Bugs951458

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
zsh (PTS)stretch5.3.1-4vulnerable
buster5.7.1-1vulnerable
bullseye, sid5.8-5fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
zshsourcejessie5.0.7-5+deb8u1DLA-2117-1
zshsource(unstable)5.8-1951458

Notes

[buster] - zsh <no-dsa> (Minor issue)
[stretch] - zsh <no-dsa> (Minor issue)
https://www.zsh.org/mla/zsh-announce/141
https://sourceforge.net/p/zsh/code/ci/24e993db62cf146fb76ebcf677a4a7aa3766fc74/
https://sourceforge.net/p/zsh/code/ci/8250c5c168f07549ed646e6848e6dda118271e23/
https://sourceforge.net/p/zsh/code/ci/26d02efa7a9b0a6b32e1a8bbc6aca6c544b94211/
https://sourceforge.net/p/zsh/code/ci/4ce66857b71b40a0661df3780ff557f2b0f4cb13/
https://sourceforge.net/p/zsh/code/ci/b15bd4aa590db8087d1e8f2eb1af2874f5db814d/

Search for package or bug name: Reporting problems