[Pkg-zsh-devel] Bug#951458: zsh: CVE-2019-20044: insecure dropping of privileges when unsetting PRIVILEGED option

Axel Beckert abe at debian.org
Sun Feb 16 20:44:32 GMT 2020


Package: zsh
Version: 5.7.1-test-3-1
Severity: important
Tags: fixed-upstream security pending
Control: found -1 5.0.7-5
Control: found -1 5.3.1-4
Control: found -1 5.4.2-3
Control: found -1 5.7.1-1

From upstream NEWS file:

CVE-2019-20044: When unsetting the PRIVILEGED option, the shell sets its
effective user and group IDs to match their respective real IDs. On some
platforms (including Linux and macOS, but not FreeBSD), when the RUID and
EUID were both non-zero, it was possible to regain the shell's former
privileges by e.g. assigning to the EUID or EGID parameter. In the course
of investigating this issue, it was also found that the setopt built-in
did not correctly report errors when unsetting the option, which
prevented users from handling them as the documentation recommended.
setopt now returns non-zero if it is unable to safely drop privileges.
[ Reported by Sam Foxman <samfoxman320 at gmail.com>. ]


How to reproduce (run as root):

# perl -e '$< = 1; $> = 2; exec("zsh", "-fc", "id; set +p; id; EUID=2; id");'

On vulnerable systems the last call to id will show that the euid is set
back to 2.


Upstream confirmed that at least zsh in Debian Jessie (5.0.7-5) and zsh
in Ubuntu 18.04 LTS Bionic Beaver are affected by this issue. (As well
as the version previous to the fixed version of course, i.e. 5.7.1-1 as
in Debian Buster.)

I also confirmed that zsh 5.3.1-4 in Debian Stretch is affected as well.

			Regards, Axel

P.S.: This bug report is mostly for reference and for tracking
vulnerable and fixed versions besides
https://security-tracker.debian.org/tracker/CVE-2019-20044

P.P.S.: Only severity important, because upstream declared it as "minor
vulnerability".
