CVE-2019-20044

NameCVE-2019-20044
DescriptionIn Zsh before 5.8, attackers able to execute commands can regain privileges dropped by the --no-PRIVILEGED option. Zsh fails to overwrite the saved uid, so the original privileges can be restored by executing MODULE_PATH=/dir/with/module zmodload with a module that calls setuid().
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-2117-1, DLA-2470-1
Debian Bugs951458

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
zsh (PTS)jessie, jessie (lts)5.0.7-5+deb8u4fixed
stretch (security), stretch (lts), stretch5.3.1-4+deb9u5fixed
buster (security), buster, buster (lts)5.7.1-1+deb10u1vulnerable
bullseye (security), bullseye5.8-6+deb11u1fixed
bookworm5.9-4fixed
sid, trixie5.9-8fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
zshsourcejessie5.0.7-5+deb8u1DLA-2117-1
zshsourcestretch5.3.1-4+deb9u1DLA-2470-1
zshsource(unstable)5.8-1951458

Notes

[buster] - zsh <no-dsa> (Minor issue)
https://www.zsh.org/mla/zsh-announce/141
https://sourceforge.net/p/zsh/code/ci/24e993db62cf146fb76ebcf677a4a7aa3766fc74/
https://sourceforge.net/p/zsh/code/ci/8250c5c168f07549ed646e6848e6dda118271e23/
https://sourceforge.net/p/zsh/code/ci/26d02efa7a9b0a6b32e1a8bbc6aca6c544b94211/
https://sourceforge.net/p/zsh/code/ci/4ce66857b71b40a0661df3780ff557f2b0f4cb13/
https://sourceforge.net/p/zsh/code/ci/b15bd4aa590db8087d1e8f2eb1af2874f5db814d/

Search for package or bug name: Reporting problems