| Name | CVE-2019-20044 |
| Description | In Zsh before 5.8, attackers able to execute commands can regain privileges dropped by the --no-PRIVILEGED option. Zsh fails to overwrite the saved uid, so the original privileges can be restored by executing MODULE_PATH=/dir/with/module zmodload with a module that calls setuid(). |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-2117-1, DLA-2470-1 |
| Debian Bugs | 951458 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| zsh (PTS) | jessie, jessie (lts) | 5.0.7-5+deb8u4 | fixed |
| stretch (security), stretch (lts), stretch | 5.3.1-4+deb9u5 | fixed | |
| buster (security), buster, buster (lts) | 5.7.1-1+deb10u1 | vulnerable | |
| bullseye (security), bullseye | 5.8-6+deb11u1 | fixed | |
| bookworm | 5.9-4 | fixed | |
| sid, trixie | 5.9-8 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| zsh | source | wheezy | (unfixed) | end-of-life | ||
| zsh | source | jessie | 5.0.7-5+deb8u1 | DLA-2117-1 | ||
| zsh | source | stretch | 5.3.1-4+deb9u1 | DLA-2470-1 | ||
| zsh | source | (unstable) | 5.8-1 | 951458 |
[buster] - zsh <no-dsa> (Minor issue)
https://www.zsh.org/mla/zsh-announce/141
https://sourceforge.net/p/zsh/code/ci/24e993db62cf146fb76ebcf677a4a7aa3766fc74/
https://sourceforge.net/p/zsh/code/ci/8250c5c168f07549ed646e6848e6dda118271e23/
https://sourceforge.net/p/zsh/code/ci/26d02efa7a9b0a6b32e1a8bbc6aca6c544b94211/
https://sourceforge.net/p/zsh/code/ci/4ce66857b71b40a0661df3780ff557f2b0f4cb13/
https://sourceforge.net/p/zsh/code/ci/b15bd4aa590db8087d1e8f2eb1af2874f5db814d/