Bug 1804859 (CVE-2019-20044)
Summary: | CVE-2019-20044 zsh: insecure dropping of privileges when unsetting PRIVILEGED option | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | unspecified | CC: | dmaphy, fkrska, james.antill, j, kdudka, mbenatto, rmetrich, svashisht, thoger |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | zsh-5.8 | Doc Type: | If docs needed, set a value |
Doc Text: |
A flaw was found in zsh. When unsetting the PRIVILEGED option, the shell sets its effective user and group IDs to match their respective real IDs. When the RUID and EUID were both non-zero, it was possible to regain the shell's former privileges. Also, the setopt built-in did not correctly report errors when unsetting the option, which prevented users from handling them as the documentation recommended. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2020-03-17 22:31:52 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1804860, 1807900, 1807901, 1807902, 1807903, 1807904, 1807905, 1807982 | ||
Bug Blocks: | 1804861 |
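
The Doc Text above describes a drop that changes only the effective IDs; on Linux an unprivileged process that does this keeps its saved set-user-ID and set-group-ID, which is what allows the old IDs to be restored. The following C code is an added example, not zsh's code or the upstream patch: it drops to the real IDs with setresuid()/setresgid() and then checks that the former IDs cannot be regained. The helper names are hypothetical, and supplementary groups are not handled.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>

/* glibc hides these without _GNU_SOURCE; redeclare in case it came too late. */
int setresuid(uid_t, uid_t, uid_t), setresgid(gid_t, gid_t, gid_t);
int getresuid(uid_t *, uid_t *, uid_t *), getresgid(gid_t *, gid_t *, gid_t *);

/* Hypothetical helper: 1 if effective and saved IDs all equal the real IDs. */
static int ids_fully_dropped(void)
{
    uid_t ru, eu, su;
    gid_t rg, eg, sg;
    if (getresuid(&ru, &eu, &su) != 0 || getresgid(&rg, &eg, &sg) != 0)
        return 0;
    return eu == ru && su == ru && eg == rg && sg == rg;
}

/* Hypothetical helper: permanently drop to the real IDs.
 * Returns 0 on success, -1 if a step fails or privileges can be regained. */
int drop_privileges_permanently(void)
{
    uid_t ruid = getuid(), old_euid = geteuid();
    gid_t rgid = getgid(), old_egid = getegid();
    /* Group first: after the UID drop we may no longer be allowed to. */
    if (setresgid(rgid, rgid, rgid) != 0)
        return -1;
    /* Set real, effective AND saved UID; changing only the effective UID
     * leaves the saved set-user-ID behind when the old EUID is non-zero. */
    if (setresuid(ruid, ruid, ruid) != 0)
        return -1;
    if (!ids_fully_dropped())
        return -1;
    /* Verify the drop is irreversible: switching back must now fail.
     * Skipped for a real UID of 0, which can always change its IDs. */
    if (ruid != 0 && old_euid != ruid && seteuid(old_euid) == 0)
        return -1;
    if (ruid != 0 && old_egid != rgid && setegid(old_egid) == 0)
        return -1;
    return 0;
}

int main(void)
{
    if (drop_privileges_permanently() != 0)
        return 1; /* refuse to continue with privileges still held */
    printf("running as uid=%d gid=%d\n", (int)getuid(), (int)getgid());
    return 0;
}
```

Checking every return value matters here because the Doc Text also notes that errors from unsetting the option were not reported to the caller.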
Description
Guilherme de Almeida Suckevicz
2020-02-19 18:50:52 UTC
Created zsh tracking bugs for this issue:

Affects: fedora-all [bug 1804860]

External References:

http://zsh.sourceforge.net/releases.html

Upstream commits for this issue:

https://sourceforge.net/p/zsh/code/ci/24e993db62cf146fb76ebcf677a4a7aa3766fc74/
https://sourceforge.net/p/zsh/code/ci/8250c5c168f07549ed646e6848e6dda118271e23/
https://sourceforge.net/p/zsh/code/ci/26d02efa7a9b0a6b32e1a8bbc6aca6c544b94211/
https://sourceforge.net/p/zsh/code/ci/4ce66857b71b40a0661df3780ff557f2b0f4cb13/
https://sourceforge.net/p/zsh/code/ci/b15bd4aa590db8087d1e8f2eb1af2874f5db814d/

Ack. Those are exactly the commits I picked for f30/f31:

https://src.fedoraproject.org/rpms/zsh/blob/84fbd7d6/f/0002-zsh-5.7.1-CVE-2019-20044.patch

I am not sure how they apply to older supported releases of zsh though.

We need to pick also the following upstream commit to improve the error message:

https://sourceforge.net/p/zsh/code/ci/81185f4c

(In reply to Kamil Dudka from comment #20)
> We need to pick also the following upstream commit to improve the error message:
>
> https://sourceforge.net/p/zsh/code/ci/81185f4c

... and https://sourceforge.net/p/zsh/code/ci/ed21a7b7

This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2020:0853 https://access.redhat.com/errata/RHSA-2020:0853

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-20044

This issue has been addressed in the following products:

Red Hat Enterprise Linux 6

Via RHSA-2020:0892 https://access.redhat.com/errata/RHSA-2020:0892

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2020:0903 https://access.redhat.com/errata/RHSA-2020:0903

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:0978 https://access.redhat.com/errata/RHSA-2020:0978