When unsetting the PRIVILEGED option, the shell sets its effective user and group IDs to match their respective real IDs. On some platforms (including Linux and macOS, but not FreeBSD), when the RUID and EUID were both non-zero, it was possible to regain the shell's former privileges by e.g. assigning to the EUID or EGID parameter.

In the course of investigating this issue, it was also found that the setopt built-in did not correctly report errors when unsetting the option, which prevented users from handling them as the documentation recommended. setopt now returns non-zero if it is unable to safely drop privileges.

References:
http://zsh.sourceforge.net/releases.html
https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1727336.html
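The following C program, an added example that is not zsh's code or part of this bug report, shows a privilege drop on Linux that resets the saved set-user-ID and set-group-ID along with the effective IDs, then reads all three back and fails closed on a mismatch. The saved ID matters because an unprivileged process may switch its effective ID back to it. The program assumes Linux with glibc (setresuid/getresuid); can_regain, drop_privileges_permanently and the IDs 1000/1001 are constructed for illustration.

```c
#define _GNU_SOURCE          /* setresuid/getresuid (Linux, glibc) */
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* A drop is reversible while the effective or saved ID still differs
 * from the real ID: an unprivileged process may set its effective ID
 * to any of its real, effective or saved IDs. */
int can_regain(uid_t real, uid_t effective, uid_t saved)
{
    return effective != real || saved != real;
}

/* Set real, effective and saved IDs to the real IDs, group first (the
 * GID change may need the privilege that the UID change gives up),
 * then read them back. Returns 0 only if nothing is left to regain. */
int drop_privileges_permanently(void)
{
    uid_t ru = getuid(), eu, su;
    gid_t rg = getgid(), eg, sg;

    if (setresgid(rg, rg, rg) != 0) return -1;
    if (setresuid(ru, ru, ru) != 0) return -1;

    /* Verify instead of trusting the return codes alone. */
    if (getresgid(&rg, &eg, &sg) != 0 || can_regain(rg, eg, sg)) return -1;
    if (getresuid(&ru, &eu, &su) != 0 || can_regain(ru, eu, su)) return -1;
    return 0;
}

int main(void)
{
    /* Constructed IDs: real 1000, former effective/saved 1001. */
    printf("euid reset only : regain possible = %d\n",
           can_regain(1000, 1000, 1001));
    printf("all three reset : regain possible = %d\n",
           can_regain(1000, 1000, 1000));

    if (drop_privileges_permanently() != 0) {
        fprintf(stderr, "privilege drop failed, refusing to continue\n");
        return 1;   /* fail closed, like setopt's non-zero status */
    }
    puts("real, effective and saved IDs all match");
    return 0;
}
```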
Created zsh tracking bugs for this issue: Affects: fedora-all [bug 1804860]
External References: http://zsh.sourceforge.net/releases.html
Upstream commits for this issue:
https://sourceforge.net/p/zsh/code/ci/24e993db62cf146fb76ebcf677a4a7aa3766fc74/
https://sourceforge.net/p/zsh/code/ci/8250c5c168f07549ed646e6848e6dda118271e23/
https://sourceforge.net/p/zsh/code/ci/26d02efa7a9b0a6b32e1a8bbc6aca6c544b94211/
https://sourceforge.net/p/zsh/code/ci/4ce66857b71b40a0661df3780ff557f2b0f4cb13/
https://sourceforge.net/p/zsh/code/ci/b15bd4aa590db8087d1e8f2eb1af2874f5db814d/
Ack. Those are exactly the commits I picked for f30/f31:
https://src.fedoraproject.org/rpms/zsh/blob/84fbd7d6/f/0002-zsh-5.7.1-CVE-2019-20044.patch
I am not sure how they apply to older supported releases of zsh though.
We need to pick also the following upstream commit to improve the error message: https://sourceforge.net/p/zsh/code/ci/81185f4c
(In reply to Kamil Dudka from comment #20)
> We need to pick also the following upstream commit to improve the error message:
>
> https://sourceforge.net/p/zsh/code/ci/81185f4c

... and https://sourceforge.net/p/zsh/code/ci/ed21a7b7
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2020:0853 https://access.redhat.com/errata/RHSA-2020:0853
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-20044
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2020:0892 https://access.redhat.com/errata/RHSA-2020:0892
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2020:0903 https://access.redhat.com/errata/RHSA-2020:0903
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions
Via RHSA-2020:0978 https://access.redhat.com/errata/RHSA-2020:0978