Bug 1804859 (CVE-2019-20044) - CVE-2019-20044 zsh: insecure dropping of privileges when unsetting PRIVILEGED option
Summary: CVE-2019-20044 zsh: insecure dropping of privileges when unsetting PRIVILEGED...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-20044
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1804860 1807900 1807901 1807902 1807903 1807904 1807905 1807982
Blocks: 1804861
Reported: 2020-02-19 18:50 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-02-16 20:33 UTC

Fixed In Version: zsh-5.8
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in zsh. When unsetting the PRIVILEGED option, the shell sets its effective user and group IDs to match their respective real IDs. When the RUID and EUID were both non-zero, it is possible to regain the shell's former privileges. Also, the setopt built-in did not correctly report errors when unsetting the option, which prevented users from handling them as the documentation recommended. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Clone Of:
Environment:
Last Closed: 2020-03-17 22:31:52 UTC
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:0853 0 None None None 2020-03-17 16:18:54 UTC
Red Hat Product Errata RHSA-2020:0892 0 None None None 2020-03-18 14:18:19 UTC
Red Hat Product Errata RHSA-2020:0903 0 None None None 2020-03-19 11:27:39 UTC
Red Hat Product Errata RHSA-2020:0978 0 None None None 2020-03-26 08:07:48 UTC

Description Guilherme de Almeida Suckevicz 2020-02-19 18:50:52 UTC
When unsetting the PRIVILEGED option, the shell sets its effective user and group IDs to match their respective real IDs. On some platforms (including Linux and macOS, but not FreeBSD), when the RUID and EUID were both non-zero, it was possible to regain the shell's former privileges by e.g. assigning to the EUID or EGID parameter. In the course of investigating this issue, it was also found that the setopt built-in did not correctly report errors when unsetting the option, which prevented users from handling them as the documentation recommended. setopt now returns non-zero if it is unable to safely drop privileges.

References:
http://zsh.sourceforge.net/releases.html
https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1727336.html
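The two privilege-drop strategies the description contrasts, written out as an added example in Python (this is not zsh's code and not part of this bug report): a naive drop that only sets the effective IDs to the real IDs, and a hardened drop that sets real, effective and saved IDs together and re-checks them, returning a failure the caller must act on, as the fixed setopt now lets scripts do. It assumes Linux, where os.setresuid/os.getresuid exist.

```python
import os


def drop_naive():
    """The pre-fix behaviour the report describes: make the effective
    user and group IDs equal the real ones and nothing else.
    On Linux (and macOS), when the real and effective uid are both
    non-zero, seteuid() does not touch the saved set-user-ID, so the
    former effective uid remains reachable afterwards. The boolean
    returned here therefore says nothing about whether the drop is
    permanent."""
    os.setegid(os.getgid())
    os.seteuid(os.getuid())
    return os.geteuid() == os.getuid() and os.getegid() == os.getgid()


def drop_irrevocable(uid, gid):
    """Hardened form: set real, effective AND saved IDs in one call,
    groups first (while the process may still change them), then
    re-read all three and only report success if every one matches.
    Any mismatch means privileges could still be regained."""
    os.setresgid(gid, gid, gid)
    os.setresuid(uid, uid, uid)
    return (os.getresuid() == (uid, uid, uid)
            and os.getresgid() == (gid, gid, gid))


def drop_to_real_ids():
    """What unsetting PRIVILEGED is meant to achieve: drop to the real
    uid/gid irrevocably. A failed drop is raised, not silently ignored,
    which is the error the old setopt built-in failed to report."""
    ok = drop_irrevocable(os.getuid(), os.getgid())
    if not ok:
        raise PermissionError("could not fully drop privileges")
    return ok


if __name__ == "__main__":
    # Constructed demonstration: run as an ordinary user this simply
    # confirms the three IDs already agree; the check is what matters
    # when the process started with elevated effective IDs.
    print("dropped irrevocably:", drop_to_real_ids())
```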

Comment 1 Guilherme de Almeida Suckevicz 2020-02-19 18:51:09 UTC
Created zsh tracking bugs for this issue:

Affects: fedora-all [bug 1804860]

Comment 2 Marco Benatto 2020-02-27 12:30:26 UTC
External References:

http://zsh.sourceforge.net/releases.html

Comment 7 Kamil Dudka 2020-02-27 14:00:46 UTC
Ack.  Those are exactly the commits I picked for f30/f31:

    https://src.fedoraproject.org/rpms/zsh/blob/84fbd7d6/f/0002-zsh-5.7.1-CVE-2019-20044.patch

I am not sure how they apply to older supported releases of zsh though.

Comment 20 Kamil Dudka 2020-03-02 16:58:06 UTC
We need to pick also the following upstream commit to improve the error message:

https://sourceforge.net/p/zsh/code/ci/81185f4c

Comment 24 Kamil Dudka 2020-03-03 11:36:35 UTC
(In reply to Kamil Dudka from comment #20)
> We need to pick also the following upstream commit to improve the error message:
> 
> https://sourceforge.net/p/zsh/code/ci/81185f4c

... and https://sourceforge.net/p/zsh/code/ci/ed21a7b7

Comment 28 errata-xmlrpc 2020-03-17 16:18:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:0853 https://access.redhat.com/errata/RHSA-2020:0853

Comment 29 Product Security DevOps Team 2020-03-17 22:31:52 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-20044

Comment 30 errata-xmlrpc 2020-03-18 14:18:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2020:0892 https://access.redhat.com/errata/RHSA-2020:0892

Comment 31 errata-xmlrpc 2020-03-19 11:27:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:0903 https://access.redhat.com/errata/RHSA-2020:0903

Comment 32 errata-xmlrpc 2020-03-26 08:07:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:0978 https://access.redhat.com/errata/RHSA-2020:0978
