Bug 26252 - zsh new security issue CVE-2019-20044
Summary: zsh new security issue CVE-2019-20044
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-02-24 23:35 CET by David Walser
Modified: 2020-02-29 14:43 CET

See Also:
Source RPM: zsh-5.7.1-2.mga8.src.rpm
CVE:
Status comment:


Description David Walser 2020-02-24 23:35:03 CET
Debian-LTS has issued an advisory today (February 24):
https://www.debian.org/lts/security/2020/dla-2117

The issue is fixed upstream in 5.8.

Mageia 7 is also affected.
David Walser 2020-02-24 23:35:15 CET

Status comment: (none) => Fixed upstream in 5.8
Whiteboard: (none) => MGA7TOO

Comment 1 Lewis Smith 2020-02-25 19:46:45 CET
Various committers, so assigning globally; CC Shlomi as the registered maintainer.

Assignee: bugsquad => pkg-bugs
CC: (none) => shlomif

Comment 2 David GEIGER 2020-02-27 06:06:58 CET
Done for both Cauldron and mga7!

CC: (none) => geiger.david68210

Comment 3 David Walser 2020-02-27 13:58:37 CET
Advisory:
========================

Updated zsh packages fix security vulnerability:

A privilege escalation vulnerability was discovered in zsh, whereby a user
could regain a formerly elevated privilege level even when such an action
should not be permitted (CVE-2019-20044).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20044
https://www.debian.org/lts/security/2020/dla-2117
========================

Updated packages in core/updates_testing:
========================
zsh-5.7.1-1.1.mga7
zsh-doc-5.7.1-1.1.mga7

from zsh-5.7.1-1.1.mga7.src.rpm

Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 7
Status comment: Fixed upstream in 5.8 => (none)
Whiteboard: MGA7TOO => (none)

Comment 4 Herman Viaene 2020-02-28 11:40:31 CET
MGA7-64 Plasma on Lenovo B50
No installation issues
ref bug 22846 for testing:
changed the user's shell to zsh, logged off and on again.
Run konsole and fill out the options for history and completion.
$ more .zshrc 
# Lines configured by zsh-newuser-install
HISTFILE=~/.histfile
HISTSIZE=1000
SAVEHIST=1000
# End of lines configured by zsh-newuser-install
# The following lines were added by compinstall
zstyle :compinstall filename '/home/tester7/.zshrc'

autoload -Uz compinit
compinit
# End of lines added by compinstall

$ echo $SHELL
/bin/zsh

Run a series of ls and cd commands using history and completion, all OK

CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK

Comment 5 Thomas Andrews 2020-02-28 17:53:05 CET
Validating. Advisory in Comment 3.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Thomas Backlund 2020-02-29 13:51:00 CET

CC: (none) => tmb
Keywords: (none) => advisory

Comment 6 Mageia Robot 2020-02-29 14:43:47 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0107.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

