CLSA-2022-1648138003

See a problem?

Import Source

https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/ubuntu16.04els/CLSA-2022-1648138003.json

JSON Data

https://api.osv.dev/v1/vulns/CLSA-2022-1648138003

Upstream

CVE-2019-20044

CVE-2021-45444

Published

2022-03-24T16:06:43Z

Modified

2026-06-04T09:45:42.225236904Z

Summary

Fix CVE(s): CVE-2019-20044, CVE-2021-45444

Details

SECURITY UPDATE: Regain dropped privileges
- debian/patches/CVE-2019-20044-pre.patch: change the order of the calls to setgid (this should go first) and setuid in Src/options.c.
- debian/patches/CVE-2019-20044-1.patch: add extra checks to drop privileges securely in Src/options.c.
- debian/patches/CVE-2019-20044-2.patch: add Src/opensshbsdsetresid.c and its object file to Src/zsh.mdd, fix some of the checks from the previous patch in Src/options.c, update compatibility wrappers in Src/zshsystem.h, update the uid/gid methods in ACCHECKFUNCS in configure.ac and add a test in Test/E01options.ztst.
- debian/patches/CVE-2019-20044-3.patch: improve Src/options.c changes from above two patches.
- debian/patches/CVE-2019-20044-4.patch: clean up white spaces in Src/options.c.
- debian/patches/CVE-2019-20044-5.patch: add privileged tests to Test/P01privileged.ztst, remove the notes on privileged test in Test/E01options.ztst and add the prilived tests to the Test/README.
- CVE-2019-20044
SECURITY UPDATE: Arbitrary code execution
- debian/patches/CVE-2021-45444.patch: save PROMPTSUBST option before the call to promptexpand() in b/Src/prompt.c and restore after it is executed.
- CVE-2021-45444

References

https://errata.cloudlinux.com/ubuntu16_04/CLSA-2022-1648138003

Affected packages

TuxCare:Ubuntu:16.04 / zsh

Package

Name: zsh
Purl: pkg:deb/tuxcare/zsh?distro=ubuntu-16.04

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.1.1-1ubuntu2.3+tuxcare.els1

Database specific

source

"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/ubuntu16.04els/CLSA-2022-1648138003.json"

TuxCare:Ubuntu:16.04 / zsh-common

Package

Name: zsh-common
Purl: pkg:deb/tuxcare/zsh-common?distro=ubuntu-16.04

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.1.1-1ubuntu2.3+tuxcare.els1

Database specific

source

"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/ubuntu16.04els/CLSA-2022-1648138003.json"

TuxCare:Ubuntu:16.04 / zsh-dev

Package

Name: zsh-dev
Purl: pkg:deb/tuxcare/zsh-dev?distro=ubuntu-16.04

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.1.1-1ubuntu2.3+tuxcare.els1

Database specific

source

"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/ubuntu16.04els/CLSA-2022-1648138003.json"

TuxCare:Ubuntu:16.04 / zsh-doc

Package

Name: zsh-doc
Purl: pkg:deb/tuxcare/zsh-doc?distro=ubuntu-16.04

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.1.1-1ubuntu2.3+tuxcare.els1

Database specific

source

"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/ubuntu16.04els/CLSA-2022-1648138003.json"

TuxCare:Ubuntu:16.04 / zsh-static

Package

Name: zsh-static
Purl: pkg:deb/tuxcare/zsh-static?distro=ubuntu-16.04

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.1.1-1ubuntu2.3+tuxcare.els1

Database specific

source

"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/ubuntu16.04els/CLSA-2022-1648138003.json"