diff -Nru zsh-5.4.2/debian/changelog zsh-5.4.2/debian/changelog --- zsh-5.4.2/debian/changelog 2018-09-10 20:02:52.000000000 +0000 +++ zsh-5.4.2/debian/changelog 2022-03-11 13:46:35.000000000 +0000 @@ -1,3 +1,31 @@ +zsh (5.4.2-3ubuntu3.2) bionic-security; urgency=medium + + * SECURITY UPDATE: Regain dropped privileges + - debian/patches/CVE-2019-20044-pre.patch: change the order of the calls to + setgid (this should go first) and setuid in Src/options.c. + - debian/patches/CVE-2019-20044-1.patch: add extra checks to drop privileges + securely in Src/options.c. + - debian/patches/CVE-2019-20044-2.patch: add Src/openssh_bsd_setres_id.c + and its object file to Src/zsh.mdd, fix some of the checks from the + previous patch in Src/options.c, update compatibility wrappers in + Src/zsh_system.h, update the uid/gid methods in AC_CHECK_FUNCS in + configure.ac and add a test in Test/E01options.ztst. + - debian/patches/CVE-2019-20044-3.patch: improve Src/options.c changes from + above two patches. + - debian/patches/CVE-2019-20044-4.patch: clean up white spaces in + Src/options.c. + - debian/patches/CVE-2019-20044-5.patch: add privileged tests to + Test/P01privileged.ztst, remove the notes on privileged test in + Test/E01options.ztst and add the prilived tests to the Test/README. + - CVE-2019-20044 + * SECURITY UPDATE: Arbitrary code execution + - debian/patches/CVE-2021-45444.patch: save PROMPTSUBST option before + the call to promptexpand() in b/Src/prompt.c and restore after it is + executed. + - CVE-2021-45444 + + -- Rodrigo Figueiredo Zaiden Fri, 11 Mar 2022 10:46:35 -0300 + zsh (5.4.2-3ubuntu3.1) bionic-security; urgency=medium * SECURITY UPDATE: Arbitrary code execution diff -Nru zsh-5.4.2/debian/patches/CVE-2019-20044-1.patch zsh-5.4.2/debian/patches/CVE-2019-20044-1.patch --- zsh-5.4.2/debian/patches/CVE-2019-20044-1.patch 1970-01-01 00:00:00.000000000 +0000 +++ zsh-5.4.2/debian/patches/CVE-2019-20044-1.patch 2022-03-11 13:45:02.000000000 +0000 @@ -0,0 +1,237 @@ +From 24e993db62cf146fb76ebcf677a4a7aa3766fc74 Mon Sep 17 00:00:00 2001 +From: Sam Foxman +Date: Sun, 22 Dec 2019 17:30:28 -0500 +Subject: [PATCH] Drop privileges securely + +--- + Src/options.c | 161 +++++++++++++++++++++++++++++++++++++------------- + configure.ac | 4 +- + 2 files changed, 124 insertions(+), 41 deletions(-) + +--- zsh-5.4.2.orig/Src/options.c ++++ zsh-5.4.2/Src/options.c +@@ -575,6 +575,7 @@ int + bin_setopt(char *nam, char **args, UNUSED(Options ops), int isun) + { + int action, optno, match = 0; ++ int retval = 0; + + /* With no arguments or options, display options. */ + if (!*args) { +@@ -602,18 +603,28 @@ bin_setopt(char *nam, char **args, UNUSE + inittyptab(); + return 1; + } +- if(!(optno = optlookup(*args))) ++ if(!(optno = optlookup(*args))) { + zwarnnam(nam, "no such option: %s", *args); +- else if(dosetopt(optno, action, 0, opts)) +- zwarnnam(nam, "can't change option: %s", *args); ++ retval = 1; ++ } else { ++ retval = !!dosetopt(optno, action, 0, opts); ++ if (retval) { ++ zwarnnam(nam, "can't change option: %s", *args); ++ } ++ } + break; + } else if(**args == 'm') { + match = 1; + } else { +- if (!(optno = optlookupc(**args))) ++ if (!(optno = optlookupc(**args))) { + zwarnnam(nam, "bad option: -%c", **args); +- else if(dosetopt(optno, action, 0, opts)) +- zwarnnam(nam, "can't change option: -%c", **args); ++ retval = 1; ++ } else { ++ retval = !!dosetopt(optno, action, 0, opts); ++ if (retval) { ++ zwarnnam(nam, "can't change option: -%c", **args); ++ } ++ } + } + } + args++; +@@ -623,10 +634,15 @@ bin_setopt(char *nam, char **args, UNUSE + if (!match) { + /* Not globbing the arguments -- arguments are simply option names. */ + while (*args) { +- if(!(optno = optlookup(*args++))) ++ if(!(optno = optlookup(*args++))) { + zwarnnam(nam, "no such option: %s", args[-1]); +- else if(dosetopt(optno, !isun, 0, opts)) +- zwarnnam(nam, "can't change option: %s", args[-1]); ++ retval = 1; ++ } else { ++ retval = !!dosetopt(optno, !isun, 0, opts); ++ if (retval) { ++ zwarnnam(nam, "can't change option: %s", args[-1]); ++ } ++ } + } + } else { + /* Globbing option (-m) set. */ +@@ -649,7 +665,8 @@ bin_setopt(char *nam, char **args, UNUSE + tokenize(s); + if (!(pprog = patcompile(s, PAT_HEAPDUP, NULL))) { + zwarnnam(nam, "bad pattern: %s", *args); +- continue; ++ retval = 1; ++ break; + } + /* Loop over expansions. */ + scanmatchtable(optiontab, pprog, 0, 0, OPT_ALIAS, +@@ -658,7 +675,7 @@ bin_setopt(char *nam, char **args, UNUSE + } + } + inittyptab(); +- return 0; ++ return retval; + } + + /* Identify an option name */ +@@ -767,37 +784,101 @@ dosetopt(int optno, int value, int force + return -1; + } else if(optno == PRIVILEGED && !value) { + /* unsetting PRIVILEGED causes the shell to make itself unprivileged */ +-#ifdef HAVE_SETUID +- int ignore_err; +- errno = 0; +- /* +- * Set the GID first as if we set the UID to non-privileged it +- * might be impossible to restore the GID. +- * +- * Some OSes (possibly no longer around) have been known to +- * fail silently the first time, so we attempt the change twice. +- * If it fails we are guaranteed to pick this up the second +- * time, so ignore the first time. +- * +- * Some versions of gcc make it hard to ignore the results the +- * first time, hence the following. (These are probably not +- * systems that require the doubled calls.) +- */ +- ignore_err = setgid(getgid()); +- (void)ignore_err; +- ignore_err = setuid(getuid()); +- (void)ignore_err; +- if (setgid(getgid())) { +- zwarn("failed to change group ID: %e", errno); +- return -1; +- } else if (setuid(getuid())) { +- zwarn("failed to change user ID: %e", errno); +- return -1; ++ ++ int skip_setuid = 0; ++ int skip_setgid = 0; ++ ++#if defined(HAVE_GETEGID) && defined(HAVE_SETGID) && defined(HAVE_GETUID) ++ int orig_egid = getegid(); ++#endif ++ ++#if defined(HAVE_GETEUID) && defined(HAVE_GETUID) ++ if (geteuid() == getuid()) { ++ skip_setuid = 1; ++ } ++#endif ++ ++#if defined(HAVE_GETEGID) && defined(HAVE_GETGID) ++ if (getegid() == getgid()) { ++ skip_setgid = 1; ++ } ++#endif ++ ++ if (!skip_setgid) { ++ int setgid_err; ++#ifdef HAVE_SETRESGID ++ setgid_err = setresgid(getgid(), getgid(), getgid()); ++#elif defined(HAVE_SETREGID) ++#if defined(HAVE_GETEGID) && defined(HAVE_SETGID) && defined(HAVE_GETUID) ++ setgid_err = setregid(getgid(), getgid()); ++#else ++ zwarnnam("unsetopt", ++ "PRIVILEGED: can't drop privileges; setregid available, but cannot check if saved gid changed"); ++ return -1; ++#endif ++#else ++ zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; setresgid and setregid not available"); ++ return -1; ++#endif ++ if (setgid_err) { ++ zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; failed to change group ID: %e", errno); ++ return -1; ++ } + } ++ ++ if (!skip_setuid) { ++#if defined(HAVE_GETEUID) && defined(HAVE_SETUID) ++ int orig_euid = geteuid(); ++#endif ++ int setuid_err; ++#if defined(HAVE_GETEUID) && defined(HAVE_INITGROUPS) && defined(HAVE_GETPWUID) ++ if (geteuid() == 0) { ++ struct passwd *pw = getpwuid(getuid()); ++ if (pw == NULL) { ++ zwarnnam("unsetopt", "can't drop privileges; failed to get user information for uid %d: %e", ++ getuid(), errno); ++ return -1; ++ } ++ if (initgroups(pw->pw_name, pw->pw_gid)) { ++ zwarnnam("unsetopt", "can't drop privileges; failed to set supplementary group list: %e", errno); ++ return -1; ++ } ++ } ++#endif ++ ++#ifdef HAVE_SETRESUID ++ setuid_err = setresuid(getuid(), getuid(), getuid()); ++#elif defined(HAVE_SETREUID) ++#if defined(HAVE_GETEUID) && defined(HAVE_SETUID) && defined(HAVE_GETUID) ++ setuid_err = setreuid(getuid(), getuid()); ++#else ++ zwarnnam("unsetopt", ++ "PRIVILEGED: can't drop privileges; setreuid available, but cannot check if saved uid changed"); ++ return -1; ++#endif + #else +- zwarn("setuid not available"); +- return -1; +-#endif /* not HAVE_SETUID */ ++ zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; setresuid and setreuid not available"); ++ return -1; ++#endif ++ if (setuid_err) { ++ zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; failed to change user ID: %e", errno); ++ return -1; ++ } ++#if defined(HAVE_GETEUID) && defined(HAVE_SETUID) && defined(HAVE_GETUID) ++ if (getuid() != 0 && !setuid(orig_euid)) { ++ zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; was able to restore the euid"); ++ return -1; ++ } ++#endif ++ } ++ ++#if defined(HAVE_GETEGID) && defined(HAVE_SETGID) && defined(HAVE_GETUID) ++ if (getuid() != 0 && !skip_setgid && !setgid(orig_egid)) { ++ zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; was able to restore the egid"); ++ return -1; ++ } ++#endif ++ + #ifdef JOB_CONTROL + } else if (!force && optno == MONITOR && value) { + if (new_opts[optno] == value) +--- zsh-5.4.2.orig/configure.ac ++++ zsh-5.4.2/configure.ac +@@ -1300,7 +1300,9 @@ AC_CHECK_FUNCS(strftime strptime mktime + inet_aton inet_pton inet_ntop \ + getlogin getpwent getpwnam getpwuid getgrgid getgrnam \ + initgroups nis_list \ +- setuid seteuid setreuid setresuid setsid \ ++ getuid setuid seteuid setreuid setresuid setsid \ ++ getgid setgid setegid setregid setresgid \ ++ geteuid getegid \ + memcpy memmove strstr strerror strtoul \ + getrlimit getrusage \ + setlocale \ diff -Nru zsh-5.4.2/debian/patches/CVE-2019-20044-2.patch zsh-5.4.2/debian/patches/CVE-2019-20044-2.patch --- zsh-5.4.2/debian/patches/CVE-2019-20044-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ zsh-5.4.2/debian/patches/CVE-2019-20044-2.patch 2022-03-11 13:45:15.000000000 +0000 @@ -0,0 +1,545 @@ +From 8250c5c168f07549ed646e6848e6dda118271e23 Mon Sep 17 00:00:00 2001 +From: Daniel Shahaf +Date: Thu, 26 Dec 2019 09:16:19 +0000 +Subject: [PATCH] Improve PRIVILEGED fixes +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +- Fix retval handling in bin_setopt() + +- Don't skip_setuid / skip_setgid. It's not our place to optimize away noops + (that might not even _be_ noops; they might change the saved uid…). + +- Remove HAVE_* guard checks around functions that are used unguarded elsewhere. + +- Use bsd-setres_id.c from OpenSSH to provide setresuid() / setresgid() + everywhere, and thus simplify the ifdef soup. Fix some preëxisting + bugs in the macro definitions of setuid() (do we still need that one?). + +- Fix zwarning() format codes for variadic arguments type safety + +- Restored a comment from HEAD + +- Fix failure modes around initgroups() + +- Compared privilege restoration code with OpenSSH's permanently_drop_uid() and + updated as needed + +- Add E01 PRIVILEGED sanity checks +--- + Src/openssh_bsd_setres_id.c | 129 +++++++++++++++++++++++++++++++ + Src/options.c | 148 ++++++++++++++++-------------------- + Src/zsh.mdd | 3 +- + Src/zsh_system.h | 94 ++++++++++++++++++----- + Test/E01options.ztst | 15 ++++ + configure.ac | 5 +- + 6 files changed, 292 insertions(+), 102 deletions(-) + create mode 100644 Src/openssh_bsd_setres_id.c + +--- /dev/null ++++ zsh-5.4.2/Src/openssh_bsd_setres_id.c +@@ -0,0 +1,129 @@ ++/* ++ * Copyright (c) 2012 Darren Tucker (dtucker at zip com au). ++ * ++ * Permission to use, copy, modify, and distribute this software for any ++ * purpose with or without fee is hereby granted, provided that the above ++ * copyright notice and this permission notice appear in all copies. ++ * ++ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES ++ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF ++ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ++ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES ++ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ++ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF ++ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. ++ */ ++/* ++ * openssh_bsd_setres_id.c - setresuid() and setresgid() wrappers ++ * ++ * This file is part of zsh, the Z shell. ++ * ++ * It is based on the file openbsd-compat/bsd-setres_id.c in OpenSSH 7.9p1, ++ * which is subject to the copyright notice above. The zsh modifications are ++ * licensed as follows: ++ * ++ * Copyright (c) 2019 Daniel Shahaf ++ * All rights reserved. ++ * ++ * Permission is hereby granted, without written agreement and without ++ * license or royalty fees, to use, copy, modify, and distribute this ++ * software and to distribute modified versions of this software for any ++ * purpose, provided that the above copyright notice and the following ++ * two paragraphs appear in all copies of this software. ++ * ++ * In no event shall Daniel Shahaf or the Zsh Development Group be liable ++ * to any party for direct, indirect, special, incidental, or consequential ++ * damages arising out of the use of this software and its documentation, ++ * even if Daniel Shahaf and the Zsh Development Group have been advised of ++ * the possibility of such damage. ++ * ++ * Daniel Shahaf and the Zsh Development Group specifically disclaim any ++ * warranties, including, but not limited to, the implied warranties of ++ * merchantability and fitness for a particular purpose. The software ++ * provided hereunder is on an "as is" basis, and Daniel Shahaf and the ++ * Zsh Development Group have no obligation to provide maintenance, ++ * support, updates, enhancements, or modifications. ++ * ++ */ ++ ++ ++#include ++ ++#include ++#include ++#include ++ ++#include "zsh.mdh" ++ ++#if defined(ZSH_IMPLEMENT_SETRESGID) || defined(BROKEN_SETRESGID) ++int ++setresgid(gid_t rgid, gid_t egid, gid_t sgid) ++{ ++ int ret = 0, saved_errno; ++ ++ if (rgid != sgid) { ++ errno = ENOSYS; ++ return -1; ++ } ++#if defined(ZSH_HAVE_NATIVE_SETREGID) && !defined(BROKEN_SETREGID) ++ if (setregid(rgid, egid) < 0) { ++ saved_errno = errno; ++ zwarnnam("setregid", "to gid %L: %e", (long)rgid, errno); ++ errno = saved_errno; ++ ret = -1; ++ } ++#else ++ if (setegid(egid) < 0) { ++ saved_errno = errno; ++ zwarnnam("setegid", "to gid %L: %e", (long)(unsigned int)egid, errno); ++ errno = saved_errno; ++ ret = -1; ++ } ++ if (setgid(rgid) < 0) { ++ saved_errno = errno; ++ zwarnnam("setgid", "to gid %L: %e", (long)rgid, errno); ++ errno = saved_errno; ++ ret = -1; ++ } ++#endif ++ return ret; ++} ++#endif ++ ++#if defined(ZSH_IMPLEMENT_SETRESUID) || defined(BROKEN_SETRESUID) ++int ++setresuid(uid_t ruid, uid_t euid, uid_t suid) ++{ ++ int ret = 0, saved_errno; ++ ++ if (ruid != suid) { ++ errno = ENOSYS; ++ return -1; ++ } ++#if defined(ZSH_HAVE_NATIVE_SETREUID) && !defined(BROKEN_SETREUID) ++ if (setreuid(ruid, euid) < 0) { ++ saved_errno = errno; ++ zwarnnam("setreuid", "to uid %L: %e", (long)ruid, errno); ++ errno = saved_errno; ++ ret = -1; ++ } ++#else ++ ++# ifndef SETEUID_BREAKS_SETUID ++ if (seteuid(euid) < 0) { ++ saved_errno = errno; ++ zwarnnam("seteuid", "to uid %L: %e", (long)euid, errno); ++ errno = saved_errno; ++ ret = -1; ++ } ++# endif ++ if (setuid(ruid) < 0) { ++ saved_errno = errno; ++ zwarnnam("setuid", "to uid %L: %e", (long)ruid, errno); ++ errno = saved_errno; ++ ret = -1; ++ } ++#endif ++ return ret; ++} ++#endif +--- zsh-5.4.2.orig/Src/options.c ++++ zsh-5.4.2/Src/options.c +@@ -605,25 +605,21 @@ bin_setopt(char *nam, char **args, UNUSE + } + if(!(optno = optlookup(*args))) { + zwarnnam(nam, "no such option: %s", *args); +- retval = 1; +- } else { +- retval = !!dosetopt(optno, action, 0, opts); +- if (retval) { +- zwarnnam(nam, "can't change option: %s", *args); +- } ++ retval |= 1; ++ } else if (dosetopt(optno, action, 0, opts)) { ++ zwarnnam(nam, "can't change option: %s", *args); ++ retval |= 1; + } + break; + } else if(**args == 'm') { + match = 1; + } else { +- if (!(optno = optlookupc(**args))) { ++ if (!(optno = optlookupc(**args))) { + zwarnnam(nam, "bad option: -%c", **args); +- retval = 1; +- } else { +- retval = !!dosetopt(optno, action, 0, opts); +- if (retval) { +- zwarnnam(nam, "can't change option: -%c", **args); +- } ++ retval |= 1; ++ } else if (dosetopt(optno, action, 0, opts)) { ++ zwarnnam(nam, "can't change option: -%c", **args); ++ retval |= 1; + } + } + } +@@ -636,12 +632,10 @@ bin_setopt(char *nam, char **args, UNUSE + while (*args) { + if(!(optno = optlookup(*args++))) { + zwarnnam(nam, "no such option: %s", args[-1]); +- retval = 1; +- } else { +- retval = !!dosetopt(optno, !isun, 0, opts); +- if (retval) { +- zwarnnam(nam, "can't change option: %s", args[-1]); +- } ++ retval |= 1; ++ } else if (dosetopt(optno, !isun, 0, opts)) { ++ zwarnnam(nam, "can't change option: %s", args[-1]); ++ retval |= 1; + } + } + } else { +@@ -665,7 +659,7 @@ bin_setopt(char *nam, char **args, UNUSE + tokenize(s); + if (!(pprog = patcompile(s, PAT_HEAPDUP, NULL))) { + zwarnnam(nam, "bad pattern: %s", *args); +- retval = 1; ++ retval |= 1; + break; + } + /* Loop over expansions. */ +@@ -785,100 +779,92 @@ dosetopt(int optno, int value, int force + } else if(optno == PRIVILEGED && !value) { + /* unsetting PRIVILEGED causes the shell to make itself unprivileged */ + +- int skip_setuid = 0; +- int skip_setgid = 0; +- +-#if defined(HAVE_GETEGID) && defined(HAVE_SETGID) && defined(HAVE_GETUID) +- int orig_egid = getegid(); +-#endif +- +-#if defined(HAVE_GETEUID) && defined(HAVE_GETUID) +- if (geteuid() == getuid()) { +- skip_setuid = 1; +- } +-#endif ++ /* If set, return -1 so lastval will be non-zero. */ ++ int failed = 0; + +-#if defined(HAVE_GETEGID) && defined(HAVE_GETGID) +- if (getegid() == getgid()) { +- skip_setgid = 1; +- } ++#ifdef HAVE_SETUID ++ const int orig_euid = geteuid(); + #endif ++ const int orig_egid = getegid(); + +- if (!skip_setgid) { +- int setgid_err; +-#ifdef HAVE_SETRESGID +- setgid_err = setresgid(getgid(), getgid(), getgid()); +-#elif defined(HAVE_SETREGID) +-#if defined(HAVE_GETEGID) && defined(HAVE_SETGID) && defined(HAVE_GETUID) +- setgid_err = setregid(getgid(), getgid()); +-#else +- zwarnnam("unsetopt", +- "PRIVILEGED: can't drop privileges; setregid available, but cannot check if saved gid changed"); ++ /* ++ * Set the GID first as if we set the UID to non-privileged it ++ * might be impossible to restore the GID. ++ */ ++ { ++#ifndef HAVE_SETRESGID ++ zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; setresgid() and friends not available"); + return -1; +-#endif + #else +- zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; setresgid and setregid not available"); +- return -1; +-#endif ++ int setgid_err; ++ setgid_err = setresgid(getgid(), getgid(), getgid()); + if (setgid_err) { + zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; failed to change group ID: %e", errno); + return -1; + } ++#endif + } + +- if (!skip_setuid) { +-#if defined(HAVE_GETEUID) && defined(HAVE_SETUID) +- int orig_euid = geteuid(); +-#endif ++ /* Set the UID second. */ ++ { ++#ifndef HAVE_SETRESUID ++ zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; setresuid() and friends not available"); ++ return -1; ++#else + int setuid_err; +-#if defined(HAVE_GETEUID) && defined(HAVE_INITGROUPS) && defined(HAVE_GETPWUID) ++ ++# ifdef HAVE_INITGROUPS ++ /* Set the supplementary groups list. */ + if (geteuid() == 0) { + struct passwd *pw = getpwuid(getuid()); + if (pw == NULL) { +- zwarnnam("unsetopt", "can't drop privileges; failed to get user information for uid %d: %e", +- getuid(), errno); +- return -1; +- } +- if (initgroups(pw->pw_name, pw->pw_gid)) { ++ zwarnnam("unsetopt", "can't drop privileges; failed to get user information for uid %L: %e", ++ (long)getuid(), errno); ++ failed = 1; ++ } else if (initgroups(pw->pw_name, pw->pw_gid)) { + zwarnnam("unsetopt", "can't drop privileges; failed to set supplementary group list: %e", errno); + return -1; + } ++ } else if (getuid() != 0 && ++ (geteuid() != getuid() || orig_egid != getegid())) { ++ zwarnnam("unsetopt", "PRIVILEGED: supplementary group list not changed due to lack of permissions: EUID=%L", ++ (long)geteuid()); ++ failed = 1; + } +-#endif ++# else ++ /* initgroups() isn't in POSIX. If it's not available on the system, ++ * we silently skip it. */ ++# endif + +-#ifdef HAVE_SETRESUID + setuid_err = setresuid(getuid(), getuid(), getuid()); +-#elif defined(HAVE_SETREUID) +-#if defined(HAVE_GETEUID) && defined(HAVE_SETUID) && defined(HAVE_GETUID) +- setuid_err = setreuid(getuid(), getuid()); +-#else +- zwarnnam("unsetopt", +- "PRIVILEGED: can't drop privileges; setreuid available, but cannot check if saved uid changed"); +- return -1; +-#endif +-#else +- zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; setresuid and setreuid not available"); +- return -1; +-#endif + if (setuid_err) { + zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; failed to change user ID: %e", errno); + return -1; + } +-#if defined(HAVE_GETEUID) && defined(HAVE_SETUID) && defined(HAVE_GETUID) +- if (getuid() != 0 && !setuid(orig_euid)) { +- zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; was able to restore the euid"); +- return -1; +- } + #endif + } + +-#if defined(HAVE_GETEGID) && defined(HAVE_SETGID) && defined(HAVE_GETUID) +- if (getuid() != 0 && !skip_setgid && !setgid(orig_egid)) { ++#ifdef HAVE_SETGID ++ if (getuid() != 0 && orig_egid != getegid() && ++ (setgid(orig_egid) != -1 || setegid(orig_egid) != -1)) { + zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; was able to restore the egid"); + return -1; + } + #endif + ++#ifdef HAVE_SETUID ++ if (getuid() != 0 && orig_euid != geteuid() && ++ (setuid(orig_euid) != -1 || seteuid(orig_euid) != -1)) { ++ zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; was able to restore the euid"); ++ return -1; ++ } ++#endif ++ ++ if (failed) { ++ /* A warning message has been printed. */ ++ return -1; ++ } ++ + #ifdef JOB_CONTROL + } else if (!force && optno == MONITOR && value) { + if (new_opts[optno] == value) +--- zsh-5.4.2.orig/Src/zsh.mdd ++++ zsh-5.4.2/Src/zsh.mdd +@@ -13,7 +13,8 @@ objects="builtin.o compat.o cond.o conte + exec.o glob.o hashtable.o hashnameddir.o \ + hist.o init.o input.o jobs.o lex.o linklist.o loop.o math.o \ + mem.o module.o options.o params.o parse.o pattern.o prompt.o signals.o \ +-signames.o sort.o string.o subst.o text.o utils.o watch.o" ++signames.o sort.o string.o subst.o text.o utils.o watch.o \ ++openssh_bsd_setres_id.o" + + headers="../config.h zsh_system.h zsh.h sigcount.h signals.h \ + prototypes.h hashtable.h ztype.h" +--- zsh-5.4.2.orig/Src/zsh_system.h ++++ zsh-5.4.2/Src/zsh_system.h +@@ -456,30 +456,90 @@ struct timezone { + # define setpgrp setpgid + #endif + +-/* can we set the user/group id of a process */ ++/* compatibility wrappers */ + +-#ifndef HAVE_SETUID ++/* Our strategy is as follows: ++ * ++ * - Ensure that either setre[ug]id() or set{e,}[ug]id() is available. ++ * - If setres[ug]id() are missing, provide them in terms of either ++ * setre[ug]id() or set{e,}[ug]id(), whichever is available. ++ * - Provide replacement setre[ug]id() or set{e,}[ug]id() if they are not ++ * available natively. ++ * ++ * There isn't a circular dependency because, right off the bat, we check that ++ * there's an end condition, and #error out otherwise. ++ */ ++#if !defined(HAVE_SETREUID) && !(defined(HAVE_SETEUID) && defined(HAVE_SETUID)) ++ /* ++ * If you run into this error, you have two options: ++ * - Teach zsh how to do the equivalent of setreuid() on your system ++ * - Remove support for PRIVILEGED option, and then remove the #error. ++ */ ++# error "Don't know how to change UID" ++#endif ++#if !defined(HAVE_SETREGID) && !(defined(HAVE_SETEGID) && defined(HAVE_SETGID)) ++ /* See above comment. */ ++# error "Don't know how to change GID" ++#endif ++ ++/* Provide setresuid(). */ ++#ifndef HAVE_SETRESUID ++int setresuid(uid_t, uid_t, uid_t); ++# define HAVE_SETRESUID ++# define ZSH_IMPLEMENT_SETRESUID + # ifdef HAVE_SETREUID +-# define setuid(X) setreuid(X,X) +-# define setgid(X) setregid(X,X) +-# define HAVE_SETUID ++# define ZSH_HAVE_NATIVE_SETREUID ++# endif ++#endif ++ ++/* Provide setresgid(). */ ++#ifndef HAVE_SETRESGID ++int setresgid(gid_t, gid_t, gid_t); ++# define HAVE_SETRESGID ++# define ZSH_IMPLEMENT_SETRESGID ++# ifdef HAVE_SETREGID ++# define ZSH_HAVE_NATIVE_SETREGID + # endif + #endif + +-/* can we set the effective user/group id of a process */ ++/* Provide setreuid(). */ ++#ifndef HAVE_SETREUID ++# define setreuid(X, Y) setresuid((X), (Y), -1) ++# define HAVE_SETREUID ++#endif ++ ++/* Provide setregid(). */ ++#ifndef HAVE_SETREGID ++# define setregid(X, Y) setresgid((X), (Y), -1) ++# define HAVE_SETREGID ++#endif + ++/* Provide setuid(). */ ++/* ### TODO: Either remove this (this function has been standard since 1985), ++ * ### or rewrite this without multiply-evaluating the argument */ ++#ifndef HAVE_SETUID ++# define setuid(X) setreuid((X), (X)) ++# define HAVE_SETUID ++#endif ++ ++/* Provide setgid(). */ ++#ifndef HAVE_SETGID ++/* ### TODO: Either remove this (this function has been standard since 1985), ++ * ### or rewrite this without multiply-evaluating the argument */ ++# define setgid(X) setregid((X), (X)) ++# define HAVE_SETGID ++#endif ++ ++/* Provide seteuid(). */ + #ifndef HAVE_SETEUID +-# ifdef HAVE_SETREUID +-# define seteuid(X) setreuid(-1,X) +-# define setegid(X) setregid(-1,X) +-# define HAVE_SETEUID +-# else +-# ifdef HAVE_SETRESUID +-# define seteuid(X) setresuid(-1,X,-1) +-# define setegid(X) setresgid(-1,X,-1) +-# define HAVE_SETEUID +-# endif +-# endif ++# define seteuid(X) setreuid(-1, (X)) ++# define HAVE_SETEUID ++#endif ++ ++/* Provide setegid(). */ ++#ifndef HAVE_SETEGID ++# define setegid(X) setregid(-1, (X)) ++# define HAVE_SETEGID + #endif + + #ifdef HAVE_SYS_RESOURCE_H +--- zsh-5.4.2.orig/Test/E01options.ztst ++++ zsh-5.4.2/Test/E01options.ztst +@@ -1369,3 +1369,18 @@ + ?(anon):4: `break' active at end of function scope + ?(anon):4: `break' active at end of function scope + ?(anon):4: `break' active at end of function scope ++ ++# There are further tests for PRIVILEGED in P01privileged.ztst. ++ if [[ -o privileged ]]; then ++ unsetopt privileged ++ fi ++ unsetopt privileged ++0:PRIVILEGED sanity check: unsetting is idempotent ++F:If this test fails at the first unsetopt, refer to P01privileged.ztst. ++ ++ if [[ -o privileged ]]; then ++ (( UID != EUID )) ++ else ++ (( UID == EUID )) ++ fi ++0:PRIVILEGED sanity check: default value is correct +--- zsh-5.4.2.orig/configure.ac ++++ zsh-5.4.2/configure.ac +@@ -1300,9 +1300,8 @@ AC_CHECK_FUNCS(strftime strptime mktime + inet_aton inet_pton inet_ntop \ + getlogin getpwent getpwnam getpwuid getgrgid getgrnam \ + initgroups nis_list \ +- getuid setuid seteuid setreuid setresuid setsid \ +- getgid setgid setegid setregid setresgid \ +- geteuid getegid \ ++ setuid seteuid setreuid setresuid setsid \ ++ setgid setegid setregid setresgid \ + memcpy memmove strstr strerror strtoul \ + getrlimit getrusage \ + setlocale \ diff -Nru zsh-5.4.2/debian/patches/CVE-2019-20044-3.patch zsh-5.4.2/debian/patches/CVE-2019-20044-3.patch --- zsh-5.4.2/debian/patches/CVE-2019-20044-3.patch 1970-01-01 00:00:00.000000000 +0000 +++ zsh-5.4.2/debian/patches/CVE-2019-20044-3.patch 2022-03-11 13:45:25.000000000 +0000 @@ -0,0 +1,151 @@ +From 26d02efa7a9b0a6b32e1a8bbc6aca6c544b94211 Mon Sep 17 00:00:00 2001 +From: dana +Date: Sun, 29 Dec 2019 02:41:11 +0000 +Subject: [PATCH] Improve PRIVILEGED fixes (again) + +* Pass RGID instead of passwd GID to initgroups() + +* Clean up #ifdefs, avoid unnecessary checks + +* Flatten conditions +--- + Src/options.c | 92 ++++++++++++++++++++++++--------------------------- + 1 file changed, 43 insertions(+), 49 deletions(-) + +--- zsh-5.4.2.orig/Src/options.c ++++ zsh-5.4.2/Src/options.c +@@ -779,91 +779,85 @@ dosetopt(int optno, int value, int force + } else if(optno == PRIVILEGED && !value) { + /* unsetting PRIVILEGED causes the shell to make itself unprivileged */ + ++/* For simplicity's sake, require both setresgid() and setresuid() up-front. */ ++#if !defined(HAVE_SETRESGID) ++ zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; setresgid() and friends not available"); ++ return -1; ++#elif !defined(HAVE_SETRESUID) ++ zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; setresuid() and friends not available"); ++ return -1; ++#else + /* If set, return -1 so lastval will be non-zero. */ + int failed = 0; +- +-#ifdef HAVE_SETUID + const int orig_euid = geteuid(); +-#endif + const int orig_egid = getegid(); + + /* + * Set the GID first as if we set the UID to non-privileged it + * might be impossible to restore the GID. + */ +- { +-#ifndef HAVE_SETRESGID +- zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; setresgid() and friends not available"); ++ if (setresgid(getgid(), getgid(), getgid())) { ++ zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; failed to change group ID: %e", errno); + return -1; +-#else +- int setgid_err; +- setgid_err = setresgid(getgid(), getgid(), getgid()); +- if (setgid_err) { +- zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; failed to change group ID: %e", errno); +- return -1; +- } +-#endif + } + +- /* Set the UID second. */ +- { +-#ifndef HAVE_SETRESUID +- zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; setresuid() and friends not available"); +- return -1; +-#else +- int setuid_err; +- + # ifdef HAVE_INITGROUPS +- /* Set the supplementary groups list. */ +- if (geteuid() == 0) { +- struct passwd *pw = getpwuid(getuid()); +- if (pw == NULL) { +- zwarnnam("unsetopt", "can't drop privileges; failed to get user information for uid %L: %e", +- (long)getuid(), errno); +- failed = 1; +- } else if (initgroups(pw->pw_name, pw->pw_gid)) { +- zwarnnam("unsetopt", "can't drop privileges; failed to set supplementary group list: %e", errno); +- return -1; +- } +- } else if (getuid() != 0 && +- (geteuid() != getuid() || orig_egid != getegid())) { +- zwarnnam("unsetopt", "PRIVILEGED: supplementary group list not changed due to lack of permissions: EUID=%L", +- (long)geteuid()); ++ /* Set the supplementary groups list. ++ * ++ * Note that on macOS, FreeBSD, and possibly some other platforms, ++ * initgroups() resets the EGID to its second argument (see setgroups(2) for ++ * details). This has the potential to leave the EGID in an unexpected ++ * state. However, it seems common in other projects that do this dance to ++ * simply re-use the same GID that's going to become the EGID anyway, in ++ * which case it doesn't matter. That's what we do here. It's therefore ++ * possible, in some probably uncommon cases, that the shell ends up not ++ * having the privileges of the RUID user's primary/passwd group. */ ++ if (geteuid() == 0) { ++ struct passwd *pw = getpwuid(getuid()); ++ if (pw == NULL) { ++ zwarnnam("unsetopt", "can't drop privileges; failed to get user information for uid %L: %e", ++ (long)getuid(), errno); + failed = 1; ++ /* This may behave strangely in the unlikely event that the same user ++ * name appears with multiple UIDs in the passwd database */ ++ } else if (initgroups(pw->pw_name, getgid())) { ++ zwarnnam("unsetopt", "can't drop privileges; failed to set supplementary group list: %e", errno); ++ return -1; + } ++ } else if (getuid() != 0 && ++ (geteuid() != getuid() || orig_egid != getegid())) { ++ zwarnnam("unsetopt", "PRIVILEGED: supplementary group list not changed due to lack of permissions: EUID=%L", ++ (long)geteuid()); ++ failed = 1; ++ } + # else +- /* initgroups() isn't in POSIX. If it's not available on the system, +- * we silently skip it. */ ++ /* initgroups() isn't in POSIX. If it's not available on the system, ++ * we silently skip it. */ + # endif + +- setuid_err = setresuid(getuid(), getuid(), getuid()); +- if (setuid_err) { +- zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; failed to change user ID: %e", errno); +- return -1; +- } +-#endif ++ /* Set the UID second. */ ++ if (setresuid(getuid(), getuid(), getuid())) { ++ zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; failed to change user ID: %e", errno); ++ return -1; + } + +-#ifdef HAVE_SETGID + if (getuid() != 0 && orig_egid != getegid() && + (setgid(orig_egid) != -1 || setegid(orig_egid) != -1)) { + zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; was able to restore the egid"); + return -1; + } +-#endif + +-#ifdef HAVE_SETUID + if (getuid() != 0 && orig_euid != geteuid() && + (setuid(orig_euid) != -1 || seteuid(orig_euid) != -1)) { + zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; was able to restore the euid"); + return -1; + } +-#endif + + if (failed) { + /* A warning message has been printed. */ + return -1; + } ++#endif /* HAVE_SETRESGID && HAVE_SETRESUID */ + + #ifdef JOB_CONTROL + } else if (!force && optno == MONITOR && value) { diff -Nru zsh-5.4.2/debian/patches/CVE-2019-20044-4.patch zsh-5.4.2/debian/patches/CVE-2019-20044-4.patch --- zsh-5.4.2/debian/patches/CVE-2019-20044-4.patch 1970-01-01 00:00:00.000000000 +0000 +++ zsh-5.4.2/debian/patches/CVE-2019-20044-4.patch 2022-03-11 13:45:30.000000000 +0000 @@ -0,0 +1,90 @@ +From 4ce66857b71b40a0661df3780ff557f2b0f4cb13 Mon Sep 17 00:00:00 2001 +From: dana +Date: Sun, 29 Dec 2019 02:43:14 +0000 +Subject: [PATCH] Clean up error-message white space + +--- + Src/options.c | 30 +++++++++++++++++++++--------- + 1 file changed, 21 insertions(+), 9 deletions(-) + +--- zsh-5.4.2.orig/Src/options.c ++++ zsh-5.4.2/Src/options.c +@@ -781,10 +781,12 @@ dosetopt(int optno, int value, int force + + /* For simplicity's sake, require both setresgid() and setresuid() up-front. */ + #if !defined(HAVE_SETRESGID) +- zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; setresgid() and friends not available"); ++ zwarnnam("unsetopt", ++ "PRIVILEGED: can't drop privileges; setresgid() and friends not available"); + return -1; + #elif !defined(HAVE_SETRESUID) +- zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; setresuid() and friends not available"); ++ zwarnnam("unsetopt", ++ "PRIVILEGED: can't drop privileges; setresuid() and friends not available"); + return -1; + #else + /* If set, return -1 so lastval will be non-zero. */ +@@ -797,7 +799,9 @@ dosetopt(int optno, int value, int force + * might be impossible to restore the GID. + */ + if (setresgid(getgid(), getgid(), getgid())) { +- zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; failed to change group ID: %e", errno); ++ zwarnnam("unsetopt", ++ "PRIVILEGED: can't drop privileges; failed to change group ID: %e", ++ errno); + return -1; + } + +@@ -815,18 +819,22 @@ dosetopt(int optno, int value, int force + if (geteuid() == 0) { + struct passwd *pw = getpwuid(getuid()); + if (pw == NULL) { +- zwarnnam("unsetopt", "can't drop privileges; failed to get user information for uid %L: %e", ++ zwarnnam("unsetopt", ++ "can't drop privileges; failed to get user information for uid %L: %e", + (long)getuid(), errno); + failed = 1; + /* This may behave strangely in the unlikely event that the same user + * name appears with multiple UIDs in the passwd database */ + } else if (initgroups(pw->pw_name, getgid())) { +- zwarnnam("unsetopt", "can't drop privileges; failed to set supplementary group list: %e", errno); ++ zwarnnam("unsetopt", ++ "can't drop privileges; failed to set supplementary group list: %e", ++ errno); + return -1; + } + } else if (getuid() != 0 && + (geteuid() != getuid() || orig_egid != getegid())) { +- zwarnnam("unsetopt", "PRIVILEGED: supplementary group list not changed due to lack of permissions: EUID=%L", ++ zwarnnam("unsetopt", ++ "PRIVILEGED: supplementary group list not changed due to lack of permissions: EUID=%L", + (long)geteuid()); + failed = 1; + } +@@ -837,19 +845,23 @@ dosetopt(int optno, int value, int force + + /* Set the UID second. */ + if (setresuid(getuid(), getuid(), getuid())) { +- zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; failed to change user ID: %e", errno); ++ zwarnnam("unsetopt", ++ "PRIVILEGED: can't drop privileges; failed to change user ID: %e", ++ errno); + return -1; + } + + if (getuid() != 0 && orig_egid != getegid() && + (setgid(orig_egid) != -1 || setegid(orig_egid) != -1)) { +- zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; was able to restore the egid"); ++ zwarnnam("unsetopt", ++ "PRIVILEGED: can't drop privileges; was able to restore the egid"); + return -1; + } + + if (getuid() != 0 && orig_euid != geteuid() && + (setuid(orig_euid) != -1 || seteuid(orig_euid) != -1)) { +- zwarnnam("unsetopt", "PRIVILEGED: can't drop privileges; was able to restore the euid"); ++ zwarnnam("unsetopt", ++ "PRIVILEGED: can't drop privileges; was able to restore the euid"); + return -1; + } + diff -Nru zsh-5.4.2/debian/patches/CVE-2019-20044-5.patch zsh-5.4.2/debian/patches/CVE-2019-20044-5.patch --- zsh-5.4.2/debian/patches/CVE-2019-20044-5.patch 1970-01-01 00:00:00.000000000 +0000 +++ zsh-5.4.2/debian/patches/CVE-2019-20044-5.patch 2022-03-11 13:45:34.000000000 +0000 @@ -0,0 +1,248 @@ +From b15bd4aa590db8087d1e8f2eb1af2874f5db814d Mon Sep 17 00:00:00 2001 +From: dana +Date: Sat, 28 Dec 2019 20:45:55 -0600 +Subject: [PATCH] Add unsetopt/PRIVILEGED tests + +--- + Test/E01options.ztst | 10 +- + Test/P01privileged.ztst | 197 ++++++++++++++++++++++++++++++++++++++++ + Test/README | 1 + + 3 files changed, 207 insertions(+), 1 deletion(-) + create mode 100644 Test/P01privileged.ztst + +--- zsh-5.4.2.orig/Test/E01options.ztst ++++ zsh-5.4.2/Test/E01options.ztst +@@ -74,7 +74,6 @@ + # HASH_LIST_ALL ) + # PRINT_EXIT_STATUS haven't worked out what this does yet, although + # Bart suggested a fix. +-# PRIVILEGED (similar to GLOBAL_RCS) + # RCS ( " " " " ) + # SH_OPTION_LETTERS even I found this too dull to set up a test for + # SINGLE_COMMAND kills shell +@@ -95,6 +94,15 @@ + + %test + ++ # setopt should move on to the next operation in the face of an error, but ++ # preserve the >0 return code ++ unsetopt aliases ++ setopt not_a_real_option aliases && return 2 ++ print -r - $options[aliases] ++0:setopt error handling ++?(eval):setopt:4: no such option: not_a_real_option ++>on ++ + alias echo='print foo' + unsetopt aliases + # use eval else aliases are all parsed at start +--- /dev/null ++++ zsh-5.4.2/Test/P01privileged.ztst +@@ -0,0 +1,197 @@ ++# This file contains tests related to the PRIVILEGED option. In order to run, ++# it requires that the test process itself have super-user privileges (or that ++# one of the environment variables described below be set). This can be achieved ++# via, e.g., `sudo make check TESTNUM=P`. ++# ++# Optionally, the environment variables ZSH_TEST_UNPRIVILEGED_UID and/or ++# ZSH_TEST_UNPRIVILEGED_GID may be set to UID:EUID or GID:EGID pairs, where the ++# two IDs in each pair are different, non-0 IDs valid on the system being used ++# to run the tests. (The UIDs must both be non-0 to effectively test downgrading ++# of privileges, and they must be non-matching to test auto-enabling of ++# PRIVILEGED and to ensure that disabling PRIVILEGED correctly resets the saved ++# UID. Technically GID 0 is not special, but for simplicity's sake we apply the ++# same requirements here.) ++# ++# If either of the aforementioned environment variables is not set, the test ++# script will try to pick the first two >0 IDs from the passwd/group databases ++# on the current system. ++# ++# If either variable is set, the tests will run, but they will likely fail ++# without super-user privileges. ++ ++%prep ++ ++ # Mind your empty lines here. The logic in this %prep section is somewhat ++ # complex compared to most others; to avoid lots of nested/duplicated ++ # conditions we need to make sure that this all gets executed as a single ++ # function from which we can return early ++ [[ $EUID == 0 || -n $ZSH_TEST_UNPRIVILEGED_UID$ZSH_TEST_UNPRIVILEGED_GID ]] || { ++ ZTST_unimplemented='PRIVILEGED tests require super-user privileges (or env var)' ++ return 1 ++ } ++ (( $+commands[perl] )) || { # @todo Eliminate this dependency with a C wrapper? ++ ZTST_unimplemented='PRIVILEGED tests require Perl' ++ return 1 ++ } ++ grep -qE '#define HAVE_SETRES?UID' $ZTST_testdir/../config.h || { ++ ZTST_unimplemented='PRIVILEGED tests require setreuid()/setresuid()' ++ return 1 ++ } ++ # ++ ruid= euid= rgid= egid= ++ # ++ if [[ -n $ZSH_TEST_UNPRIVILEGED_UID ]]; then ++ ruid=${ZSH_TEST_UNPRIVILEGED_UID%%:*} ++ euid=${ZSH_TEST_UNPRIVILEGED_UID##*:} ++ else ++ print -ru$ZTST_fd 'Selecting unprivileged UID:EUID pair automatically' ++ local tmp=$( getent passwd 2> /dev/null || < /etc/passwd ) ++ # Note: Some awks require -v and its argument to be separate ++ ruid=$( awk -F: '$3 > 0 { print $3; exit; }' <<< $tmp ) ++ euid=$( awk -F: -v u=$ruid '$3 > u { print $3; exit; }' <<< $tmp ) ++ fi ++ # ++ if [[ -n $ZSH_TEST_UNPRIVILEGED_GID ]]; then ++ rgid=${ZSH_TEST_UNPRIVILEGED_GID%%:*} ++ egid=${ZSH_TEST_UNPRIVILEGED_GID##*:} ++ else ++ print -ru$ZTST_fd 'Selecting unprivileged GID:EGID pair automatically' ++ local tmp=$( getent group 2> /dev/null || < /etc/group ) ++ # Note: Some awks require -v and its argument to be separate ++ rgid=$( awk -F: '$3 > 0 { print $3; exit; }' <<< $tmp ) ++ egid=$( awk -F: -v g=$rgid '$3 > g { print $3; exit; }' <<< $tmp ) ++ fi ++ # ++ [[ $ruid/$euid == <1->/<1-> && $ruid != $euid ]] || ruid= euid= ++ [[ $rgid/$egid == <1->/<1-> && $rgid != $egid ]] || rgid= egid= ++ # ++ [[ -n $ruid && -n $euid ]] || { ++ ZTST_unimplemented='PRIVILEGED tests require unprivileged UID:EUID' ++ return 1 ++ } ++ [[ -n $rgid || -n $egid ]] || { ++ ZTST_unimplemented='PRIVILEGED tests require unprivileged GID:EGID' ++ return 1 ++ } ++ # ++ print -ru$ZTST_fd \ ++ "Using unprivileged UID $ruid, EUID $euid, GID $rgid, EGID $egid" ++ # ++ # Execute process with specified UID and EUID ++ # $1 => Real UID ++ # $2 => Effective UID ++ # $3 => Real GID ++ # $4 => Effective GID ++ # $5 ... => Command + args to execute (must NOT be a shell command string) ++ re_exec() { ++ perl -e ' ++ die("re_exec: not enough arguments") unless (@ARGV >= 5); ++ my ($ruid, $euid, $rgid, $egid, @cmd) = @ARGV; ++ foreach my $id ($ruid, $euid, $rgid, $egid) { ++ die("re_exec: invalid ID: $id") unless ($id =~ /^(-1|\d+)$/a); ++ } ++ $< = 0 + $ruid if ($ruid >= 0); ++ $> = 0 + $euid if ($euid >= 0); ++ $( = 0 + $rgid if ($rgid >= 0); ++ $) = 0 + $egid if ($egid >= 0); ++ exec(@cmd); ++ die("re_exec: exec failed: $!"); ++ ' -- "$@" ++ } ++ # ++ # Convenience wrapper for re_exec to call `zsh -c` ++ # -* ... => (optional) Command-line options to zsh ++ # $1 => Real UID ++ # $2 => Effective UID ++ # $3 => Real GID ++ # $4 => Effective GID ++ # $5 ... => zsh command string; multiple strings are joined by \n ++ re_zsh() { ++ local -a opts ++ while [[ $1 == -[A-Za-z-]* ]]; do ++ opts+=( $1 ) ++ shift ++ done ++ re_exec "$1" "$2" "$3" "$4" $ZTST_exe $opts -fc \ ++ "MODULE_PATH=${(q)MODULE_PATH}; ${(F)@[5,-1]}" ++ } ++ # ++ # Return one or more random unused UIDs ++ # $1 ... => Names of parameters to store UIDs in ++ get_unused_uid() { ++ while (( $# )); do ++ local i_=0 uid_= ++ until [[ -n $uid_ ]]; do ++ (( ++i_ > 99 )) && return 1 ++ uid_=$RANDOM ++ id $uid_ &> /dev/null || break ++ uid_= ++ done ++ : ${(P)1::=$uid_} ++ shift ++ done ++ } ++ ++%test ++ ++ re_zsh $ruid $ruid -1 -1 'echo $UID/$EUID $options[privileged]' ++ re_zsh $euid $euid -1 -1 'echo $UID/$EUID $options[privileged]' ++ re_zsh $ruid $euid -1 -1 'echo $UID/$EUID $options[privileged]' ++0q:PRIVILEGED automatically enabled when RUID != EUID ++>$ruid/$ruid off ++>$euid/$euid off ++>$ruid/$euid on ++ ++ re_zsh -1 -1 $rgid $rgid 'echo $GID/$EGID $options[privileged]' ++ re_zsh -1 -1 $egid $egid 'echo $GID/$EGID $options[privileged]' ++ re_zsh -1 -1 $rgid $egid 'echo $GID/$EGID $options[privileged]' ++0q:PRIVILEGED automatically enabled when RGID != EGID ++>$rgid/$rgid off ++>$egid/$egid off ++>$rgid/$egid on ++ ++ re_zsh $ruid $euid -1 -1 'unsetopt privileged; echo $UID/$EUID' ++0q:EUID set to RUID after disabling PRIVILEGED ++*?zsh:unsetopt:1: PRIVILEGED: supplementary group list not changed * ++*?zsh:unsetopt:1: can't change option: privileged ++>$ruid/$ruid ++ ++ re_zsh 0 $euid -1 -1 'unsetopt privileged && echo $UID/$EUID' ++0:RUID/EUID set to 0/0 when privileged after disabling PRIVILEGED ++>0/0 ++ ++ re_zsh $ruid $euid -1 -1 "unsetopt privileged; UID=$euid" || ++ re_zsh $ruid $euid -1 -1 "unsetopt privileged; EUID=$euid" ++1:not possible to regain EUID when unprivileged after disabling PRIVILEGED ++*?zsh:unsetopt:1: PRIVILEGED: supplementary group list not changed * ++*?zsh:unsetopt:1: can't change option: privileged ++*?zsh:1: failed to change user ID: * ++*?zsh:unsetopt:1: PRIVILEGED: supplementary group list not changed * ++*?zsh:unsetopt:1: can't change option: privileged ++*?zsh:1: failed to change effective user ID: * ++ ++ re_zsh -1 -1 $rgid $egid 'unsetopt privileged && echo $GID/$EGID' ++0q:EGID set to RGID after disabling PRIVILEGED ++>$rgid/$rgid ++ ++# This test also confirms that we can't revert to the original EUID's primary ++# GID, which initgroups() may reset the EGID to on some systems ++ re_zsh $ruid 0 $rgid 0 'unsetopt privileged; GID=0' || ++ re_zsh $ruid 0 $rgid 0 'unsetopt privileged; EGID=0' ++1:not possible to regain EGID when unprivileged after disabling PRIVILEGED ++*?zsh:1: failed to change group ID: * ++*?zsh:1: failed to change effective group ID: * ++ ++ local rruid ++ grep -qF '#define HAVE_INITGROUPS' $ZTST_testdir/../config.h || { ++ ZTST_skip='initgroups() not available' ++ return 1 ++ } ++ get_unused_uid rruid || { ++ ZTST_skip="Can't get unused UID" ++ return 1 ++ } ++ re_zsh $rruid 0 -1 -1 'unsetopt privileged' ++1:getpwuid() fails with non-existent RUID and 0 EUID ++*?zsh:unsetopt:1: can't drop privileges; failed to get user information * ++*?zsh:unsetopt:1: can't change option: privileged +--- zsh-5.4.2.orig/Test/README ++++ zsh-5.4.2/Test/README +@@ -6,6 +6,7 @@ scripts names: + C: shell commands with special syntax + D: substititution + E: options ++ P: privileged (needs super-user privileges) + V: modules + W: builtin interactive commands and constructs + X: line editing diff -Nru zsh-5.4.2/debian/patches/CVE-2019-20044-pre.patch zsh-5.4.2/debian/patches/CVE-2019-20044-pre.patch --- zsh-5.4.2/debian/patches/CVE-2019-20044-pre.patch 1970-01-01 00:00:00.000000000 +0000 +++ zsh-5.4.2/debian/patches/CVE-2019-20044-pre.patch 2022-03-11 13:44:53.000000000 +0000 @@ -0,0 +1,71 @@ +From f37c181b29149c6829cc8a86f7348335a08d9670 Mon Sep 17 00:00:00 2001 +From: Peter Stephenson +Date: Fri, 15 Jun 2018 10:27:29 +0100 +Subject: [PATCH] 43008: Improve code to remove privileges. + +Remove warnings of unused values as we always check the finally +result later. + +Put segid before setuid as the setgid could fail if UID +no longer privileged. +--- + ChangeLog | 6 ++++++ + Src/options.c | 31 ++++++++++++++++++++++++------- + 2 files changed, 30 insertions(+), 7 deletions(-) + +#diff --git a/ChangeLog b/ChangeLog +#index 6c9172b77..0a83ee93f 100644 +#--- a/ChangeLog +#+++ b/ChangeLog +#@@ -1,3 +1,9 @@ +#+2018-06-15 Peter Stephenson +#+ +#+ * 43008: Src/otpions.c: combine suggestion from Sebastain to +#+ silence warnings for double setgid/setuid with suggestion +#+ from Eitan to put setgid first. +#+ +# 2018-06-13 dana +# +# * 42992: Completion/Unix/Command/_bash: Fix minor escaping bug +--- zsh-5.4.2.orig/Src/options.c ++++ zsh-5.4.2/Src/options.c +@@ -768,15 +768,32 @@ dosetopt(int optno, int value, int force + } else if(optno == PRIVILEGED && !value) { + /* unsetting PRIVILEGED causes the shell to make itself unprivileged */ + #ifdef HAVE_SETUID +- setuid(getuid()); +- setgid(getgid()); +- if (setuid(getuid())) { +- zwarn("failed to change user ID: %e", errno); +- return -1; +- } else if (setgid(getgid())) { ++ int ignore_err; ++ errno = 0; ++ /* ++ * Set the GID first as if we set the UID to non-privileged it ++ * might be impossible to restore the GID. ++ * ++ * Some OSes (possibly no longer around) have been known to ++ * fail silently the first time, so we attempt the change twice. ++ * If it fails we are guaranteed to pick this up the second ++ * time, so ignore the first time. ++ * ++ * Some versions of gcc make it hard to ignore the results the ++ * first time, hence the following. (These are probably not ++ * systems that require the doubled calls.) ++ */ ++ ignore_err = setgid(getgid()); ++ (void)ignore_err; ++ ignore_err = setuid(getuid()); ++ (void)ignore_err; ++ if (setgid(getgid())) { + zwarn("failed to change group ID: %e", errno); + return -1; +- } ++ } else if (setuid(getuid())) { ++ zwarn("failed to change user ID: %e", errno); ++ return -1; ++ } + #else + zwarn("setuid not available"); + return -1; diff -Nru zsh-5.4.2/debian/patches/CVE-2021-45444.patch zsh-5.4.2/debian/patches/CVE-2021-45444.patch --- zsh-5.4.2/debian/patches/CVE-2021-45444.patch 1970-01-01 00:00:00.000000000 +0000 +++ zsh-5.4.2/debian/patches/CVE-2021-45444.patch 2022-03-11 13:46:35.000000000 +0000 @@ -0,0 +1,56 @@ +From c187154f47697cdbf822c2f9d714d570ed4a0fd1 Mon Sep 17 00:00:00 2001 +From: Oliver Kiddle +Date: Wed, 15 Dec 2021 01:56:40 +0100 +Subject: [PATCH] security/41: Don't perform PROMPT_SUBST evaluation on %F/%K + arguments + +Mitigates CVE-2021-45444 +--- + ChangeLog | 5 +++++ + Src/prompt.c | 10 ++++++++++ + 2 files changed, 15 insertions(+) + +#diff --git a/ChangeLog b/ChangeLog +#index 8d7dfc169..eb248ec06 100644 +#--- a/ChangeLog +#+++ b/ChangeLog +#@@ -1,3 +1,8 @@ +#+2022-01-27 dana +#+ +#+ * Oliver Kiddle: security/41: Src/prompt.c: Prevent recursive +#+ PROMPT_SUBST +#+ +# 2020-02-14 dana +# +# * unposted: Config/version.mk: Update for 5.8 +diff --git a/Src/prompt.c b/Src/prompt.c +index b65bfb86b..91e21c8e9 100644 +--- a/Src/prompt.c ++++ b/Src/prompt.c +@@ -244,6 +244,12 @@ parsecolorchar(zattr arg, int is_fg) + bv->fm += 2; /* skip over F{ */ + if ((ep = strchr(bv->fm, '}'))) { + char oc = *ep, *col, *coll; ++ int ops = opts[PROMPTSUBST], opb = opts[PROMPTBANG]; ++ int opp = opts[PROMPTPERCENT]; ++ ++ opts[PROMPTPERCENT] = 1; ++ opts[PROMPTSUBST] = opts[PROMPTBANG] = 0; ++ + *ep = '\0'; + /* expand the contents of the argument so you can use + * %v for example */ +@@ -252,6 +258,10 @@ parsecolorchar(zattr arg, int is_fg) + arg = match_colour((const char **)&coll, is_fg, 0); + free(col); + bv->fm = ep; ++ ++ opts[PROMPTSUBST] = ops; ++ opts[PROMPTBANG] = opb; ++ opts[PROMPTPERCENT] = opp; + } else { + arg = match_colour((const char **)&bv->fm, is_fg, 0); + if (*bv->fm != '}') +-- +2.32.0 + diff -Nru zsh-5.4.2/debian/patches/series zsh-5.4.2/debian/patches/series --- zsh-5.4.2/debian/patches/series 2018-09-10 20:02:45.000000000 +0000 +++ zsh-5.4.2/debian/patches/series 2022-03-11 13:46:35.000000000 +0000 @@ -7,3 +7,10 @@ CVE-2018-1083.patch CVE-2018-0502-and-CVE-2018-13259.patch CVE-2018-1100.patch +CVE-2019-20044-pre.patch +CVE-2019-20044-1.patch +CVE-2019-20044-2.patch +CVE-2019-20044-3.patch +CVE-2019-20044-4.patch +CVE-2019-20044-5.patch +CVE-2021-45444.patch