From 048f40b68b05fdd5f3f8d60cda4e69fce2611331 Mon Sep 17 00:00:00 2001 From: dana Date: Tue, 31 Dec 2019 03:41:28 -0600 Subject: Update NEWS/README --- NEWS | 18 ++++++++++++++++-- README | 11 +++++++++-- 2 files changed, 25 insertions(+), 4 deletions(-) diff --git a/NEWS b/NEWS index af59cb4e6..964e1633f 100644 --- a/NEWS +++ b/NEWS @@ -4,8 +4,22 @@ CHANGES FROM PREVIOUS VERSIONS OF ZSH Note also the list of incompatibilities in the README file. -Changes since 5.7.1 -------------------- +Changes since 5.7.1-test-3 +-------------------------- + +CVE-2019-20044: When unsetting the PRIVILEGED option, the shell sets its +effective user and group IDs to match their respective real IDs. On some +platforms (including Linux and macOS, but not FreeBSD), when the RUID and +EUID were both non-zero, it was possible to regain the shell's former +privileges by e.g. assigning to the EUID or EGID parameter. In the course +of investigating this issue, it was also found that the setopt built-in +did not correctly report errors when unsetting the option, which +prevented users from handling them as the documentation recommended. +setopt now returns non-zero if it is unable to safely drop privileges. +[ Reported by Sam Foxman . ] + +Changes from 5.7.1 to 5.7.1-test-3 +---------------------------------- The zsh/zutil module's zparseopts builtin learnt an -F option to abort parsing when an unrecognised option-like parameter is encountered. diff --git a/README b/README index a3701abe5..7f1dd5f92 100644 --- a/README +++ b/README @@ -5,8 +5,9 @@ THE Z SHELL (ZSH) Version ------- -This is version 5.8 of the shell. This is a stable release. There are -a few visible improvements since 5.7 as well as many bugfixes. +This is version 5.8 of the shell. This is a security and feature release. +There are a few visible improvements since 5.7, as well as many bugfixes. +All zsh installations are encouraged to upgrade as soon as possible. Note in particular the changes highlighted under "Incompatibilities since 5.7.1" below. See NEWS for more information. @@ -56,6 +57,12 @@ This only affects you if you override that function in your dotfiles. The cd and chdir builtins no longer interpret operands like -1 and +2 as stack entries when POSIX_CD is enabled. +Dropping privileges with `unsetopt privileged` may fail (with an error +message) on some older and uncommon platforms due to library dependency +changes made in the course of fixing CVE-2019-20044. Please report this +to the zsh-workers mailing list if your system is affected. See NEWS for +more. + Incompatibilities between 5.6.2 and 5.7.1 ----------------------------------------- -- cgit 1.4.1