CVE-2019-20044: 
NixOS vulnerability analysis and mitigation

In Zsh before 5.8, attackers able to execute commands can regain privileges dropped by the --no-PRIVILEGED option. Zsh fails to overwrite the saved uid, so the original privileges can be restored by executing MODULE_PATH=/dir/with/module zmodload with a module that calls setuid() (CVE, ZSH Release).

The vulnerability exists in the privilege-dropping mechanism when the PRIVILEGED option is unset. While the shell sets its effective user and group IDs to match their respective real IDs, it fails to properly handle the saved user ID. On affected platforms (including Linux and macOS), when both RUID and EUID were non-zero, it was possible to regain the shell's former privileges by manipulating the EUID or EGID parameters (Debian Security).

An attacker who can execute commands in a privileged Zsh shell can regain elevated privileges even after they are explicitly dropped using the --no-PRIVILEGED option. This could lead to unauthorized privilege escalation (Gentoo Security).

The vulnerability was fixed in Zsh version 5.8. Users should upgrade to this version or later. The fix ensures proper handling of privileges when unsetting the PRIVILEGED option and improves error reporting when privilege dropping fails (Fedora Update).

The vulnerability was considered a "minor vulnerability" by the Zsh development team, though it was still addressed in a security release. Multiple Linux distributions and Apple released security updates to address this issue in their packaged versions of Zsh (ZSH Announce).