CVE-2021-35331

NameCVE-2021-35331
DescriptionIn Tcl 8.6.11, a format string vulnerability in nmakehlp.c might allow code execution via a crafted file. NOTE: multiple third parties dispute the significance of this finding
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
tcl8.5 (PTS)jessie8.5.17-1vulnerable
stretch8.5.19-2vulnerable
tcl8.6 (PTS)jessie8.6.2+dfsg-2vulnerable
stretch8.6.6+dfsg-1vulnerable
buster8.6.9+dfsg-2vulnerable
bullseye8.6.11+dfsg-1vulnerable
bookworm8.6.13+dfsg-2vulnerable
sid, trixie8.6.15+dfsg-2vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
tcl8.5source(unstable)(unfixed)unimportant
tcl8.6source(unstable)(unfixed)unimportant

Notes

https://core.tcl-lang.org/tcl/info/28ef6c0c741408a2
https://core.tcl-lang.org/tcl/info/bad6cc213dfe8280
https://github.com/tcltk/tcl/commit/4705dbdde2f32ff90420765cd93e7ac71d81a222
https://sqlite.org/forum/info/7dcd751996c93ec9
Various other sources would embedd a copy as well, but the security impact of
the issue tself for tcl is disputed in its significance.

Search for package or bug name: Reporting problems