Name | CVE-2021-35331 |
Description | In Tcl 8.6.11, a format string vulnerability in nmakehlp.c might allow code execution via a crafted file. NOTE: multiple third parties dispute the significance of this finding |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Vulnerable and fixed packages
The table below lists information on source packages.
Source Package | Release | Version | Status |
---|
tcl8.5 (PTS) | jessie | 8.5.17-1 | vulnerable |
| stretch | 8.5.19-2 | vulnerable |
tcl8.6 (PTS) | jessie | 8.6.2+dfsg-2 | vulnerable |
| stretch | 8.6.6+dfsg-1 | vulnerable |
| buster | 8.6.9+dfsg-2 | vulnerable |
| bullseye | 8.6.11+dfsg-1 | vulnerable |
| bookworm | 8.6.13+dfsg-2 | vulnerable |
| sid, trixie | 8.6.15+dfsg-2 | vulnerable |
The information below is based on the following data on fixed versions.
Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
---|
tcl8.5 | source | (unstable) | (unfixed) | unimportant | | |
tcl8.6 | source | (unstable) | (unfixed) | unimportant | | |
Notes
https://core.tcl-lang.org/tcl/info/28ef6c0c741408a2
https://core.tcl-lang.org/tcl/info/bad6cc213dfe8280
https://github.com/tcltk/tcl/commit/4705dbdde2f32ff90420765cd93e7ac71d81a222
https://sqlite.org/forum/info/7dcd751996c93ec9
Various other sources would embedd a copy as well, but the security impact of
the issue tself for tcl is disputed in its significance.