| Name | CVE-2017-17533 |
| Description | default.tcl in Tkabber 1.1 does not validate strings before launching ... |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Originally assigned for src:tkabber
https://sources.debian.org/src/tkabber/1.1-1/default.tcl/?hl=118#L118
TCL's exec call does not involve the shell. It does its own argument parsing
which safely forwards the content of any variable. No command injection is
thus possible. See https://tcl.tk/man/tcl/TclCmd/exec.htm
MITRE only considers this as DISPUTED rather than fully REJECT The CVE.