| Name | CVE-2021-35331 |
| Description | In Tcl 8.6.11, a format string vulnerability in nmakehlp.c might allow code execution via a crafted file. NOTE: multiple third parties dispute the significance of this finding |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| tcl8.6 (PTS) | buster | 8.6.9+dfsg-2 | vulnerable |
| bullseye | 8.6.11+dfsg-1 | vulnerable |
| bookworm | 8.6.13+dfsg-2 | vulnerable |
| sid, trixie | 8.6.14+dfsg-1 | vulnerable |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|
| tcl8.6 | source | (unstable) | (unfixed) | unimportant | | |
Notes
https://core.tcl-lang.org/tcl/info/28ef6c0c741408a2
https://core.tcl-lang.org/tcl/info/bad6cc213dfe8280
https://github.com/tcltk/tcl/commit/4705dbdde2f32ff90420765cd93e7ac71d81a222
https://sqlite.org/forum/info/7dcd751996c93ec9
Various other sources would embedd a copy as well, but the security impact of
the issue tself for tcl is disputed in its significance.