CVE-2021-35331

NameCVE-2021-35331
Description** DISPUTED ** In Tcl 8.6.11, a format string vulnerability in nmakehlp.c might allow code execution via a crafted file. NOTE: multiple third parties dispute the significance of this finding.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
tcl8.6 (PTS)stretch8.6.6+dfsg-1vulnerable
buster8.6.9+dfsg-2vulnerable
bookworm, sid, bullseye8.6.11+dfsg-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
tcl8.6source(unstable)(unfixed)unimportant

Notes

https://core.tcl-lang.org/tcl/info/28ef6c0c741408a2
https://core.tcl-lang.org/tcl/info/bad6cc213dfe8280
https://github.com/tcltk/tcl/commit/4705dbdde2f32ff90420765cd93e7ac71d81a222
https://sqlite.org/forum/info/7dcd751996c93ec9
Various other sources would embedd a copy as well, but the security impact of
the issue tself for tcl is disputed in its significance.

Search for package or bug name: Reporting problems