| Summary: | tcl-tcllib new XSS security issue | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | joequant, sysadmin-bugs, vzawalin1 |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/636948/ | ||
| Whiteboard: | has_procedure advisory MGA4-32-OK MGA4-64-OK | ||
| Source RPM: | tcl-tcllib-1.13-5.mga5.src.rpm | CVE: | |
| Status comment: | |||
| Attachments: | test log for 64 bit test | ||
Description

David Walser
2015-03-16 20:41:17 CET

David Walser
2015-03-16 20:41:54 CET
Whiteboard: (none) => MGA5TOO, MGA4TOO
David Walser
2015-03-26 18:37:58 CET
Assignee: bugsquad => joequant

Ping? Joseph, you are the maintainer of most of the packages that require this one.

Pushed the fix to cauldron

Thanks Joseph! Updated and patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated tcl-tcllib package fixes security vulnerability:

tcllib is vulnerable to a Cross-Site-Scripting (XSS) issue in html::textarea.

References:
https://lists.fedoraproject.org/pipermail/package-announce/2015-March/151847.html
========================

Updated packages in core/updates_testing:
========================
tcl-tcllib-1.16-1.mga4

from tcl-tcllib-1.16-1.mga4.src.rpm

CC: (none) => joequant

Testing MGA4.1 32 and 64 bit, Vbox hardware

Following procedure here: http://www.tldp.org/HOWTO/TclTk-HOWTO-5.html to execute a rudimentary proc. in MGA4.1 32 and 64 bit architectures on vbox

CC: (none) => vzawalin1

Vladimir Zawalinski
2015-05-05 10:56:33 CEST
Whiteboard: (none) => has_procedure

There is a PoC if you want to experiment with it Vlad
http://core.tcl.tk/tcllib/tktview/09110adc430de8c91d26015f9697cdd099755e63

Thank you Claire and Shlomi, for your respective tips!

CC: (none) => shlomif

(In reply to Vladimir Zawalinski from comment #6)
> Thank you Claire and Shlomi, for your respective tips!

What are you talking about? I didn't say anything about this bug.

(In reply to Shlomi Fish from comment #7)
> (In reply to Vladimir Zawalinski from comment #6)
> > Thank you Claire and Shlomi, for your respective tips!
>
> What are you talking about? I didn't say anything about this bug.

Apologies. You didn't. I had both bug reports open as well as email and inadvertently got my comments mixed. I was referring to your post on 15803.

(In reply to Vladimir Zawalinski from comment #8)
> (In reply to Shlomi Fish from comment #7)
> > (In reply to Vladimir Zawalinski from comment #6)
> > > Thank you Claire and Shlomi, for your respective tips!
> >
> > What are you talking about? I didn't say anything about this bug.
>
> Apologies. You didn't. I had both bug reports open as well as email and
> inadvertently got my comments mixed. I was referring to your post on 15803.

I see. Thanks for the clarification.

(In reply to claire robinson from comment #5)
> There is a PoC if you want to experiment with it Vlad
> http://core.tcl.tk/tcllib/tktview/09110adc430de8c91d26015f9697cdd099755e63

Claire, the web example quoted in the PoC in examples.com no longer exists. To follow that avenue through I would have to learn a bit of Tcl/Tk, something that I don't necessarily want to do right now, nor is there enough time to do so.

So I am taking the approach that it is assumed the developers have plugged the security hole and it is not necessary to do that, but it is necessary to show that Tcl-lib as patched for the bug has not introduced other problems.

I have executed two rudimentary scripts, before and after updating from "updates-testing" for each architecture.

The first throws a GUI window and offers a button to close. It is irrelevant to the testing since it also executed when tcl-tcllib was removed.

The second executes the example shown on the tcl ticket that you provided. This script does depend on the presence of tcl-tcllib, and executed as expected before and after application of the update.

Version of tcl-tcllib before the update was 1.13.3.mga4
Version of tcl-tcllib after the update was 1.16.1.mga4 (noarch.rpm)

I therefore conclude that there was no regression to rudimentary functionality in Mageia4.1 32 bit environment using the test performed.
Vladimir Zawalinski
2015-05-06 08:56:27 CEST
CC: shlomif => (none)

Vladimir Zawalinski
2015-05-06 08:57:06 CEST
CC: (none) => eeeemail

example.com usually means replace it with a domain of your choice. You could use localhost for example. It looks like it will open an alert window, which is how this sort of thing is normally demonstrated.

Your testing is fine though, well done! 64bit next then please and then we can validate it.

Email from bugs assigned to QA comes to qa-bugs ML so it's best not to add yourself to CC for updates or you'll get two emails each time.

CC: eeeemail => (none)

Please remember to add the relevant whiteboard marker for your tests when you're happy with the result.

(In reply to claire robinson from comment #12)
> Please remember to add the relevant whiteboard marker for your tests when
> you're happy with the result.

Thanks for the reassurance. Will update the whiteboard after I have completed the 64 bit tests.

CC: vzawalin1 => (none)

Same test process as for 32 bit test. Ran the test script shown at end of attachment. This needs 'ncgi' which is in tcl-tcllib.

This was run for tcl-tcllib versions 1.13.3 and 1.16.1 respectively. No difference in results so conclude no observable regression in rudimentary functionality.
Vladimir Zawalinski
2015-05-07 09:43:42 CEST
Whiteboard: has_procedure => has_procedure MGA4-32-OK MGA4-64-OK

claire robinson
2015-05-07 10:33:11 CEST
Attachment 6459 mime type: application/octet-stream => text/plain

Well done Vlad. Congratulations on your first update!

Confirmed with..

```
$ tclsh
% package require ncgi
package require html
::ncgi::parse
::ncgi::header
puts [::html::textarea ta]
puts textarea
puts ta
1.4.2
% 1.4
%
%
% Content-Type: text/html
% <textarea name="ta"></textarea>
% textarea
% ta
```

No obvious regression. Validating.

Advisory uploaded. Please push to 4 updates

Thanks!

Keywords: (none) => validated_update

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0201.html

Status: NEW => RESOLVED
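An added regression check for the property the advisory's fix is about, written for this page and not taken from the report or from tcllib: it renders html::textarea with a value containing markup and reports whether that value is HTML-escaped in the output. It assumes only the documented `::html::textarea name ?value?` call from tcl-tcllib; the helper name and the test value are constructed.

```tcl
#!/usr/bin/env tclsh
# Regression check for the html::textarea XSS fix. Constructed for this
# report; it is not tcllib's own test suite. Requires tcl-tcllib (ncgi, html).
package require ncgi
package require html

# Returns 1 when the value rendered inside <textarea> is HTML-escaped,
# 0 when raw markup from the value reaches the page unchanged.
proc textarea_escapes {name value} {
    # No CGI request has been parsed, so the explicit value is rendered.
    set out [::html::textarea $name $value]
    # Extract the element body between the opening and closing tag.
    if {![regexp {<textarea[^>]*>(.*)</textarea>} $out -> body]} {
        error "unexpected output from html::textarea: $out"
    }
    # Safe rendering: no raw '<' or '>' survives in the body, and the
    # entity-encoded form of the angle brackets is present instead.
    return [expr {![string match {*<*} $body]
                  && ![string match {*>*} $body]
                  && [string match {*&lt;*} $body]}]
}

# Constructed test input: a value that would close the element early
# if it were emitted without escaping.
set hostile {</textarea><b>injected</b>}

if {[textarea_escapes ta $hostile]} {
    puts "OK: html::textarea escapes its value:"
    puts [::html::textarea ta $hostile]
    exit 0
} else {
    puts stderr "FAIL: unescaped markup reaches the page:"
    puts stderr [::html::textarea ta $hostile]
    exit 1
}
```

Run it with `tclsh` against the package version under test; a non-zero exit marks the build as still affected, which gives QA a pass/fail check to go with the functional scripts used in this thread.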