Fedora has issued an advisory on March 5:
https://lists.fedoraproject.org/pipermail/package-announce/2015-March/151847.html

Fedora updated it to 1.16 and added a patch to fix this issue in this commit:
http://pkgs.fedoraproject.org/cgit/tcllib.git/commit/?h=f21&id=ef43118e860831d125864519ac2dca25de4e7ad7

The upstream bug and commit to fix this issue are linked in the RedHat bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1197669

Mageia 4 and Mageia 5 are affected.
Whiteboard: (none) => MGA5TOO, MGA4TOO
Assignee: bugsquad => joequant
Ping? Joseph, you are the maintainer of most of the packages that require this one.
Pushed the fix to cauldron
Thanks Joseph!

Updated and patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated tcl-tcllib package fixes security vulnerability:

tcllib is vulnerable to a Cross-Site-Scripting (XSS) issue in html::textarea.

References:
https://lists.fedoraproject.org/pipermail/package-announce/2015-March/151847.html
========================

Updated packages in core/updates_testing:
========================
tcl-tcllib-1.16-1.mga4

from tcl-tcllib-1.16-1.mga4.src.rpm
CC: (none) => joequant
Version: Cauldron => 4
Assignee: joequant => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => (none)
Testing MGA4.1 32 and 64 bit, Vbox hardware

Following procedure here: http://www.tldp.org/HOWTO/TclTk-HOWTO-5.html to execute a rudimentary proc. in MGA4.1 32 and 64 bit architectures on vbox
CC: (none) => vzawalin1
Whiteboard: (none) => has_procedure
There is a PoC if you want to experiment with it Vlad
http://core.tcl.tk/tcllib/tktview/09110adc430de8c91d26015f9697cdd099755e63
Thank you Claire and Shlomi, for your respective tips!
CC: (none) => shlomif
(In reply to Vladimir Zawalinski from comment #6)
> Thank you Claire and Shlomi, for your respective tips!

What are you talking about? I didn't say anything about this bug.
(In reply to Shlomi Fish from comment #7)
> (In reply to Vladimir Zawalinski from comment #6)
> > Thank you Claire and Shlomi, for your respective tips!
>
> What are you talking about? I didn't say anything about this bug.

Apologies. You didn't. I had both bug reports open as well as email and inadvertently got my comments mixed. I was referring to your post on 15803.
(In reply to Vladimir Zawalinski from comment #8)
> (In reply to Shlomi Fish from comment #7)
> > (In reply to Vladimir Zawalinski from comment #6)
> > > Thank you Claire and Shlomi, for your respective tips!
> >
> > What are you talking about? I didn't say anything about this bug.
>
> Apologies. You didn't. I had both bug reports open as well as email and
> inadvertently got my comments mixed. I was referring to your post on 15803.

I see. Thanks for the clarification.
(In reply to claire robinson from comment #5)
> There is a PoC if you want to experiment with it Vlad
> http://core.tcl.tk/tcllib/tktview/09110adc430de8c91d26015f9697cdd099755e63

Claire, the web example quoted in the PoC in examples.com no longer exists. To follow that avenue through I would have to learn a bit of Tcl/Tk, something that I don't necessarily want to do right now, nor is there enough time to do so. So I am taking the approach that it is assumed the developers have plugged the security hole and it is not necessary to do that, but it is necessary to show that Tcl-lib as patched for the bug has not introduced other problems.

I have executed two rudimentary scripts, before and after updating from "updates-testing" for each architecture. The first throws a GUI window and offers a button to close. It is irrelevant to the testing since it also executed when tcl-tcllib was removed. The second executes the example shown on the tcl ticket that you provided. This script does depend on the presence of tcl-tcllib, and executed as expected before and after application of the update.

Version of tcl-tcllib before the update was 1.13.3.mga4
Version of tcl-tcllib after the update was 1.16.1.mga4 (noarch.rpm)

I therefore conclude that there was no regression to rudimentary functionality in Mageia4.1 32 bit environment using the test performed.
CC: shlomif => (none)
CC: (none) => eeeemail
example.com usually means replace it with a domain of your choice. You could use localhost for example. It looks like it will open an alert window, which is how this sort of thing is normally demonstrated.

Your testing is fine though, well done! 64bit next then please and then we can validate it.

Email from bugs assigned to QA comes to qa-bugs ML so it's best not to add yourself to CC for updates or you'll get two emails each time.
CC: eeeemail => (none)
Please remember to add the relevant whiteboard marker for your tests when you're happy with the result.
(In reply to claire robinson from comment #12)
> Please remember to add the relevant whiteboard marker for your tests when
> you're happy with the result.

Thanks for the reassurance. Will update the whiteboard after I have completed the 64 bit tests.
CC: vzawalin1 => (none)
Created attachment 6459 [details] test log for 64 bit test
Same test process as for 32 bit test. Ran the test script shown at end of attachment. This needs 'ncgi' which is in tcl-tcllib. This was run for tcl-tcllib versions 1.13.3 and 1.16.1 respectively. No difference in results so conclude no observable regression in rudimentary functionality
Whiteboard: has_procedure => has_procedure MGA4-32-OK MGA4-64-OK
Attachment 6459 mime type: application/octet-stream => text/plain
Well done Vlad. Congratulations on your first update!

Confirmed with..

$ tclsh
% package require ncgi
package require html
::ncgi::parse
::ncgi::header
puts [::html::textarea ta]
puts textarea
puts ta
1.4.2
% 1.4
% % % Content-Type: text/html
% <textarea name="ta"></textarea>
% textarea
% ta

No obvious regression.

Validating. Advisory uploaded.

Please push to 4 updates

Thanks!
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure advisory MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs
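The tests in this thread confirm only that html::textarea still runs after the update. As an added example (not code from this bug report or from tcllib), the script below goes one step further and checks whether the installed tcllib escapes a submitted field value. It assumes tclsh with tcl-tcllib installed; the probe string and the field name "ta" are constructed for the check, and the request is simulated in-process with ncgi::reset, so no web server is needed.

```tcl
#!/usr/bin/env tclsh
# Added verification script: does html::textarea escape the CGI value it echoes?
package require ncgi
package require html

# Constructed probe: markup that would end the textarea early if emitted raw.
set probe {</textarea><script>alert(1)</script>}

# Simulate a form submission carrying the probe in field "ta".
::ncgi::reset "ta=[::ncgi::encode $probe]" application/x-www-form-urlencoded
::ncgi::parse

# Same call as in the smoke test above; the value now comes from the request.
set out [::html::textarea ta]

puts "ncgi [package present ncgi], html [package present html]"
puts $out

# If the literal <script> tag survives into the output, the value was
# inserted without HTML escaping and the package still needs the update.
if {[string first "<script>" $out] >= 0} {
    puts "FAIL: field value is emitted unescaped"
    exit 1
}

# The probe text should still be present, but only in escaped form.
if {[string first "script" $out] < 0} {
    puts "INCONCLUSIVE: probe did not reach the output, check the request setup"
    exit 2
}

puts "OK: field value is escaped"
exit 0
```

Run it once before and once after installing the package from updates_testing; the exit status changing from 1 to 0 shows the fix itself, not just the absence of a regression.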
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0201.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED