[MBT] new ticket for pkg tcl "Insecure file access "
bugs at pld.org.pl
Thu Mar 20 14:18:51 CET 2003
Date: 2003-03-20 14:18:48+01 Author: (kreutzm) <kreutzm at itp.uni-hannover.de>
Title: Insecure file access
Ticket ID: #613
Ticket URL: http://bugs.pld.org.pl/?bug=613
Package: tcl-1:8.3.4-6
Distribution: PLD-1.0.main
Category: unknown
Current state: opened
Text:
The tcl/tk package searched for its libraries in the current working directory before other directories, which could allow local users to execute arbitrary code by writing a Trojan horse library that is under a user-controlled directory.
See RHSA-2002:148-06
According to the CAN, version 8.3.1 is affected; I did not find any note, however, on whether this problem is fixed upstream. Since PLD shipped only two more revisions after this problem was announced and the changelog of these two does not indicate any patch, PLD might be affected as well, although a newer version is shipped in PLD.