ActiveTcl

ActiveTcl and CVE-2015-1793

Question: 

Are ActiveTcl releases affected by CVE-2015-1793?

Answer: 

ActiveTcl 8.4.6.1 is affected. No other releases were shipped with the OpenSSL libraries that have the issue.

Sites where Teacup updates have installed tls versions 1.6.6, 1.6.6.1, or 1.6.7 are also affected.

Mitigation:
tls version 1.6.7.1 will be released with an updated OpenSSL library, and can be installed to patch 8.4.6.1 or replace add-on tls versions in other releases.

Alternatively, you can use teacup to fall back to a tls version prior to 1.6.6, which is not affected.

HeartBleed vulnerability and ActiveTcl

Question: 

Is my version of Community/Business/Enterprise Edition ActiveTcl vulnerable to Heartbleed?

Answer: 

From a running tclsh:

% package require tls

The version of tls will be reported. Interpreters running tls 1.6.2 and 1.6.3 are vulnerable. Some installations of tls 1.6.1 are also vulnerable, depending on the age of the module: installations of v1.6.1 carrying a timestamp newer than Feb 2012 (the TEApot version is affected) are vulnerable.

Unless the tls module has been locally updated,
- Enterprise ActiveTcls shipped before 2012Q2 are unaffected,
- Community/Business Edition ActiveTcl 8.4.19.5 and older are unaffected,
- Community/Business Edition ActiveTcl 8.5.11.0 and older are unaffected,
- Community/Business Edition ActiveTcl 8.6.0.0b6 and older are unaffected

You can mitigate HeartBleed using the TEApot service:

teacup install tls -exact 1.6.3.1

RedHat and "set user" Tcl command

Question: 

We have Redhat 5 and 6, and use pam.ldap. We have noticed that ActiveTcl "set user [id user]" works with RedHat 5, but does not work with RedHat 6.

Answer: 

This results from a change in Red Hat 6 to the C library getpwuid(uid).

ActiveTcl is still built on an older kernel for backwards compatibility, and a program using getpwuid(uid) from an older kernel will not run correctly on Red Hat 6.

The problem can be worked around using:
set user [exec logname]

instead of

set user [id user]

ActiveTcl CVE-2012-5378 Insecure File Permissions Vulnerability

Question: 

We have read the Security alert for CVE-2012-5378, and would like more information.

Answer: 

This is not a new issue, and it's not really an ActiveTcl issue. This vulnerability is a member of a class of vulnerabilities that apply to any software which needs to have a user-writable directory on $PATH. It has been a security concern on Windows for as long as software has been avoiding dll conflicts by using custom library paths.

It is already possible to mitigate the vulnerability by choosing to override the default install path and install to one of the various protected program files silos that newer versions of Windows offer. We don't do this as the default because ActiveTcl has a long legacy of scripts and modules which do not handle spaces in the pathname.

It is also possible to mitigate the vulnerability on an in-place install. This PowerShell command copies the permissions of C:\Program Files to the Tcl directory (replace with your directory name, as installed):

powershell -command "(Get-Item 'C:\Program Files').GetAccessControl('Access') | set-acl 'C:\Tcl'"

Be advised that protecting Tcl from this vulnerability *will* result in reduced functionality. With altered ACLs, teacup will be unable to manage modules unless it is run with elevated privileges.

PowerShell is included in Windows 7. With older versions, you may be able to download it.
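
To check whether an install directory is still user-writable, before or after the permission change above, the following added example (not ActiveState's code) lists ACL entries that grant write access to anyone other than SYSTEM, Administrators or TrustedInstaller, and extends the same check to every directory on PATH. Get-WritableAce is a hypothetical helper name, C:\Tcl is the path used above, and PowerShell 3.0 or later is assumed.

```powershell
# Added example (not ActiveState code): report ACL entries that let principals
# other than SYSTEM, Administrators or TrustedInstaller write into a directory.
# Get-WritableAce is a hypothetical helper name; requires PowerShell 3.0+.
function Get-WritableAce {
    param([Parameter(Mandatory)][string]$Path)

    # WriteData/AppendData permit creating files and subdirectories; the same
    # bits are set inside the Write, Modify and FullControl rights.
    $writeMask   = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData'
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

    # Compare by SID so the check also works on non-English Windows installs.
    $trusted = @(
        'S-1-5-18',      # NT AUTHORITY\SYSTEM
        'S-1-5-32-544',  # BUILTIN\Administrators
        'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
    )

    $sidType = [System.Security.Principal.SecurityIdentifier]
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only entries apply to children, not to this directory itself.
        if ([int]$ace.PropagationFlags -band $inheritOnly) { continue }
        if (-not ([int]$ace.FileSystemRights -band $writeMask)) { continue }

        $sid = $ace.IdentityReference.Value
        if ($trusted -contains $sid) { continue }

        try   { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid }  # unresolvable SID: report it as-is

        [pscustomobject]@{ Path = $Path; Principal = $name; Rights = $ace.FileSystemRights }
    }
}

# Audit the Tcl install directory and, more generally, every directory on PATH.
$dirs = @('C:\Tcl') + ($env:PATH -split ';' | Where-Object { $_ })
$dirs | Sort-Object -Unique |
    Where-Object { Test-Path -LiteralPath $_ -PathType Container } |
    ForEach-Object { Get-WritableAce -Path $_ } |
    Format-Table -AutoSize
```

An empty result for a directory means no non-administrative principal holds a direct write entry on it; any row that remains names a principal that can still place files there.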

What version of ActiveTcl should I use with Windows Vista?

Question: 

What version of ActiveTcl should I use with Windows Vista?

Answer: 

The best version of Tcl to use with Windows Vista is ActiveTcl 8.4.14 or later.

There are currently minor issues with installing and uninstalling, but these are not serious and are being worked on. The demo applications distributed with ActiveTcl all function as expected, including the graphical libraries and Expect.

Note that you will need to right-click the installation file and select "Run as Administrator" for the installation to be successful. This will be fixed in a future release of ActiveTcl.

What version of ActiveTcl will work with my Mac with an Intel processor?

Question: 

What version of ActiveTcl will work with my Mac with an Intel processor?

Answer: 

The first version of ActiveTcl to be built natively for Intel Macs was ActiveTcl 8.4.13.0. Versions before this version were built specifically for PowerPC-based Macs. It may be possible to run the PowerPC version on the Intel Macs, taking advantage of the PowerPC emulation layer in OS X; however, this tends to be quite slow. Therefore, we recommend only using the Intel-specific builds of ActiveTcl 8.4.13.0 or higher on an Intel Mac.

For each build of ActiveTcl 8.4.13.0 and higher there are two files. One file specifies macosx-powerpc, and is of course the build for PowerPC-based Mac OS X systems. The other file specifies macosx-ix86, and is the correct package to install on your Intel Mac.

Where can I get past versions of ActiveTcl?

Question: 

Where can I get past versions of ActiveTcl? Is there an ftp server for ActiveTcl?

Answer: 

Recent past versions of ActiveState Community Edition products are available from our downloads repository via the web at:

http://downloads.activestate.com/

Versions of ActiveState Products which have aged out of Community Edition are still available, but now require a Business Edition license. If you have a Business Edition license, the products to which your license applies become available from your "My Account" page on our site.
http://www.activestate.com/business-edition

There is no ftp server.

Where is Expect?

Question: 

Where is Expect? Older versions of ActiveTcl had an expect executable, but the new versions don't. Where did it go? Why doesn't ActiveTcl 8.5 seem to have Expect anywhere?

Answer: 

Are you running a 64-bit ActiveTcl on Windows?
Expect has not been ported to 64-bit Windows. A Windows 64-bit port of Expect is not trivial, and may not be possible.

-------------------------------------------

Are you running ActiveTcl 8.5.x or 8.6.x?
With ActiveTcl 8.5.x and 8.6.x, the number of extensions shipped with ActiveTcl is limited. This controls size bloat in the installers. Expect is not included inside the installer for ActiveTcl 8.5 or 8.6.

Modules can be downloaded and installed over the internet for ActiveTcl 8.5 and 8.6 through the TEApot package manager. With ActiveTcl installed, Expect can be added from the command line with:
teacup install Expect
You may need to set up your environment if you are running behind a firewall or proxy server. See the user manuals for teacup (or ActivePerl's PPM manager since it requires the same setup).

There is no stand-alone installer for Expect, or any other Tcl package. A package is not a stand-alone product. You must use the framework of TEApot, or find the source-code on the internet and compile/install the package manually.

-----------------------------------------

Are you running ActiveTcl 8.4.x?
Rather than being linked to a different interpreter, in recent versions of ActiveTcl 8.4, Expect has been made into a proper Tcl package. If you have the line:

package require Expect

in your source file before the first use of any Expect functions or variables, you can then run the file using tclsh, without having to use a special interpreter.

------------------------------------------

The TEApot distribution process has an additional benefit, especially important if you cannot get internet access for TEApot. It is possible to install an 8.5 release ON TOP of (into the same directory as) an 8.4 release. This gives you both tclsh and tclsh8.5, wish and wish8.5, fully working demos, plus the complete set of modules shipped with 8.4, which are also all compatible with 8.5.

If you wish to have both 8.4 and 8.5:
- You MUST install 8.4 first. (If you already have 8.5 only, it should be uninstalled.)
- It is always advisable to manually delete any files left behind in the ActiveTcl install directory when changing versions.
- You should use a compatible pairing. The most compatible pairings are:

ActiveTcl 8.4.20.0 with 8.5.14.0 and higher
ActiveTcl 8.4.19.6 with 8.5.11.1 to 8.5.13.0
ActiveTcl 8.4.19.5 with 8.5.9.2 to 8.5.11.0
ActiveTcl 8.4.19.4 with 8.5.8.2 to 8.5.9.1
ActiveTcl 8.4.19.3 with 8.5.8.1
ActiveTcl 8.4.19.2 with 8.5.8.0
ActiveTcl 8.4.19.1 with 8.5.3.0 to 8.5.7.0
ActiveTcl 8.4.19.0 with 8.5.2.0
ActiveTcl 8.4.18.0 with 8.5.1.0
ActiveTcl 8.4.17.0 with 8.5.0.0.283511

All 8.4 versions now require Business Edition licenses.

What is the ECCN for ActiveTcl?

Question: 

What is the Export Control Classification Number for ActiveTcl?

Answer: 

The Export Control Classification Number for ActiveTcl is EAR99 (self-classified). For a brief description of EAR99 and information on the difference between EAR99 and NLR (No License Required), see:

http://www.census.gov/foreign-trade/faq/reg/reg0031.html

Problems with buildall.vc

Question: 

I'm having problems with the buildall.vc file. Can you help?

Answer: 

buildall.vc is a batch file used to build a source distribution of Tcl on Windows platforms. This is associated with the Tcl.tk distribution of the language.

We do not support the standard distribution of the Tcl language, but rather ActiveTcl, which is a pre-built kit containing Tcl, Tk, and a host of useful libraries.

You can find more information, including download links, at the following URL:

http://www.activestate.com/Products/ActiveTclFamily/