CVEs in TCL ( tcl86.dll statically links to zlib)

The file tcl86.dll statically links to zlib 1.2.8, and ZLIB has several CVEs. one CVE is 9.8 - critical.
This affects the windows version. Probably the Linux and Mac versions are affected
This is not disclosed in the CVE report. It claims it is CVE-clean when it is not.
The function::tcl::zlib seems to use this zlib instance
Please update the zlib to 1.2.13


Welcome to the ActiveState Platform! Reviewing your project, I can see you’ve built Tcl 8.6.12 for Linux and Windows. zlib is listed as an “Other” dependency and is being pulled in by the Platform as version 1.2.12, which features a critical vulnerability.

You can resolve this simply by clicking the Edit button beside zlib. This will move it up to the Packages section where you can click the dropdown and select version, which has no known CVEs.

Hope that helps,

I have selected zlib 1.2.12 and, and the ZLIB it is still 1.2.11. There is something wrong with the selection tool.
Here is a snapshot of the tcl86t.dll. The zlib version inside tcl86t.dll is 1.2.11.

Thank you for bringing this to our attention, we will be investigating this issue to determine the cause, we will respond on this thread when we have a result.

Okay, I’ve dug into this and I’ve got more info. The version of zlib that is linked in tcl86t.dll, is the version of zlib that is shipped with the 8.6.12 core - see the github mirror: tcl/compat/zlib at main · tcltk/tcl · GitHub
It looks like for the upcoming releases they are updating the shipped zlib to 1.2.13.

So updating zlib will happen in one of two ways, either

  1. This will be fixed in the next release, and we will add this version.
  2. We will patch the new zlib into the 8.6.12 core if the new release isn’t soon. (It looks like 8.6.13 is in rc0)

Moving forward I anticipate we will shift to using selectable zlib.dlls for tcl, but this may not be implemented until we move tcl to the modern build system.

I will update this thread when the tcl is updated or patched.

1 Like