   openSUSE Feature Update: Feature update for tcl and tk
______________________________________________________________________________

Announcement ID:    openSUSE-FU-2022:0868-1
Rating:             moderate
References:         #1138797 #1185662 #1195257 #903017 SLE-21016 SLE-23284
Affected Products:
                    openSUSE Leap 15.3
                    openSUSE Leap 15.4
______________________________________________________________________________

   An update that solves one vulnerability, contains two features and has
   three fixes is now available.

Description:

   This feature update for tcl and tk fixes the following issues:

   Update tcl and tk to version 8.6.12 (jsc#SLE-21016, jsc#SLE-23284):

   - Move tcl.macros to /usr/lib/rpm/macros.d (bsc#1185662)
   - Use FAT LTO objects in order to provide proper static library
     (bsc#1138797)
   - Fix a bug in itcl that was affecting iwidgets (bsc#903017)
   - Add [combobox current] support "end" index
   - Add fixes in [text] bindings
   - Add missing "deferred clear code" support to GIF photo images
   - Add new virtual event <<TkWorldChanged>>
   - Add new keycodes: CodeInput, SingleCandidate, MultipleCandidate,
     PreviousCandidate
   - Add new support for POSIX error: EILSEQ
   - Add new command [tcl::unsupported::corotype]
   - Add new command [tcl::unsupported::timerate] for performance testing
   - Add new option -state to [ttk::scale]
   - Add portable keycodes: OE, oe, Ydiaeresis
   - Add support for backrefs in [array names -regexp]
   - Add support for Unicode 14
   - Disfavor Master/Slave terminology
   - Enhance [oo::object] to acquire or lose a class identity dynamically
   - Fix canvas rotated text overlap detection
   - Fix canvas closed polylines to fully honor -joinstyle
   - Fix display of long non-wrapped lines in text
   - Fix display treeview focus ring when -selectmode none
   - Fix focus events not to break entry validation
   - Fix [package prefer stable] failing case
   - Fix auto_path initialization by Safe Base interps
   - Fix bad interaction between grab and mouse pointer warp
   - Fix borderwidth calculations on menu items
   - Fix cascade tearoff menu redraw artifacts
   - Fix coords rounding when drawing canvas items
   - Fix corrupt result from [$c postscript] with -file or -channel
   - Fix errno management in socket full close
   - Fix failure when a [proc] argument name is computed, not literal
   - Fix focus on unmapped windows
   - Fix handling of duplicates in spinbox -values list
   - Fix incomplete read of multi-image GIF
   - Fix initialization order of static package in wish
   - Fix issue when trying to display angled text without Xft
   - Fix issue with font initialization when no font is installed
   - Fix problems with Noto Color Emoji font
   - Fix race conditions in [file delete] and [file mkdir]
   - Fix Std channel initialization for multi-thread operations
   - Fix tearoff menu redraw artifacts
   - Fix up arrow key in [text] to correctly move cursor to index 1.0
   - Fix various cursor issues
   - Fix various encoding issues
   - Fix various fontchooser issues
   - Fix various issues causing crashes and hang in
   - Fix various memory issues
   - Fix various scrolling bugs and add improvements
   - Fix 32/64-bit confusion of FS DIR operations reported for AIX
   - Improve appearance of text selection in [*entry] widgets
   - Improve checkbutton handling of -selectcolor
   - Improve handling of resolution changes
   - Improve multi-thread safety when Xft is in use
   - Improve ttk high-contrast-mode support
   - Improve emoji support
   - Improve legacy support for [tk_setPalette]
   - Make combobox -postoffset option work with default style
   - Make spinbox use proper names in query of option database
   - Menu flaws when empty menubar clicked
   - New index argument in [$menubutton post x y index]
   - Preserve canvas tag list order during add/delete
   - Prevent cross-manager loops of geom management
   - Rewrite of zlib inflation for multi-stream and completeness
   - Run fileevents in proper thread after [thread::attach $channel]
   - Stop [unload] corruption of list of loaded packages
   - Stop app switching exposing withdrawn windows as zombies
   - Tk now denied access to PRIMARY selection from safe interps
   - TkpDrawAngledCharsInContext leaked a CGColor
   - Try to restore Tcl's [update] command when Tk is unloaded
   - Changed [info * methods] to include mixins
   - [package require] is now NR-enabled

   The following fixes might show some potential incompatibilities with
   existing software:

   - Revised [binary (en|de)code base64] for RFC compliance and roundtrip
   - Tcl_DStringAppendElement # quoting precision, dstring-2.13,
     dstring-3.10
   - Extended [clock scan] ISO format and time zone support
   - Allow for select/copy from disabled text widget on all platforms
   - Revised case of [info loaded] module names
   - [info hostname] reports DNS name, not NetBIOS name
   - Force -eofchar \032 when evaluating library scripts
   - Revised error messages: "too few" => "not enough"
   - Performed rewrite of Tk event loop to prevent ring overflow
   - Refactored all MouseWheel bindings
   - Revised precision of ::scale widget tick mark values
   - Prevent transient window cycles (crashed on Aqua)
   - Builds no longer use -lieee
   - Quoting of command line arguments by [exec] on Windows revised. Prior
     quoting rules left holes where some values would not pass through,
     but could trigger substitutions or program execution. See
     https://core.tcl-lang.org/tcl/info/21b0629c81
   - [lreplace] accepts all out-of-range index values

Patch Instructions:

   To install this openSUSE Feature Update use the SUSE recommended
   installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Leap 15.4:

      zypper in -t patch openSUSE-SLE-15.4-2022-868=1

   - openSUSE Leap 15.3:

      zypper in -t patch openSUSE-SLE-15.3-2022-868=1

Package List:

   - openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64):

      tcl-8.6.12-150300.14.3.1
      tcl-debuginfo-8.6.12-150300.14.3.1
      tcl-debugsource-8.6.12-150300.14.3.1
      tcl-devel-8.6.12-150300.14.3.1
      tk-8.6.12-150300.10.3.1
      tk-debuginfo-8.6.12-150300.10.3.1
      tk-debugsource-8.6.12-150300.10.3.1
      tk-devel-8.6.12-150300.10.3.1

   - openSUSE Leap 15.4 (x86_64):

      tcl-32bit-8.6.12-150300.14.3.1
      tcl-32bit-debuginfo-8.6.12-150300.14.3.1
      tk-32bit-8.6.12-150300.10.3.1
      tk-32bit-debuginfo-8.6.12-150300.10.3.1

   - openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):

      tcl-8.6.12-150300.14.3.1
      tcl-debuginfo-8.6.12-150300.14.3.1
      tcl-debugsource-8.6.12-150300.14.3.1
      tcl-devel-8.6.12-150300.14.3.1
      tk-8.6.12-150300.10.3.1
      tk-debuginfo-8.6.12-150300.10.3.1
      tk-debugsource-8.6.12-150300.10.3.1
      tk-devel-8.6.12-150300.10.3.1

   - openSUSE Leap 15.3 (x86_64):

      tcl-32bit-8.6.12-150300.14.3.1
      tcl-32bit-debuginfo-8.6.12-150300.14.3.1
      tk-32bit-8.6.12-150300.10.3.1
      tk-32bit-debuginfo-8.6.12-150300.10.3.1

References:

   https://www.suse.com/security/cve/CVE-2021-35331.html
   https://bugzilla.suse.com/1138797
   https://bugzilla.suse.com/1185662
   https://bugzilla.suse.com/1195257
   https://bugzilla.suse.com/903017
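
A post-patch check for the builds in the package list above, as an added example that is not part of the announcement: it reads "NAME VERSION-RELEASE" lines and flags any tcl or tk package older than the fixed build. The function names and the sample input are constructed for illustration, and GNU `sort -V` is assumed as a stand-in for RPM's own version comparison.

```shell
#!/bin/sh
# Fixed builds, copied from the advisory's package list.
TCL_FIXED="8.6.12-150300.14.3.1"
TK_FIXED="8.6.12-150300.10.3.1"

# version_lt A B: true when A sorts strictly before B.
# Assumption: GNU `sort -V` agrees with RPM ordering for the dotted
# numeric version-release strings used in this advisory.
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# fixed_for NAME: print the fixed build for a package named in the advisory.
fixed_for() {
    case "$1" in
        tcl|tcl-devel|tcl-debuginfo|tcl-debugsource|tcl-32bit|tcl-32bit-debuginfo)
            printf '%s\n' "$TCL_FIXED" ;;
        tk|tk-devel|tk-debuginfo|tk-debugsource|tk-32bit|tk-32bit-debuginfo)
            printf '%s\n' "$TK_FIXED" ;;
    esac
}

# check_fixed: read "NAME VERSION-RELEASE" lines on stdin, print one verdict
# per line, return 1 if any advisory package is older than its fixed build.
check_fixed() {
    rc=0
    while read -r name evr; do
        [ -n "$name" ] || continue
        want=$(fixed_for "$name")
        if [ -z "$want" ]; then
            echo "SKIP $name (not in advisory)"
        elif version_lt "$evr" "$want"; then
            echo "OUTDATED $name $evr < $want"
            rc=1
        else
            echo "OK $name $evr"
        fi
    done
    return "$rc"
}

# On a real host: rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' tcl tk | check_fixed
# Constructed sample input (not real host output):
SAMPLE='tcl 8.6.7-7.6.1
tk 8.6.12-150300.10.3.1
zlib 1.2.11-3.21.1'
printf '%s\n' "$SAMPLE" | check_fixed || echo "at least one package still needs the update"
```
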