Secunia

Relating to this vendor:
And, this specific program: GIMP 2.x
mbarley42 | Install solution but no upgraded binary for GIMP 2.6.12
3rd Feb, 2012 12:25
Ranking: -4 | Posts: 40 | User Since: 17th Jun, 2011 | System Score: N/A | Location: HR | Last edited on 3rd Feb, 2012 12:36

Page http://gimp-win.sourceforge.net/stable.html given by "Install solution" of PSI 2.0.0.4003 doesn't contain the upgrade, that is, GIMP-2.6.12. The last binary offered is 2.6.11, which is reported vulnerable by the Secunia advisory in the first place.

Result of PSI 2.0 scan is:

```
---START---
Program Name: GIMP 2.x
Security State: Insecure
Download Link: http://gimp-win.sourceforge.net/stable.html
Instances Found: C:\Program Files (x86)\GIMP-2.0\bin\libgtk-win32-2.0-0.dll, version: 2.16.6.0
Last System Scan (localtime): 3. Feb 2012, 11:57
Operating System: Microsoft Windows 7, Microsoft Windows 7
---END---
```

Any information?

Regards, mt

-- Be the change you wish to see in the world. Mahatma Gandhi
steffens | RE: Install solution but no upgraded binary for GIMP 2.6.12
3rd Feb, 2012 14:57
Score: 8 | Posts: 8 | User Since: 25th Jul 2009 | System Score: N/A | Location: US

I have the same detection as you do, but with a different path...

C:\Program Files (x86)\Pidgin\Gtk\bin\libgtk-win32-2.0-0.dll, version 2.16.6.0

But look CAREFULLY at the associated version number, in both your detection and in mine. It's 2.16.6.0, whereas Secunia wants 2.6.12. By my reckoning, 2.16.6.0 IS GREATER THAN 2.6.12, which means there's clearly *something* wrong here. So it looks like a false positive to me. And until I hear otherwise, I'm sticking with what I've got.

-- EstherD
JimG | RE: Install solution but no upgraded binary for GIMP 2.6.12
3rd Feb, 2012 15:13
Score: 1 | Posts: 3 | User Since: 8th Apr 2008 | System Score: N/A | Location: US | Last edited on 3rd Feb, 2012 15:15

I got the same error and I don't have Gimp on my system. I use gnucash 2.4.9, which uses the same library that gimp uses. I tried to enter gnucash as a new program but the convoluted method for doing this would not allow this. Apparently, new programs must already be in your database or they can't be added! Why, then, the missing program button?
steffens | RE: Install solution but no upgraded binary for GIMP 2.6.12
3rd Feb, 2012 16:39
Score: 8 | Posts: 8 | User Since: 25th Jul 2009 | System Score: N/A | Location: US

After reconsidering all the above data, I tentatively conclude that PSI is *not* detecting the GIMP *program* correctly. Instead of looking for the GIMP *program* and extracting the version therefrom, it appears instead to be detecting the "libgtk" *component* of the GIMP program, and extracting the version from that.

Since the "libgtk" *component* is used by programs other than GIMP, e.g. Pidgin (and gnucash, apparently), this leads to a false positive detection of GIMP, even on systems where the GIMP *program* itself is *not* present. It also leads to an incorrect determination of the true version of the GIMP program on systems where it actually *is* present.

There also seems to be a logical error in comparing version numbers, but that doesn't appear to be the root cause of this false positive detection.

HTH...

-- EstherD
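The two failure modes steffens describes above (a detection keyed on a shared component rather than on the program that owns it, and a version comparison that treats 2.16.6.0 as older than 2.6.12) can both be reproduced in a few lines. The following Python is an added example written for this page, not Secunia PSI code. The advisory record, the Wireshark and portable-GIMP paths, and the program versions are constructed samples; the record with no program version models the observation later in the thread that gimp.exe carries no version metadata.

```python
"""Added example (not Secunia PSI code): why keying a detection on a shared
component and comparing dotted versions as strings both give false positives.
All paths, versions and the advisory record below are constructed samples."""
import re
from pathlib import PureWindowsPath

# Constructed advisory record: the thread concerns GIMP 2.x with a fix in
# 2.6.12, and the DLL that PSI actually matched on. An assumption for the example.
ADVISORY = {"program": "GIMP", "fixed_in": "2.6.12",
            "component": "libgtk-win32-2.0-0.dll"}

# Application root directory -> program name. The GIMP-2.0 and Pidgin paths
# appear in the thread; the Wireshark root is a constructed sample.
APP_ROOTS = {"GIMP-2.0": "GIMP", "Pidgin": "Pidgin", "Wireshark": "Wireshark"}

# Constructed scan records. program_version is what a program-level source
# (e.g. the main executable's version resource) reports; None means the
# executable carries no version information at all.
SCAN = [
    {"path": r"C:\Program Files (x86)\GIMP-2.0\bin\libgtk-win32-2.0-0.dll",
     "component_version": "2.16.6.0", "program_version": "2.6.11"},
    {"path": r"C:\Program Files (x86)\Pidgin\Gtk\bin\libgtk-win32-2.0-0.dll",
     "component_version": "2.16.6.0", "program_version": "2.10.1"},
    {"path": r"C:\Program Files\Wireshark\libgtk-win32-2.0-0.dll",
     "component_version": "2.16.6.0", "program_version": None},
    {"path": r"D:\PortableApps\GIMP-2.0\bin\libgtk-win32-2.0-0.dll",
     "component_version": "2.16.6.0", "program_version": None},
]


def parse_version(v):
    """'2.16.6.0' -> (2, 16, 6, 0); anything non-numeric is ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def version_lt(a, b):
    """Numeric, component-wise comparison; shorter tuples are padded with 0."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    return pa + (0,) * (n - len(pa)) < pb + (0,) * (n - len(pb))


def owning_program(path):
    """Attribute a file to the application whose directory tree contains it."""
    for part in PureWindowsPath(path).parts:
        if part in APP_ROOTS:
            return APP_ROOTS[part]
    return None


def naive_assess(rec, adv=ADVISORY):
    """The flawed logic the thread describes: match on the shared DLL name,
    report the advisory's program, and compare versions as plain strings."""
    if PureWindowsPath(rec["path"]).name != adv["component"]:
        return None
    state = "Insecure" if rec["component_version"] < adv["fixed_in"] else "Patched"
    return (adv["program"], state)


def assess(rec, adv=ADVISORY):
    """Attribute the file to its owning program first, compare numerically,
    and never report a verdict the evidence cannot support."""
    prog = owning_program(rec["path"])
    if prog != adv["program"]:
        return (prog, "Not applicable")   # the DLL belongs to another program
    if rec["program_version"] is None:
        return (prog, "Unknown version")  # nothing program-level to compare
    state = ("Insecure" if version_lt(rec["program_version"], adv["fixed_in"])
             else "Patched")
    return (prog, state)


if __name__ == "__main__":
    for rec in SCAN:
        print(rec["path"])
        print("  naive:", naive_assess(rec), " attributed:", assess(rec))
```

Running the block prints a naive and an attributed verdict per record. The naive path flags GIMP as Insecure on every machine that has the DLL, including the Pidgin-only and Wireshark-only ones, because the string comparison "2.16.6.0" < "2.6.12" is true. The attributed path reports only on the program the file belongs to, compares the program's own version numerically, and answers "Unknown version" rather than inventing a verdict when the executable has no version resource.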
ddmarshall | RE: Install solution but no upgraded binary for GIMP 2.6.12
3rd Feb, 2012 16:58
Score: 1037 | Posts: 820 | User Since: 8th Nov 2008 | System Score: 100% | Location: UK

@JimG Failure of the program suggestion feature usually happens for one of the following reasons:

1. https://secunia.com is not included in the list of sites in the Trusted Internet zone.
2. The executable that has been selected does not have version information in its properties. Secunia need a file with version information.
mbarley42 | RE: Install solution but no upgraded binary for GIMP 2.6.12
3rd Feb, 2012 17:04
Score: -4 | Posts: 40 | User Since: 17th Jun 2011 | System Score: N/A | Location: HR

> on 3rd Feb, 2012 16:58, ddmarshall wrote:
> @JimG Failure of the program suggestion feature usually happens for one of the following reasons:
> 1. https://secunia.com is not included in the list of sites in the Trusted Internet zone.
> 2. The executable that has been selected does not have version information in its properties. Secunia need a file with version information.

Hi @ddmarshall, I haven't touched settings nor GIMP since the last check on Wednesday. What could it be?

Regards, mt

-- Be the change you wish to see in the world. Mahatma Gandhi
ddmarshall | RE: Install solution but no upgraded binary for GIMP 2.6.12
3rd Feb, 2012 18:40
Score: 1037 | Posts: 820 | User Since: 8th Nov 2008 | System Score: 100% | Location: UK | Last edited on 3rd Feb, 2012 18:45

I've no idea. Probably confusion caused by the release of 2.6.12 for Linux on 1st February 2012. Secunia updated this advisory the following day. http://secunia.com/advisories/42771/

I was just trying to give JimG the reason he couldn't suggest gnucash as a missing program. I think you will have to wait till Monday now for the Secunia Officials to get back.
EricSchaap | RE: Install solution but no upgraded binary for GIMP 2.6.12
3rd Feb, 2012 18:55
Score: 1 | Posts: 5 | User Since: 17th May 2010 | System Score: N/A | Location: NL

I agree, Pidgin and Wireshark make use of the libgtk-win32-2.0-0.dll which is outdated. It is ONLY this DLL, nothing else....... I for one don't have GIMP installed.....
mtodorov | RE: Install solution but no upgraded binary for GIMP 2.6.12
7th Feb, 2012 12:35
Score: 1 | Posts: 86 | User Since: 20th Mar 2009 | System Score: 93% | Location: HR | Last edited on 7th Feb, 2012 14:06

In the meantime, the following happened:

1. PSI stopped reporting GIMP 2.6.11 as vulnerable.
2. GIMP 2.6.12 for Windows appeared indeed on the http://gimp-win.sourceforge.net/stable.html site.

This IMHO may mean that PSI didn't lie: GIMP 2.6.11 for Windows indeed was and still is vulnerable, but the packager for the Windows version had not yet issued the package at the time of PSI reporting the vulnerability on Windows, as @ddmarshall guessed earlier.

As for me, I'd like to know if a program is vulnerable even if it has no official patch yet. The PSI behavior is welcomed in reporting the correct vulnerability, except that the solution offered was not available at the time.

Regards, mt

-- "If a task is worth doing, it is worth doing right. If it is not worth doing well, it is not worth doing." -- Dr. Jack Hyles <><
steffens | RE: Install solution but no upgraded binary for GIMP 2.6.12
7th Feb, 2012 14:35
Score: 8 | Posts: 8 | User Since: 25th Jul 2009 | System Score: N/A | Location: US

Rescanned after receiving notice of the above post. Pleased to report that the false positive detection of the GIMP program that I reported a few days ago is no longer present. Thanks for the fix!
EricSchaap | RE: Install solution but no upgraded binary for GIMP 2.6.12
7th Feb, 2012 17:36
Score: 1 | Posts: 5 | User Since: 17th May 2010 | System Score: N/A | Location: NL

Rescanned. Still vulnerable: Pidgin and Wireshark. I don't have Gimp!!!!! So again, the issue is NOT related to Gimp! Error in reporting tool. Should mention the correct software. Most probably also not related to Pidgin and Wireshark as well.
mtodorov | RE: Install solution but no upgraded binary for GIMP 2.6.12
8th Feb, 2012 09:36
Score: 1 | Posts: 86 | User Since: 20th Mar 2009 | System Score: 93% | Location: HR | Last edited on 8th Feb, 2012 10:02

Hi, @EricSchaap, GIMP piggybacks a version of the GTK lib, and so do these other programs. I guess PSI stumbled over this. Can you tell me whether the reports show GIMP as vulnerable when the GTK lib is detected, or is Pidgin reported?

I wasn't able to find GIMP release notes for 2.6.11 and what bug was patched, nor a recent GTK bug. The things are completely blurred.

The fact that each program carries its own GTK lib is not a particularly lucky situation, leading to software bloat. Linux versions have clear dependencies on the main GTK library, which is in a separate package.

Regards, mt

-- "If a task is worth doing, it is worth doing right. If it is not worth doing well, it is not worth doing." -- Dr. Jack Hyles <><
(reply) | RE: Install solution but no upgraded binary for GIMP 2.6.12

This reply has been deleted.
EricSchaap | RE: Install solution but no upgraded binary for GIMP 2.6.12
8th Feb, 2012 17:48
Score: 1 | Posts: 5 | User Since: 17th May 2010 | System Score: N/A | Location: NL

> on 8th Feb, 2012 09:36, mtodorov wrote:
> Hi, @EricSchaap, GIMP piggybacks a version of the GTK lib, and so do these other programs. I guess PSI stumbled over this. Can you tell me whether the reports show GIMP as vulnerable when the GTK lib is detected, or is Pidgin reported? I wasn't able to find GIMP release notes for 2.6.11 and what bug was patched, nor a recent GTK bug. The things are completely blurred. The fact that each program carries its own GTK lib is not a particularly lucky situation, leading to software bloat. Linux versions have clear dependencies on the main GTK library, which is in a separate package. Regards, mt

It reports GIMP as vulnerable. Looking into the details, it points to libgtk-win32-2.0-0.dll. I know that Pidgin and Wireshark both use this libgtk-win32-2.0-0.dll. The issue here is: PSI is not pointing to the correct software package. Which creates confusion.

Greetings, Eric
Maurice Joyce | RE: Install solution but no upgraded binary for GIMP 2.6.12
8th Feb, 2012 18:21
Score: 8623 | Posts: 6,660 | User Since: 4th Jan 2009 | System Score: 100% | Location: UK | Last edited on 9th Feb, 2012 10:20

@ramonpadilla36 As a new Forum member U should be aware that Secunia have a ZERO tolerance of advertising, which is considered spam. I would remove this entry including the hyperlink as a matter of urgency, otherwise the post will be deleted.

> Deluxe CCTV is the leading manufacturer and distributor of video, audio surveillance, spy, covert cams, pepper sprays, hidden cameras, GPS trackers, and stun gun equipment, and has served more than two hundred thousand customers worldwide.

EDIT: Post Deleted 09:19 09/02/2012

-- Maurice
Windows 7 SP1 64 Bit OS HP Intel Pentium i7 IE9 16GB RAM
mtodorov | RE: Install solution but no upgraded binary for GIMP 2.6.12
9th Feb, 2012 12:00
Score: 1 | Posts: 86 | User Since: 20th Mar 2009 | System Score: 93% | Location: HR

> on 8th Feb, 2012 17:48, EricSchaap wrote:
> It reports GIMP as vulnerable. Looking into the details, it points to libgtk-win32-2.0-0.dll. I know that Pidgin and Wireshark both use this libgtk-win32-2.0-0.dll. The issue here is: PSI is not pointing to the correct software package. Which creates confusion. Greetings, Eric

Hi, Eric, what exact versions of Pidgin and Wireshark are you using? I have tested Pidgin 2.10.1 and Wireshark 64-bit 1.6.5.40429 on Windows 7 64-bit and they are both reported as "Patched". Vulnerable GIMP isn't reported because of using GTK. I am using PSI 2.0.0.4003.

Regards, mt

-- "If a task is worth doing, it is worth doing right. If it is not worth doing well, it is not worth doing." -- Dr. Jack Hyles <><
mtodorov | RE: Install solution but no upgraded binary for GIMP 2.6.12
9th Feb, 2012 12:03
Score: 1 | Posts: 86 | User Since: 20th Mar 2009 | System Score: 93% | Location: HR

Catch 22: Now my working GIMP installation 2.6.11 isn't reported in the "Scan Results" window.

Regards, mt

-- "If a task is worth doing, it is worth doing right. If it is not worth doing well, it is not worth doing." -- Dr. Jack Hyles <><
EricSchaap | RE: Install solution but no upgraded binary for GIMP 2.6.12
9th Feb, 2012 17:41
Score: 1 | Posts: 5 | User Since: 17th May 2010 | System Score: N/A | Location: NL

> on 9th Feb, 2012 12:00, mtodorov wrote:
> Hi, Eric, what exact versions of Pidgin and Wireshark are you using? I have tested Pidgin 2.10.1 and Wireshark 64-bit 1.6.5.40429 on Windows 7 64-bit and they are both reported as "Patched". Vulnerable GIMP isn't reported because of using GTK. I am using PSI 2.0.0.4003. Regards, mt

I am using the latest portable ones of both programs.

Regards, Eric
mtodorov | RE: Install solution but no upgraded binary for GIMP 2.6.12
10th Feb, 2012 10:28
Score: 1 | Posts: 86 | User Since: 20th Mar 2009 | System Score: 93% | Location: HR

> on 9th Feb, 2012 17:41, EricSchaap wrote:
> I am using the latest portable ones of both programs. Regards, Eric

Hi Eric, I haven't tried portable versions. I just still see that GIMP still isn't shown in the "Scan Results" list of PSI. I agree with what was said here on the forum, that is, detection of GIMP by the GTK .dll is inherently flawed, since other programs have it bundled, too.

Regards, mt

-- "If a task is worth doing, it is worth doing right. If it is not worth doing well, it is not worth doing." -- Dr. Jack Hyles <><
Maurice Joyce | RE: Install solution but no upgraded binary for GIMP 2.6.12
10th Feb, 2012 12:08
Score: 8623 | Posts: 6,660 | User Since: 4th Jan 2009 | System Score: 100% | Location: UK

Why not suggest the programme to Secunia using the tool provided? U may have difficulty - I have just tested it & the main Gimp EXE file (& other EXE files) have got no meta data.

-- Maurice
Windows 7 SP1 64 Bit OS HP Intel Pentium i7 IE9 16GB RAM
EricSchaap | RE: Install solution but no upgraded binary for GIMP 2.6.12
10th Feb, 2012 12:10
Score: 1 | Posts: 5 | User Since: 17th May 2010 | System Score: N/A | Location: NL

Apparently Secunia has solved the issue, because after a rescan yesterday evening the issue disappeared......
Maurice Joyce | RE: Install solution but no upgraded binary for GIMP 2.6.12
10th Feb, 2012 15:27
Score: 8623 | Posts: 6,660 | User Since: 4th Jan 2009 | System Score: 100% | Location: UK

Eric, sorry, I may have confused U. Secunia have removed this file GTK .dll which caused alarm with GIMP & other programmes' users.

The latest statement/query from the originator is:

> I just still see that GIMP still isn't shown in "Scan Results" list of PSI.

My reply to that is:

> Why not suggest the programme to Secunia using the tool provided? U may have difficulty - I have just tested it & the main Gimp EXE file (& other EXE files) have got no meta data.

Until that data is provided by the vendor, or a user finds a suitable file, GIMP will not show.

-- Maurice
Windows 7 SP1 64 Bit OS HP Intel Pentium i7 IE9 16GB RAM
mtodorov | RE: Install solution but no upgraded binary for GIMP 2.6.12
13th Feb, 2012 17:19
Score: 1 | Posts: 86 | User Since: 20th Mar 2009 | System Score: 93% | Location: HR

> on 10th Feb, 2012 15:27, Maurice Joyce wrote:
> Eric, sorry, I may have confused U. Secunia have removed this file GTK .dll which caused alarm with GIMP & other programmes' users. The latest statement/query from the originator is: I just still see that GIMP still isn't shown in "Scan Results" list of PSI. My reply to that is: Why not suggest the programme to Secunia using the tool provided? U may have difficulty - I have just tested it & the main Gimp EXE file (& other EXE files) have got no meta data. Until that data is provided by the vendor, or a user finds a suitable file, GIMP will not show.

Thanks Mr. Joyce, I see. This is a completely different thing.

1. I haven't seen a program suggest option in PSI 2.0.0.4003.
2. Nor do I know how to read EXE meta data. Basically, the GIMP desktop shortcut has a "2.6.11" comment, but I guess that's not as reliable as .EXE meta data.

Thank you again.

Regards, mt

-- "If a task is worth doing, it is worth doing right. If it is not worth doing well, it is not worth doing." -- Dr. Jack Hyles <><
Maurice Joyce | RE: Install solution but no upgraded binary for GIMP 2.6.12
13th Feb, 2012 17:35
Score: 8623 | Posts: 6,660 | User Since: 4th Jan 2009 | System Score: 100% | Location: UK | Last edited on 13th Feb, 2012 17:37

Open PSI > scan results > above the scan results U will see a green icon with "Are you missing a program?" next to it. Click that. A box appears with a browse button. Click that & it opens Windows Explorer - now U need to navigate to your GIMP programme. By clicking on GIMP it reveals all the files in the right hand pane - click the main GIMP.exe file & U will see that Secunia will not accept it.

To investigate why it is unacceptable, go back to the file U nominated - right click on it & select Properties. U will note that the vendor has not (at the time I tested it) included any file details. Without that it cannot be included as a programme on the Secunia database.

-- Maurice
Windows 7 SP1 64 Bit OS HP Intel Pentium i7 IE9 16GB RAM
mtodorov | RE: Install solution but no upgraded binary for GIMP 2.6.12
17th Feb, 2012 10:15
Score: 1 | Posts: 86 | User Since: 20th Mar 2009 | System Score: 93% | Location: HR

Hi, Mr. Joyce, I can confirm that c:\Program Files (x86)\GIMP-2.0\bin\gimp.exe cannot be submitted on my installation either. I will try to contact the packager team. It still isn't clear whether the program GIMP or the GTK lib were vulnerable, since I found no Secunia vulnerability report.

Regards, mt

-- "If a task is worth doing, it is worth doing right. If it is not worth doing well, it is not worth doing." -- Dr. Jack Hyles <><
Maurice Joyce | RE: Install solution but no upgraded binary for GIMP 2.6.12
17th Feb, 2012 10:22
Score: 8623 | Posts: 6,660 | User Since: 4th Jan 2009 | System Score: 100% | Location: UK

Anything GIMP is here: http://secunia.com/community/advisories/search/?se...

-- Maurice
Windows 7 SP1 64 Bit OS HP Intel Pentium i7 IE9 16GB RAM
mtodorov | RE: Install solution but no upgraded binary for GIMP 2.6.12
17th Feb, 2012 10:32
Score: 1 | Posts: 86 | User Since: 20th Mar 2009 | System Score: 93% | Location: HR | Last edited on 17th Feb, 2012 10:33

> on 17th Feb, 2012 10:22, Maurice Joyce wrote:
> Anything GIMP is here: http://secunia.com/community/advisories/search/?se...

Yep. I've seen that earlier. But, as you have seen, the latest bug was in August 2011, nothing in February. Probably it was Valentine cupid hitting someone so he missed the right vuln. :-)

Regards, mt

-- "If a task is worth doing, it is worth doing right. If it is not worth doing well, it is not worth doing." -- Dr. Jack Hyles <><
mtodorov | RE: Install solution but no upgraded binary for GIMP 2.6.12
17th Feb, 2012 10:44
Score: 1 | Posts: 86 | User Since: 20th Mar 2009 | System Score: 93% | Location: HR

I have filed a bug report to the GNOME community. That's as far as it gets ...

Regards, mt

-- "If a task is worth doing, it is worth doing right. If it is not worth doing well, it is not worth doing." -- Dr. Jack Hyles <><
mtodorov | RE: Install solution but no upgraded binary for GIMP 2.6.12
21st Feb, 2012 10:51
Score: 1 | Posts: 86 | User Since: 20th Mar 2009 | System Score: 93% | Location: HR

Hi, I have successfully uploaded GIMP 2.7.4 with the Secunia 2.0.0.4003 program suggest feature. As for the bug report to the GNOME developers, they said there will be no patches to the 2.6.x tree.

Regards, mt

-- "If a task is worth doing, it is worth doing right. If it is not worth doing well, it is not worth doing." -- Dr. Jack Hyles <><