
Forum Thread: Install solution but no upgraded binary for GIMP 2.6.12

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
Programs

Relating to this vendor:
GIMP project
And, this specific program:
GIMP 2.x

This thread has been marked as locked.
mbarley42 Install solution but no upgraded binary for GIMP 2.6.12
Member 3rd Feb, 2012 12:25
Ranking: -4
Posts: 40
User Since: 17th Jun, 2011
System Score: N/A
Location: HR
Last edited on 3rd Feb, 2012 12:36

Page http://gimp-win.sourceforge.net/stable.html given by "Install solution" of PSI 2.0.0.4003 doesn't contain upgrade, that is GIMP-2.6.12. Last binary offered is 2.6.11 which is reported vulnerable by Secunia advisory in the first place.

Result of PSI 2.0 scan is:

---START---

Program Name:
GIMP 2.x

Security State:
Insecure

Download Link:
http://gimp-win.sourceforge.net/stable.html

Instances Found:
C:\Program Files (x86)\GIMP-2.0\bin\libgtk-win32-2.0-0.dll, version: 2.16.6.0

Last System Scan (localtime):
3. Feb 2012, 11:57

Operating System:
Microsoft Windows 7, Microsoft Windows 7

---END---

Any information?

Regards,
mt

--
Be the change you wish to see in the world.
Mahathma Gandhi

steffens RE: Install solution but no upgraded binary for GIMP 2.6.12
Member 3rd Feb, 2012 14:57
Score: 47
Posts: 62
User Since: 25th Jul 2009
System Score: N/A
Location: US
I have the same detection as you do, but with a different path...
C:\Program Files (x86)\Pidgin\Gtk\bin\libgtk-win32-2.0-0.dll, version 2.16.6.0

But look CAREFULLY at the associated version number, in both your detection and in mine. It's 2.16.6.0, whereas Secunia wants 2.6.12.

By my reckoning, 2.16.6.0 IS GREATER THAN 2.6.12, which means there's clearly *something* wrong here.

So it looks like a false positive to me. And until I hear otherwise, I'm sticking with what I've got.
-- EstherD
JimG RE: Install solution but no upgraded binary for GIMP 2.6.12
Member 3rd Feb, 2012 15:13
Score: 1
Posts: 3
User Since: 8th Apr 2008
System Score: N/A
Location: US
Last edited on 3rd Feb, 2012 15:15
I got the same error and I don't have Gimp on my system. I use gnucash 2.4.9 which uses the same library that gimp uses.
I tried to enter gnucash as a new program but the convoluted method for doing this would not allow this. Apparently, new programs must already be in your database or they can't be added! Why, then, the missing program button?
steffens RE: Install solution but no upgraded binary for GIMP 2.6.12
Member 3rd Feb, 2012 16:39
Score: 47
Posts: 62
User Since: 25th Jul 2009
System Score: N/A
Location: US
After reconsidering all the above data, I tentatively conclude that PSI is *not* detecting the GIMP *program* correctly.

Instead of looking for the GIMP *program* and extracting the version therefrom, it appears instead to be detecting the "libgtk" *component* of the GIMP program, and extracting the version from that. Since the "libgtk" *component* is used by programs other than GIMP, e.g. Pidgin (and gnucash, apparently), this leads to a false positive detection of GIMP, even on systems where the GIMP *program* itself is *not* present. It also leads to an incorrect determination of the true version of the GIMP program on systems where it actually *is* present.

There also seems to be a logical error in comparing version numbers, but that doesn't appear to be the root cause of this false positive detection.

HTH...
-- EstherD
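The two problems raised in the posts above (a shared GTK DLL being treated as an instance of GIMP, and version strings compared the wrong way) can be shown side by side. This is an added example, not PSI's code, whose detection rules are not shown in this thread; the inventory is constructed from the paths quoted here, and the function names and the "version unknown" state are assumptions.

```python
import ntpath

# Constructed inventory: (path, file version), with None when the file
# carries no version information in its properties.
INVENTORY = [
    (r"C:\Program Files (x86)\GIMP-2.0\bin\libgtk-win32-2.0-0.dll", "2.16.6.0"),
    (r"C:\Program Files (x86)\GIMP-2.0\bin\gimp.exe", None),
    (r"C:\Program Files (x86)\Pidgin\Gtk\bin\libgtk-win32-2.0-0.dll", "2.16.6.0"),
]

GTK_DLL = "libgtk-win32-2.0-0.dll"
GIMP_EXE = "gimp.exe"


def parse_version(text):
    """Split a dotted version into integers so 2.16 sorts above 2.6."""
    return tuple(int(part) for part in text.split("."))


def version_less(a, b):
    """Numeric, segment-wise comparison; shorter versions are zero-padded."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return pa < pb


def naive_detect(inventory):
    """Flawed rule: any copy of the GTK DLL counts as an instance of GIMP."""
    return [(path, ver) for path, ver in inventory
            if ntpath.basename(path).lower() == GTK_DLL]


def anchored_detect(inventory):
    """Attribute an install to GIMP only when gimp.exe itself is present.

    The version is taken from the anchor file only; a bundled library's
    version is never substituted for the program's version.
    """
    found = []
    for path, ver in inventory:
        if ntpath.basename(path).lower() == GIMP_EXE:
            found.append((path, "version unknown" if ver is None else ver))
    return found
```

Even with a correct numeric comparison, checking the DLL's 2.16.6.0 against GIMP's 2.6.12 compares two unrelated version lines, which is why the anchored rule reports the program's version as unknown instead.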
ddmarshall RE: Install solution but no upgraded binary for GIMP 2.6.12
Dedicated Contributor 3rd Feb, 2012 16:58
Score: 1208
Posts: 960
User Since: 8th Nov 2008
System Score: 98%
Location: UK
@JimG

Failure of the program suggestion feature usually happens for one of the following reasons
1. https://secunia.com is not included in the list of sites in the Trusted Internet zone.
2. The executable that has been selected does not have version information in its properties.
Secunia need a file with version information.

--
This answer is provided “as-is.” You bear the risk of using it.
mbarley42 RE: Install solution but no upgraded binary for GIMP 2.6.12
Member 3rd Feb, 2012 17:04
Score: -4
Posts: 40
User Since: 17th Jun 2011
System Score: N/A
Location: HR
on 3rd Feb, 2012 16:58, ddmarshall wrote:
@JimG

Failure of the program suggestion feature usually happens for one of the following reasons
1. https://secunia.com is not included in the list of sites in the Trusted Internet zone.
2. The executable that has been selected does not have version information in its properties.
Secunia need a file with version information.


Hi @ddmarshall,

I haven't touched settings nor GIMP since last check on Wednesday.

What could it be?

Regards,
mt

--
Be the change you wish to see in the world.
Mahathma Gandhi
ddmarshall RE: Install solution but no upgraded binary for GIMP 2.6.12
Dedicated Contributor 3rd Feb, 2012 18:40
Score: 1208
Posts: 960
User Since: 8th Nov 2008
System Score: 98%
Location: UK
Last edited on 3rd Feb, 2012 18:45
I've no idea. Probably confusion caused by the release of 2.6.12 for Linux on 1st February 2012. Secunia updated this advisory the following day.
http://secunia.com/advisories/42771/

I was just trying to give JimG the reason he couldn't suggest gnucash as a missing program.

I think you will have to wait till Monday now for the Secunia Officials to get back.

--
This answer is provided “as-is.” You bear the risk of using it.
EricSchaap RE: Install solution but no upgraded binary for GIMP 2.6.12
Member 3rd Feb, 2012 18:55
Score: 1
Posts: 5
User Since: 17th May 2010
System Score: N/A
Location: NL
I agree, Pidgin, wireshark make use of the libgtk-win32-2.0-0.dll which is outdated. It is ONLY this DLL nothing else.......

I for one don't have GIMP installed.....
mtodorov RE: Install solution but no upgraded binary for GIMP 2.6.12
Member 7th Feb, 2012 12:35
Score: 12
Posts: 166
User Since: 20th Mar 2009
System Score: N/A
Location: HR
Last edited on 7th Feb, 2012 14:06
In the meantime, the following happened:

1. PSI stopped reporting GIMP 2.6.11 as vulnerable
2. GIMP 2.6.12 for Windows appeared indeed on
http://gimp-win.sourceforge.net/stable.html site

This IMHO may mean that PSI didn't lie, GIMP 2.6.11 for Windows indeed was and still is vulnerable, but the packager for Windows version had not yet issued the package at the time of PSI reporting the vulnerability on Windows, as @ddmarshall guessed earlier.

As for me, I'd like to know if a program is vulnerable even if it has no official patch yet. The PSI behavior is welcomed in reporting correct vulnerability except that solution offered was not available at the time.

Regards,
mt


--
"If a task is worth doing, it is worth doing right. If it is not worth doing well, it is not worth doing." -- Dr. Jack Hyles
<><
steffens RE: Install solution but no upgraded binary for GIMP 2.6.12
Member 7th Feb, 2012 14:35
Score: 47
Posts: 62
User Since: 25th Jul 2009
System Score: N/A
Location: US
Rescanned after receiving notice of the above post. Pleased to report that the false positive detection of the GIMP program that I reported a few days ago is no longer present. Thanks for the fix!
EricSchaap RE: Install solution but no upgraded binary for GIMP 2.6.12
Member 7th Feb, 2012 17:36
Score: 1
Posts: 5
User Since: 17th May 2010
System Score: N/A
Location: NL
Rescanned.

Still vulnerable: Pidgin and Wireshark

I don't have Gimp!!!!! So again issue is NOT related to Gimp!

Error in reporting tool.

Should mention the correct software. Most probably also not related to Pidgin and Wireshark as well.
mtodorov RE: Install solution but no upgraded binary for GIMP 2.6.12
Member 8th Feb, 2012 09:36
Score: 12
Posts: 166
User Since: 20th Mar 2009
System Score: N/A
Location: HR
Last edited on 8th Feb, 2012 10:02
Hi, @EricSchaap,

GIMP piggybacks a version of GTK lib, and so do these other programs. I guess PSI stumbled over this.

Can you tell me are the reports showing GIMP as vulnerable when GTK lib is detected, or is the Pidgin reported?

I wasn't able to find GIMP release notes for 2.6.11 and what bug was patched, nor a recent GTK bug. The things are completely blurred.

The fact that each program carries its own GTK lib is not particularly a lucky situation, leading to software bloat. Linux versions have clear dependencies to main GTK library that is in a separate package.

Regards,
mt


--
"If a task is worth doing, it is worth doing right. If it is not worth doing well, it is not worth doing." -- Dr. Jack Hyles
<><

ramonpadilla36

RE: Install solution but no upgraded binary for GIMP 2.6.12
This reply has been deleted
EricSchaap RE: Install solution but no upgraded binary for GIMP 2.6.12
Member 8th Feb, 2012 17:48
Score: 1
Posts: 5
User Since: 17th May 2010
System Score: N/A
Location: NL
on 8th Feb, 2012 09:36, mtodorov wrote:
Hi, @EricSchaap,

GIMP piggybacks a version of GTK lib, and so do these other programs. I guess PSI stumbled over this.

Can you tell me are the reports showing GIMP as vulnerable when GTK lib is detected, or is the Pidgin reported?

I wasn't able to find GIMP release notes for 2.6.11 and what bug was patched, nor a recent GTK bug. The things are completely blurred.

The fact that each program carries its own GTK lib is not particularly a lucky situation, leading to software bloat. Linux versions have clear dependencies to main GTK library that is in a separate package.

Regards,
mt


It reports GIMP as vulnerable. Looking into the details it points to libgtk-win32-2.0-0.dll
I know that Pidgin and Wireshark both use this libgtk-win32-2.0-0.dll.

The issue here is: PSI is not pointing to the correct software package. Which creates confusion.

Greetings,

Eric
Maurice Joyce RE: Install solution but no upgraded binary for GIMP 2.6.12
Handling Contributor 8th Feb, 2012 18:21
Score: 11720
Posts: 8,956
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Last edited on 9th Feb, 2012 10:20
@ramonpadilla36

As a new Forum member U should be aware that Secunia have a ZERO tolerance of advertising which is considered spam. I would remove this entry including the hyperlink as a matter of urgency otherwise the post will be deleted.

Deluxe CCTV is the leading manufacturer and distributor of video, audio surveillance, spy, covert cams, pepper sprays, hidden cameras, GPS trackers, and stun gun equipment, and has served more than two hundred thousand customer's world wide.


EDIT:
Post Deleted 09:19 09/02/2012

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
mtodorov RE: Install solution but no upgraded binary for GIMP 2.6.12
Member 9th Feb, 2012 12:00
Score: 12
Posts: 166
User Since: 20th Mar 2009
System Score: N/A
Location: HR
on 8th Feb, 2012 17:48, EricSchaap wrote:
It reports GIMP as vulnerable. Looking into the details it points to libgtk-win32-2.0-0.dll
I know that Pidgin and Wireshark both use this libgtk-win32-2.0-0.dll.

The issue here is: PSI is not pointing to the correct software package. Which creates confusion.

Greetings,

Eric


Hi, Eric,

What exact versions of Pidgin and Wireshark are you using? I have tested Pidgin 2.10.1 and Wireshark 64-bit 1.6.5.40429 on Windows 7 64-bit and they are both reported as "Patched".

Vulnerable GIMP isn't reported because of using GTK.

I am using PSI 2.0.0.4003.

Regards,
mt


--
"If a task is worth doing, it is worth doing right. If it is not worth doing well, it is not worth doing." -- Dr. Jack Hyles
<><
mtodorov RE: Install solution but no upgraded binary for GIMP 2.6.12
Member 9th Feb, 2012 12:03
Score: 12
Posts: 166
User Since: 20th Mar 2009
System Score: N/A
Location: HR
Catch 22:

Now my working GIMP installation 2.6.11 isn't reported in "Scan Results" window.

Regards,
mt


--
"If a task is worth doing, it is worth doing right. If it is not worth doing well, it is not worth doing." -- Dr. Jack Hyles
<><
EricSchaap RE: Install solution but no upgraded binary for GIMP 2.6.12
Member 9th Feb, 2012 17:41
Score: 1
Posts: 5
User Since: 17th May 2010
System Score: N/A
Location: NL
on 9th Feb, 2012 12:00, mtodorov wrote:
Hi, Eric,

What exact versions of Pidgin and Wireshark are you using? I have tested Pidgin 2.10.1 and Wireshark 64-bit 1.6.5.40429 on Windows 7 64-bit and they are both reported as "Patched".

Vulnerable GIMP isn't reported because of using GTK.

I am using PSI 2.0.0.4003.

Regards,
mt


I am using the latest portable ones of both programs

Regards,

Eric
mtodorov RE: Install solution but no upgraded binary for GIMP 2.6.12
Member 10th Feb, 2012 10:28
Score: 12
Posts: 166
User Since: 20th Mar 2009
System Score: N/A
Location: HR
on 9th Feb, 2012 17:41, EricSchaap wrote:
I am using the latest portable ones of both programs

Regards,

Eric


Hi Eric,

Haven't tried portable versions.

I just still see that GIMP still isn't shown in "Scan Results" list of PSI.

I agree with what was said here on forum, that is, detection of GIMP by GTK .dll is flawed inherently, since other programs have it bundled, too.

Regards,
mt


--
"If a task is worth doing, it is worth doing right. If it is not worth doing well, it is not worth doing." -- Dr. Jack Hyles
<><
Maurice Joyce RE: Install solution but no upgraded binary for GIMP 2.6.12
Handling Contributor 10th Feb, 2012 12:08
Score: 11720
Posts: 8,956
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Why not suggest the programme to Secunia using the tool provided?

U may have difficulty - I have just tested it & the main Gimp EXE file (& other EXE files) have got no meta data.




--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
EricSchaap RE: Install solution but no upgraded binary for GIMP 2.6.12
Member 10th Feb, 2012 12:10
Score: 1
Posts: 5
User Since: 17th May 2010
System Score: N/A
Location: NL
Apparently Secunia has solved the issue because after rescan yesterday evening the issue disappeared......
Maurice Joyce RE: Install solution but no upgraded binary for GIMP 2.6.12
Handling Contributor 10th Feb, 2012 15:27
Score: 11720
Posts: 8,956
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Eric,
Sorry I may have confused U. Secunia have removed this file GTK .dll which caused alarm with GIMP & other programmes users.

The latest statement/query from the originator is:

I just still see that GIMP still isn't shown in "Scan Results" list of PSI.

My reply to that is:

Why not suggest the programme to Secunia using the tool provided?

U may have difficulty - I have just tested it & the main Gimp EXE file (& other EXE files) have got no meta data.

Until that data is provided by the vendor/or a user finds a suitable file GIMP will not show.









--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
mtodorov RE: Install solution but no upgraded binary for GIMP 2.6.12
Member 13th Feb, 2012 17:19
Score: 12
Posts: 166
User Since: 20th Mar 2009
System Score: N/A
Location: HR
on 10th Feb, 2012 15:27, Maurice Joyce wrote:
Eric,
Sorry I may have confused U. Secunia have removed this file GTK .dll which caused alarm with GIMP & other programmes users.

The latest statement/query from the originator is:

I just still see that GIMP still isn't shown in "Scan Results" list of PSI.

My reply to that is:

Why not suggest the programme to Secunia using the tool provided?

U may have difficulty - I have just tested it & the main Gimp EXE file (& other EXE files) have got no meta data.

Until that data is provided by the vendor/or a user finds a suitable file GIMP will not show.


Thanks Mr. Joyce,

I see. This is completely different thing.

1. I haven't seen a program suggest option in PSI 2.0.0.4003.

2. Nor do I know how to read EXE meta data. Basically, GIMP desktop shortcut has a "2.6.11" comment, but I guess that's not reliable as .EXE meta data.

Thank you again.

Regards,
mt



--
"If a task is worth doing, it is worth doing right. If it is not worth doing well, it is not worth doing." -- Dr. Jack Hyles
<><
Maurice Joyce RE: Install solution but no upgraded binary for GIMP 2.6.12
Handling Contributor 13th Feb, 2012 17:35
Score: 11720
Posts: 8,956
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Last edited on 13th Feb, 2012 17:37
Open PSI>scan results>Above the scan results U will see a green icon with Are you missing a program? next to it.

Click that

A box appears with a browse button.

Click that & it opens Windows Explorer - now U need to navigate to your GIMP programme

By clicking on GIMP it reveals all the files in the right hand pane - click the main GIMP.exe file & U will see that Secunia will not accept it.

To investigate why it is unacceptable go back to the file U nominated - right click on it & select properties.

U will note that the vendor has not (at the time I tested it) included any file details. Without that it cannot be included as a programme on the Secunia database.



--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
mtodorov RE: Install solution but no upgraded binary for GIMP 2.6.12
Member 17th Feb, 2012 10:15
Score: 12
Posts: 166
User Since: 20th Mar 2009
System Score: N/A
Location: HR
Hi, Mr. Joyce,

I can confirm that c:\Program Files (x86)\GIMP-2.0\bin\gimp.exe cannot be submitted on my installation either.

I will try to contact the packager team.

It still isn't clear whether the program GIMP or GTK lib were vulnerable since I found no Secunia vulnerability report.

Regards,
mt


--
"If a task is worth doing, it is worth doing right. If it is not worth doing well, it is not worth doing." -- Dr. Jack Hyles
<><
Maurice Joyce RE: Install solution but no upgraded binary for GIMP 2.6.12
Handling Contributor 17th Feb, 2012 10:22
Score: 11720
Posts: 8,956
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Anything GIMP is here:

http://secunia.com/community/advisories/search/?se...





--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
mtodorov RE: Install solution but no upgraded binary for GIMP 2.6.12
Member 17th Feb, 2012 10:32
Score: 12
Posts: 166
User Since: 20th Mar 2009
System Score: N/A
Location: HR
Last edited on 17th Feb, 2012 10:33
on 17th Feb, 2012 10:22, Maurice Joyce wrote:
Anything GIMP is here:

http://secunia.com/community/advisories/search/?se...


Yep. I've seen that earlier. But, as you have seen, latest bug was in August 2011, nothing in February.

Probably it was Valentine cupid hitting someone so he missed the right vuln. :-)

Regards,
mt


--
"If a task is worth doing, it is worth doing right. If it is not worth doing well, it is not worth doing." -- Dr. Jack Hyles
<><
mtodorov RE: Install solution but no upgraded binary for GIMP 2.6.12
Member 17th Feb, 2012 10:44
Score: 12
Posts: 166
User Since: 20th Mar 2009
System Score: N/A
Location: HR
I have filed a bug report to GNOME community. That's as far as it gets ...

Regards,
mt


--
"If a task is worth doing, it is worth doing right. If it is not worth doing well, it is not worth doing." -- Dr. Jack Hyles
<><
mtodorov RE: Install solution but no upgraded binary for GIMP 2.6.12
Member 21st Feb, 2012 10:51
Score: 12
Posts: 166
User Since: 20th Mar 2009
System Score: N/A
Location: HR
Hi,

I have successfully uploaded GIMP 2.7.4 with Secunia 2.0.0.4003 program suggest feature.

As for bug report to GNOME developers, they said there will be no patches to 2.6.x tree.

regards,
mt


--
"If a task is worth doing, it is worth doing right. If it is not worth doing well, it is not worth doing." -- Dr. Jack Hyles
<><
