Wireshark mailing list archives

Re: Security issue being reported by the SecuniaPSI scanner.


From: "Anders Broman" <a.broman () telia com>
Date: Thu, 7 Jan 2010 09:13:27 +0100

Hi,
At the time of 1.2.5, GTK 2.16.2 was the latest version...
Besides, gdk_window_begin_implicit_paint() is not used by Wireshark.
So most probably this is a non-issue.
Regards
Anders

-----Original Message-----
From: wireshark-dev-bounces () wireshark org
[mailto:wireshark-dev-bounces () wireshark org] On Behalf Of Richard Brooks
Sent: 7 January 2010 06:37
To: 'Developer support list for Wireshark'
Subject: Re: [Wireshark-dev] Security issue being reported by the SecuniaPSI
scanner.

True, but if all it takes to put it right is to include the later version,
then why not include the later version?

Regards
Richard
<RichardBUK () Sky com>
 
 


-----Original Message-----
From: wireshark-dev-bounces () wireshark org
[mailto:wireshark-dev-bounces () wireshark org] On Behalf Of Bill Meier
Sent: 06 January 2010 22:47
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] Security issue being reported by the Secunia
PSI scanner.

Stephen Fisher wrote:
On Jan 6, 2010, at 3:20 PM, Richard Brooks wrote:

Hello Bill, in my last email I neglected to add the Secunia report  
information you asked for.

Your screenshots show that you're running Wireshark v1.2.5 with GTK+  
2.16.2.  I don't see anything that says "security" in the release  
notes (news) for GTK+ from v2.16.2 -> the latest 2.16, which is 2.16.6:

      http://ftp.acc.umu.se/pub/gnome/sources/gtk+/2.16/gtk+-2.16.6.news
      http://ftp.acc.umu.se/pub/gnome/sources/gtk+/2.16/gtk+-2.16.5.news
      http://ftp.acc.umu.se/pub/gnome/sources/gtk+/2.16/gtk+-2.16.4.news
      http://ftp.acc.umu.se/pub/gnome/sources/gtk+/2.16/gtk+-2.16.3.news

This is still something worth looking into.  I see that GTK+ 2.18.x is
the current stable maintained branch, while 2.16.x is "old" but "but
in some respects more stable" (http://www.gtk.org/download-windows.html).


Steve


Going one level deeper: It turns out that the Secunia Security ID which
is being reported is SA37852: GTK+ "gdk_window_begin_implicit_paint()" 
Foreign Windows Weakness.

http://secunia.com/advisories/37852/

Among other things the advisory says "fixed in GTK 2.18.5".

The security level is reported as "not critical".



___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
