GNOME Bugzilla – Bug 605310
GTK+ 2.16.5.0 has security vulnerability, fixed in 2.18.5.0
Last modified: 2010-01-07 16:42:46 UTC
A patch has been released for GTK+ to close a security vulnerability. The oldest GTK+ release including the patch is 2.18.5.0. Recommend that GTK+ 2.18.5.0 or newer be bundled with GIMP.
There are no "patches" that would be "released" for GTK+ sources. There are just releases. And the version number of the latest GTK+ source release is 2.18.5, there is no fourth number. Anyway, if you talk about the http://secunia.com/advisories/37852/ thing, that seems likely to be quite irrelevant on Windows. No need for scaremongering. If you have some concrete evidence to the contrary, please present them.
Furthermore, the commit to GTK+ sources that is said to fix bug #598476 , which I guess is what you and the Secunia "advisiory" are talking about, affects the function gdk_window_begin_implicit_paint() in gdk/gdkwindow.c. That function and the whole implicit paint concept, as far as I understand, didn't even exist in GTK+ before 2.18.
This comment did not appear when posted. I apologize if I am now creating a duplicate comment. Secunia is reporting a security vulnerability in GIMP and all other software which bundle GTK+ older than 2.18.5. Thank you for figuring out and sharing that pre-2.18 GTK+ cannot have this vulnerability. I will communicate with Secunia and try to get them to acknowledge and correct their advisory. The bug reporting guidelines explicitly say no bug is too small to report. Sorry if it was wrong to bring this to your attention --- perhaps the guidelines should be changed. If anyone is scaremongering, it is Secunia, so your scolding is perhaps misdirected.
*** Bug 606319 has been marked as a duplicate of this bug. ***