On Thu, 21 Feb 2013 18:33:03 +0100
Alberto <alber...@aol.it> wrote:

>I've checked again today after updating the distribution with the
>latest packages (including also libc6 and nouveau).
>
>With libgcrypt11 1.5 the bug is present (with https sites).
>With libgcrypt11 1.4.6 the bug doesn't show up.
>
>I think the bugs could be merged... but I think also it's pretty
>strange having an _assert_ inside a library (that's the case of cairo).

This behavior seems to be a memory management problem (overflow). It is
discussed further in this bug report:
https://bugs.freedesktop.org/show_bug.cgi?id=49719#c12


>I'm not therefore completely sure that only libgcrypt11 is responsible
>for this issue. Maybe there's something wrong also in cairo, but that's
>just a hypothesis without evidence.

I found this bug very similar to #640501, which is merged with
#640123, related to claws-mail. They both share the use of libgcrypt
through libgnutls26, and the bug appears only when doing an encrypted
connection. All other operations are running fine, like drawing
widgets and rendering fonts with gtk/cairo or making unencrypted
connections. Also, the bug appeared after upgrading libgcrypt.


>Still, I don't think it could be _secure_ having an outdated crypt
>library in a stable system.

Newer versions of gnutls (like libgnutls28) deprecated libgcrypt in
favor of libnettle, and when the affected applications are ported,
the bug will go away with libgcrypt.


>If libgcrypt11 is responsible for this, maybe this issue should be
>addressed before next stable.

I think so too. Also the severity should be raised.

Ciao

