From: Sandro T. <mo...@de...> - 2015-02-12 21:34:40
On Mon, Feb 9, 2015 at 1:00 AM, Thomas Caswell <tca...@gm...> wrote:
> Sorry about the bad tarball, I forgot to clean my git directory before
> generating it. Another point in favor of using the gh tarball, I can't
> screw it up.

I switched to the GH tarball, but I must say they are a lot different from the SF ones (now we have 3 copies of the examples, in doc/mpl_examples, lib/mpl_examples and examples) and contain quite a lot more files (like the whole unit/ tree) and development files (.travis, .gitignore and friends), but if that's a more reliable way to get a new tarball, I'm all for it - let's use this in the future :)

> This is the first I have seen that CVE.
>
> That PR is not included in 1.4.3 because it completely overhauls how the
> Agg rendering works (and generated a whole bunch of other bugs along the
> way).
>
> Mike: Is there a way to fix up the security issues reported on just the
> 1.4.x branch without pulling that whole patch back?

There is a patch [1] attached to the Debian bug [2]; I'm about to apply it to the package and see how it goes. You might want to investigate and apply it in the final release.

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=matplotlib-printf-buffer-overrun.patch;att=1;bug=775691
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775691

Cheers,
--
Sandro Tosi (aka morph, morpheus, matrixhasu)
My website: http://matrixhasu.altervista.org/
Me at Debian: http://wiki.debian.org/SandroTosi