lcms dependency
Mark Wielaard
mark at klomp.org
Thu Dec 18 06:57:49 PST 2008
On Thu, 2008-12-18 at 15:36 +0100, Robert Schuster wrote:
> mjw answered on this at #classpath and was under the impression that the
> system provided lcms will be used. However it turned out that this is
> not true - the openjdk sources contain lcms.h and the implementation
> and those are used.
>
> This is especially interesting because there is a known security issue
> with lcms:
> http://www.debian.org/security/2008/dsa-1684

Just to follow up on this particular security issue. It seems we already
picked up the fixes for the issue mentioned in CVE-2008-5316, but we are
missing the fixes mentioned in CVE-2008-5317 in the sources we ship under
jdk/src/share/native/sun/java2d/cmm/lcms.

I haven't checked yet whether or not we actually build these in. If we
do, that is clearly a bug. We should be linking against the system
provided libraries, precisely to make sure these kinds of security issues
can be handled by the distributions.

Cheers,
Mark