lcms dependency

Mark Wielaard mark at
Thu Dec 18 06:57:49 PST 2008

On Thu, 2008-12-18 at 15:36 +0100, Robert Schuster wrote:
> mjw answered on this at #classpath and was under the impression that the
> system provided lcms will be used. However it turned out that this is
> not true - the openjdk sources contain lcms.h and the implementation
> and those are used.
> This is especially interesting because there is a known security issue
> with lcms:

Just to follow up on this particular security issue. It seems we already
picked up the fixes for the issue mentioned in CVE-2008-5316, but we are
missing the fixes mentioned in CVE-2008-5317 in the sources we ship under

I haven't checked yet whether or not we actually build these in. If we
do, that is clearly a bug. We should be linking against the system
provided libraries, precisely to make sure these kinds of security issues
can be handled by the distributions.



More information about the distro-pkg-dev mailing list