lcms dependency
Andrew John Hughes
gnu_andrew at member.fsf.org
Fri Dec 19 11:11:26 PST 2008
2008/12/18 Mark Wielaard <mark at klomp.org>:
> On Thu, 2008-12-18 at 15:36 +0100, Robert Schuster wrote:
>> mjw answered on this at #classpath and was under the impression that the
>> system provided lcms will be used. However it turned out that this is
>> not true - the openjdk sources contain lcms.h and the implementation
>> and those are used.
>>
>> This is especially interesting because there is a known security issue
>> with lcms:
>> http://www.debian.org/security/2008/dsa-1684
>
> Just to follow up on this particular security issue. It seems we already
> picked up the fixes for the issue mentioned in CVE-2008-5316, but we are
> missing the fixes mentioned in CVE-2008-5317 in the sources we ship under
> jdk/src/share/native/sun/java2d/cmm/lcms.
>
> I haven't checked yet whether or not we actually build these in. If we
> do, that is clearly a bug. We should be linking against the system
> provided libraries, precisely to make sure these kinds of security issues
> can be handled by the distributions.
>
> Cheers,
>
> Mark
>
>
We are building ./control/build/linux-amd64/lib/amd64/liblcms.so
--
Andrew :-)
Support Free Java!
Contribute to GNU Classpath and the OpenJDK
http://www.gnu.org/software/classpath
http://openjdk.java.net
PGP Key: 94EFD9D8 (http://subkeys.pgp.net)
Fingerprint: F8EF F1EA 401E 2E60 15FA 7927 142C 2591 94EF D9D8
More information about the distro-pkg-dev
mailing list