lcms dependency

Andrew John Hughes gnu_andrew at member.fsf.org
Fri Dec 19 14:39:02 PST 2008


2008/12/19 Andrew John Hughes <gnu_andrew at member.fsf.org>:
> 2008/12/18 Mark Wielaard <mark at klomp.org>:
>> On Thu, 2008-12-18 at 15:36 +0100, Robert Schuster wrote:
>>> mjw answered on this at #classpath and was under the impression that the
>>> system provided lcms will be used. However it turned out that this is
>>> not true - the openjdk sources contain lcms.h and the implementation
>>> and those are used.
>>>
>>> This is especially interesting because there is a known security issue
>>> with lcms:
>>> http://www.debian.org/security/2008/dsa-1684
>>
>> Just to follow up on this particular security issue. It seems we already
>> picked up the fixes for the issue mentioned in CVE-2008-5316, but we are
>> missing the fixes mentioned in CVE-2008-5317 in the sources we ship under
>> jdk/src/share/native/sun/java2d/cmm/lcms.
>>
>> I haven't checked yet whether or not we actually build these in. If we
>> do, that is clearly a bug. We should be linking against the system
>> provided libraries, precisely to make sure these kinds of security issues
>> can be handled by the distributions.
>>
>> Cheers,
>>
>> Mark
>>
>>
>
> We are building ./control/build/linux-amd64/lib/amd64/liblcms.so
> --
> Andrew :-)
>
> Support Free Java!
> Contribute to GNU Classpath and the OpenJDK
> http://www.gnu.org/software/classpath
> http://openjdk.java.net
>
> PGP Key: 94EFD9D8 (http://subkeys.pgp.net)
> Fingerprint: F8EF F1EA 401E 2E60 15FA  7927 142C 2591 94EF D9D8
>

This is why we aren't building against the system LCMS:

http://mail.openjdk.java.net/pipermail/2d-dev/2008-April/000228.html

The system LCMS does not contain _cmsModifyTagData and given the patch
alters other parts of LCMS, I don't see how we can.  This needs to go
upstream.
-- 
Andrew :-)
