lcms dependency

Mark Wielaard mark at klomp.org
Sun Dec 21 03:24:45 PST 2008


Hi Andrew (added CC Keith since he wrote the original patch),

On Fri, 2008-12-19 at 22:39 +0000, Andrew John Hughes wrote:
> 2008/12/19 Andrew John Hughes <gnu_andrew at member.fsf.org>:
> > 2008/12/18 Mark Wielaard <mark at klomp.org>:
> >> On Thu, 2008-12-18 at 15:36 +0100, Robert Schuster wrote:
> >>> mjw answered on this at #classpath and was under the impression that the
> >>> system provided lcms will be used. However it turned out that this is
> >>> not true - the openjdk sources contain lcms.h and the implementation
> >>> and those are used.
> >>>
> >>> This is especially interesting because there is a known security issue
> >>> with lcms:
> >>> http://www.debian.org/security/2008/dsa-1684
> >>
> >> Just to followup on this particular security issue. It seems we already
> >> picked up the fixes for the issue mentioned in CVE-2008-5316, but we are
> >> missing the fixes mentioned in CVE-2008-5317 in the sources we ship under
> >> jdk/src/share/native/sun/java2d/cmm/lcms.
> >
> > We are building ./control/build/linux-amd64/lib/amd64/liblcms.so
>
> This is why we aren't building against the system LCMS:
> 
> http://mail.openjdk.java.net/pipermail/2d-dev/2008-April/000228.html
> 
> The system LCMS does not contain _cmsModifyTagData and given the patch
> alters other parts of LCMS, I don't see how we can.  This needs to go
> upstream.

Urgh. Yeah. I can see why it might be a non-trivial patch to push
upstream seeing that it adds a class of modifications that were not
earlier supported. But having to ship outdated lcms sources (that
currently are missing some security fixes) seems pretty bad :{

Keith, did you ever try to push this upstream?

Thanks,

Mark
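The two facts the thread turns on can be checked on a built JDK rather than argued from the build files: whether a JDK native library links the distribution's shared liblcms (ldd lists a liblcms.so.N dependency) or carries its own bundled copy (no such line), and whether the lcms actually in use exports _cmsModifyTagData, the entry point the OpenJDK patch adds and stock lcms does not have. The script below is an added example and is not code from this thread, from OpenJDK or from IcedTea; the ldd and nm -D outputs embedded in it are constructed for illustration, not captured from a real build, and the library path it inspects is whatever the caller passes.

```shell
#!/bin/sh
# Added example (not from the thread, OpenJDK or IcedTea): classify a JDK
# native library by (1) whether it depends on a shared system liblcms and
# (2) whether the lcms it uses exports _cmsModifyTagData.
# Sample ldd/nm outputs below are constructed, not captured from a real build.

# True when $1 (ldd output) lists a shared liblcms dependency, i.e. a line like
#     liblcms.so.1 => /usr/lib64/liblcms.so.1 (0x...)
# A JDK built from the bundled sources compiles lcms into its own liblcms.so
# and shows no such line.
uses_system_lcms() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*liblcms[^[:space:]]*\.so(\.[0-9]+)*[[:space:]]*=>'
}

# True when $1 (nm -D output) defines symbol $2 in the text section ('T').
# A 'U' entry would mean the library imports the symbol rather than providing it.
exports_symbol() {
    printf '%s\n' "$1" | grep -Eq "[[:space:]]T[[:space:]]+$2\$"
}

# One-line verdict for a library, given its ldd output ($1) and nm -D output ($2).
lcms_verdict() {
    if uses_system_lcms "$1"; then origin="system lcms"; else origin="bundled lcms"; fi
    if exports_symbol "$2" _cmsModifyTagData; then hook="has _cmsModifyTagData"
    else hook="no _cmsModifyTagData"; fi
    echo "$origin, $hook"
}

# Constructed sample: a JDK built from the bundled lcms sources.  No liblcms.so
# line in ldd, and the patched symbol is defined in the JDK's own liblcms.so.
SAMPLE_LDD_BUNDLED='	linux-vdso.so.1 =>  (0x00007fff5e3fe000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f2a1c000000)'
SAMPLE_NM_BUNDLED='0000000000012340 T _cmsModifyTagData
0000000000011a20 T cmsOpenProfileFromMem
                 U malloc'

# Constructed sample: a hypothetical build against the distro package.  ldd
# shows liblcms.so.1, and the JDK-side glue would have to import the symbol
# (U) because stock lcms does not define it.
SAMPLE_LDD_SYSTEM='	liblcms.so.1 => /usr/lib64/liblcms.so.1 (0x00007f2a1c400000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f2a1c000000)'
SAMPLE_NM_SYSTEM='0000000000011a20 T cmsOpenProfileFromMem
                 U _cmsModifyTagData
                 U malloc'

if [ -n "$1" ]; then
    # Real run, e.g.:  sh lcms_check.sh build/linux-amd64/lib/amd64/liblcms.so
    lcms_verdict "$(ldd "$1")" "$(nm -D "$1")"
else
    echo "bundled sample: $(lcms_verdict "$SAMPLE_LDD_BUNDLED" "$SAMPLE_NM_BUNDLED")"
    echo "system sample:  $(lcms_verdict "$SAMPLE_LDD_SYSTEM" "$SAMPLE_NM_SYSTEM")"
fi
```

Run it against the liblcms.so the build produces and against the other JDK native libraries that use lcms; a "bundled lcms" verdict is the condition under which the tree's own copy of the lcms sources, and whatever CVE fixes it is missing, is what ships.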




More information about the distro-pkg-dev mailing list