CVE Request: OpenJDK and lcms2 2.5 release fixes various denial of service issues in lcms2

[Marcus Meissner <meissner () suse de>]

Hi,

The lcms2 2.4 -> 2.5 version upgrade fixes various crashes that could be used
by attackers to crash (NULL ptr deref) programs using lcms2, like e.g. OpenJDK 7

This was found in the embedded copy within OpenJDK7 first, then merged to lcms2.

http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-July/023895.html

lcms2 related issues in there:
 * S8007925: Improve cmsStageAllocLabV2ToV4curves
 * S8007926: Improve cmsPipelineDup
 * S8007927: Improve cmsAllocProfileSequenceDescription
 * S8007929: Improve CurvesAlloc
 * S8009654: Improve stability of cmsnamed

All covered by lcms2 in this commit (I think):
https://github.com/mm2/Little-CMS/commit/91c2db7f2559be504211b283bc3a2c631d6f06d9

These probably can get just 1 CVE, although I do not know the OpenJDK IcedTea side
of the story.

https://bugzilla.novell.com/show_bug.cgi?id=826097#c9 has the research into
more of these stability commits in lcms2 by my colleague Stanislav Brabec.
Not sure if they should get seperate CVEs or not.

Ciao, Marcus