LittleCMS (or lcms) prior to v1.18beta2 contains various integer overflow, buffer overflow and memory leak errors. At least one of these bugs is a stack-based buffer overflow which is good for arbitrary code execution. I have an exploit that works on my Ubuntu-8.10 laptop but am holding off on releasing it just yet.
The most serious bug is a stack-based buffer overflow in ReadSetOfCurves() in cmsio1.c. With some code paths, validation of the number of channels in the ICC profile is not performed. This leads to an overflow of the "Curves" stack buffer. The overflow data is not arbitrarily user controlled; it's pointers to heap chunks where the attacker has partial control over the contents of the heap chunks. That's good enough for an exploit on many systems.
Full technical details: http://scary.beasts.org/security/CESA-2009-003.html
Blog post: http://scarybeastsecurity.blogspot.com/2009/03/littlecms-vulnerabilities.html
The blog post goes into a little more detail on which attack surfaces LittleCMS is present, and which system-level defenses mitigate this vulnerability.