Contents of /data/embedded-code-copies

Embedded code copies
====================

This file collects cases, where a source package embeds code from
other projects which is considered bad for fixing security flaws
because the fix needs to be applied in multiple source packages.

Format:
<srcpkg> (<optional comment about srcpkg>)
        - <embedding srcpkg> <status> (<sort>; bug #<number>)
        NOTE: optional comments about the linkage of the embedding srcpkg

xpdf code: (some use xpdf 2, some xpdf 3)
gpdf (has been replaced by evince - which uses poppler - in Etch)
pdftohtml (has been replaced by poppler-utils from the poppler source package, still in Etch, though)
kdegraphics/kpdf (okular, the kpdf replacement in KDE 4 is using poppler, #436164)
tetex-bin (links to poppler since 3.0-12)
texlive-bin (links to poppler)
cupsys (uses xpdf-utils, it's still present in the src, though)
poppler
koffice/kword (upstream is working on using poppler, #436163)
libextractor (uses internal pdf decoder since 0.5.12-1)
pdfkit.framework (links to poppler since 0.8-4)
ipe (only small parts, but with renamed source files: ipestdfonts.cpp, ipefonts.cpp, ipedct.cpp)
ruby-gnome2 (has a copy of poppler but links against the shared lib)

silc-toolkit:
silc-client (uses libsilc and libsilcclient)

dietlibc:
ccontrol (links statically)

libiax:
iaxmodem

zlib code: (lots of apps embed a copy, but link dynamically, but there are a few exceptions)
dpkg
rsync (somehow derived code base)
mono
mozilla(?)
Linux kernels
pvpgn (links dynamically since 1.7.8-2)
mrtg (links dynamically since 2.12.2-1)
rpm

libbz2:
dpkg (statically linked)

libgadu/ekg:
centericq
gaim
pigdin (links dynamically against libgadu)
kopete (ships the code, but links dynamically in the Debian package)
kadu (not packaged in Debian)
GNU gadu (not yet packaged in Debian)

xmlrpc: (which package is the "origin" of this code?)
drupal
phpgroupware
egroupware
phpwiki
php4 (php-pear, IIRC this was reorganized some weeks ago?)

shtool: (affects build-time only)
mysql-ocaml
php4 

mozilla:
mozilla-firefox
mozilla-thunderbird
firefox (to be removed)
thunderbird (to be removed)
iceweasel
iceape
icedove
xulrunner
nvu (no longer in Debian)

xli:
xloadimage

lesstif: (beware: two different lesstif APIs supported in one package, MOTIF 1.2 discarded upstream)
openmotif
xfree86/xorg (in libxpm)

kerberized apps with BSD origin:
krb4
krb5
heimdal

grip: (which pkg is the origin?)
libcdaudio
grip
gnome-vfs (vfs2 as well?)

fudforum:
phpgroupware-fudforum
egroupware-fudforum (removed from egroupware after sarge)

cvs:
gcvs (at least an additional script is included, check if there's more)

pcre:
all pythons
php4 (src included, but Debian package links dynamically)
analog (src included, but Debian package links dynamically)
libgoffice-1
vfu (removed linking against embedded copy in 4.06-4.1; #450754)
tf5 (since 5.0beta7 the Debian package links dynamically)
monotone (including this starting from 0.37)
glib (2.14 series for gregex support, only for udeb, regular packag links dynamic)
apache2 (since 2.0.53-4 uses 040_link_external_pcre patch)
exim4 (since 4.10-0.srh20.12 uses 36_pcre patch to use external pcre)
yacas (<= 1.0.x; is using pcre to scan text, can execute shell commands via the syntax anyway)
gtamsanalyzer.app (links dynamically since 0.42-5)

tiff:
wxpythongtk (check, which debian pkg this is in)
older kdegraphics/kpdf releases < 3.3 embedded a copy

uudeview:
libconvert-uulib-perl

sqlite: (not affected by security vulnerabilities so far)
amarok
monotone
iceweasel

util-linux/mount:
loop-aes-utils contains code from util-linux' mount in the mount-aes-udeb

webmin:
usermin (only in sarge)

sylpheed:
sylpheed-claws

phpsysinfo:
egroupware
phpgroupware

phpldapadmin:
egroupware (removed from egroupware after sarge)

chmlib:
kchmviewer (ships the code but links dynamically)

libavcodec/libavformat (source: ffmpeg):
mplayer (#395252)
xvidcap
kino (links statically, does not include code)
vlc (links statically, does not include code)
smilutils (links statically, does not include code)
motion (links statically, does not include code)
gst-ffmpeg
gstreamer0.10-ffmpeg
xmovie

mad MPEG decoding lib:
mad
xine-lib

libdts:
libdts
xine-lib

flac:
flac
xine-lib

liba52:
a52dec
xine-lib

libmpeg2:
mpeg2dec
xine-lib

curl:
wget (code for NTLM authentication)

TODO evaluate:
gimp-gap (potentially using ffmpeg code as well)

uw-imap:
pine
alpine

imagemagick:
graphicsmagick

halibut:
nsis

libghttp:
hotway

libsndfile:
ardour

glibmm2.4:
ardour

libgnomecanvasmm2.6:
ardour

libsigc++-2.0:
ardour

soundtouch:
ardour

libmms:
xine-lib
mimms

FCKeditor: (packaged as fckeditor)
knowledgeroot
moin (452599)
karrigell (452598)
gforge-plugins-extra (fixed since 4.6.99+svn6225-1)


Moodle contains lots of things:
AdoDB
AdoDB-XML Schema
ipatlas
PHPMailer
Smarty
htmlArea
TinyMCE
bennu

TinyMCE:
wordpress
moodle
knowledgeroot
joomla (ITP)

scintilla:
scite
qscintilla 
qscintilla2 
geany

libphp-adodb:
gallery2
phppgadmin
egroupware
phpwiki
ipplan
typo3
moodle
cacti (dependency exists, but internal version is used -- only in sarge, fixed in etch)

gzip:
linux-kernel (lib/inflate.c)
klibc (based on linux-kernel gzip code)
busybox

neon:
cadaver (all, but being worked on: #188381)
gnome-vfs2 (#395874)
litmus (#395875)
screem (sarge only)
sitecopy (#395876)
tla (etch/sid only: #395877)

libmodplug:
gst-plugins-bad0.10

libvncserver:
vino

putty:
filezilla

tinyxml (not packaged in Debian):
filezilla

gv:
evince (ps/ tree from gv 3.5.8)
evince-gtk (not packaged in Debian)

libXbae:
libpawlib2-lesstif package (from Cernlib)

libXaw:
libpawlib2-lesstif package (from Cernlib)

(I plan to deal with the above two cases after Etch release. -- KevinMcCarty)

libgd2:
graphviz (lib/gd seems to be 2.0.33)

rar:
unrar-nonfree

unrar-free: (maybe this code is derived from the original rar, too?)
clamav (seems to be disabled in default config)

mplayer (DirectMedia Object loader):
xine-lib (src/libw32dll/)
vlc (modules/codec/dmo/)

libwpd (WordPerfect converter):
openoffice.org

fsplib (http://sourceforge.net/projects/fsp/):
gftp (lib/fsplib version 0.3)

librpcsecgss:
krb5

jasper:
ghostscript
gs-gpl

libidn:
monotone

liblua:
monotone

libbotan:
montone

NetXX:
monotone

libgc:
mono

lzma:
p7zip

lzo:
grub2

pax code:
tar
cpio

t1lib:
tetex-bin (links to system t1lib since 2.0.2)
texlive-bin (links to system t1lib)

1	nion	7695	Embedded code copies
2			====================
3
4	jmm-guest	1586	This file collects cases, where a source package embeds code from
5	nion	7695	other projects which is considered bad for fixing security flaws
6			because the fix needs to be applied in multiple source packages.
7	jmm-guest	1586
8	nion	7695	Format:
9			<srcpkg> (<optional comment about srcpkg>)
10			- <embedding srcpkg> <status> (<sort>; bug #<number>)
11			NOTE: optional comments about the linkage of the embedding srcpkg
12
13	jmm-guest	1586	xpdf code: (some use xpdf 2, some xpdf 3)
14	jmm-guest	6249	gpdf (has been replaced by evince - which uses poppler - in Etch)
15			pdftohtml (has been replaced by poppler-utils from the poppler source package, still in Etch, though)
16	jmm-guest	6356	kdegraphics/kpdf (okular, the kpdf replacement in KDE 4 is using poppler, #436164)
17	jmm-guest	3477	tetex-bin (links to poppler since 3.0-12)
18	jamie-guest	7488	texlive-bin (links to poppler)
19	jmm-guest	6249	cupsys (uses xpdf-utils, it's still present in the src, though)
20	jmm-guest	1712	poppler
21	jmm-guest	6249	koffice/kword (upstream is working on using poppler, #436163)
22	jmm-guest	3854	libextractor (uses internal pdf decoder since 0.5.12-1)
23	jmm-guest	3446	pdfkit.framework (links to poppler since 0.8-4)
24	stef-guest	6146	ipe (only small parts, but with renamed source files: ipestdfonts.cpp, ipefonts.cpp, ipedct.cpp)
25	nion	7448	ruby-gnome2 (has a copy of poppler but links against the shared lib)
26	jmm-guest	1586
27	nion	6965	silc-toolkit:
28			silc-client (uses libsilc and libsilcclient)
29
30	nion	6967	dietlibc:
31			ccontrol (links statically)
32
33	nion	6969	libiax:
34			iaxmodem
35
36	jmm-guest	3042	zlib code: (lots of apps embed a copy, but link dynamically, but there are a few exceptions)
37	jmm-guest	1586	dpkg
38	jmm-guest	3042	rsync (somehow derived code base)
39	nion	7135	mono
40	jmm-guest	1586	mozilla(?)
41			Linux kernels
42	jmm-guest	2380	pvpgn (links dynamically since 1.7.8-2)
43	jmm-guest	3428	mrtg (links dynamically since 2.12.2-1)
44	stef-guest	5320	rpm
45	jmm-guest	1586
46	stef-guest	5320	libbz2:
47			dpkg (statically linked)
48
49	jmm-guest	1586	libgadu/ekg:
50			centericq
51	jmm-guest	1593	gaim
52	jmm-guest	7463	pigdin (links dynamically against libgadu)
53	jmm-guest	1588	kopete (ships the code, but links dynamically in the Debian package)
54	jmm-guest	1599	kadu (not packaged in Debian)
55	jmm-guest	3042	GNU gadu (not yet packaged in Debian)
56	jmm-guest	1586
57	jmm-guest	1588	xmlrpc: (which package is the "origin" of this code?)
58			drupal
59			phpgroupware
60			egroupware
61			phpwiki
62			php4 (php-pear, IIRC this was reorganized some weeks ago?)
63	jmm-guest	1586
64	jmm-guest	1588	shtool: (affects build-time only)
65			mysql-ocaml
66			php4
67
68			mozilla:
69			mozilla-firefox
70			mozilla-thunderbird
71	stef-guest	5320	firefox (to be removed)
72			thunderbird (to be removed)
73			iceweasel
74			iceape
75			icedove
76			xulrunner
77			nvu (no longer in Debian)
78	jmm-guest	1588
79			xli:
80			xloadimage
81
82	jmm-guest	3042	lesstif: (beware: two different lesstif APIs supported in one package, MOTIF 1.2 discarded upstream)
83	jmm-guest	1588	openmotif
84	jmm-guest	3042	xfree86/xorg (in libxpm)
85	jmm-guest	1588
86			kerberized apps with BSD origin:
87			krb4
88			krb5
89			heimdal
90
91			grip: (which pkg is the origin?)
92			libcdaudio
93			grip
94			gnome-vfs (vfs2 as well?)
95	stef-guest	1608
96			fudforum:
97			phpgroupware-fudforum
98	stef-guest	5320	egroupware-fudforum (removed from egroupware after sarge)
99	jmm-guest	1670
100			cvs:
101	jmm-guest	1755	gcvs (at least an additional script is included, check if there's more)
102	jmm-guest	1684
103			pcre:
104	jmm-guest	3042	all pythons
105	jmm-guest	1757	php4 (src included, but Debian package links dynamically)
106	joeyh	1834	analog (src included, but Debian package links dynamically)
107			libgoffice-1
108	nion	7629	vfu (removed linking against embedded copy in 4.06-4.1; #450754)
109	jmm-guest	2068	tf5 (since 5.0beta7 the Debian package links dynamically)
110	nion	7136	monotone (including this starting from 0.37)
111	micah	7271	glib (2.14 series for gregex support, only for udeb, regular packag links dynamic)
112	jamie-guest	7367	apache2 (since 2.0.53-4 uses 040_link_external_pcre patch)
113	jamie-guest	7368	exim4 (since 4.10-0.srh20.12 uses 36_pcre patch to use external pcre)
114	nion	7627	yacas (<= 1.0.x; is using pcre to scan text, can execute shell commands via the syntax anyway)
115	stef-guest	7683	gtamsanalyzer.app (links dynamically since 0.42-5)
116	jmm-guest	1758
117			tiff:
118			wxpythongtk (check, which debian pkg this is in)
119			older kdegraphics/kpdf releases < 3.3 embedded a copy
120	joeyh	1802
121			uudeview:
122			libconvert-uulib-perl
123	jmm-guest	1824
124			sqlite: (not affected by security vulnerabilities so far)
125			amarok
126	stef-guest	6985	monotone
127	jmm-guest	7212	iceweasel
128	jmm-guest	1828
129	jmm-guest	2037	util-linux/mount:
130			loop-aes-utils contains code from util-linux' mount in the mount-aes-udeb
131	jmm-guest	2104
132			webmin:
133	stef-guest	5320	usermin (only in sarge)
134	jmm-guest	2714
135			sylpheed:
136			sylpheed-claws
137	jmm-guest	2751
138			phpsysinfo:
139			egroupware
140	jmm-guest	2800	phpgroupware
141
142			phpldapadmin:
143	stef-guest	5320	egroupware (removed from egroupware after sarge)
144	jmm-guest	2800
145	jmm-guest	2889	chmlib:
146	nion	7385	kchmviewer (ships the code but links dynamically)
147	jmm-guest	2800
148	jmm-guest	7214	libavcodec/libavformat (source: ffmpeg):
149			mplayer (#395252)
150	stef-guest	5320	xvidcap
151	jmm-guest	3075	kino (links statically, does not include code)
152			vlc (links statically, does not include code)
153			smilutils (links statically, does not include code)
154			motion (links statically, does not include code)
155	fw	3061	gst-ffmpeg
156	stef-guest	5048	gstreamer0.10-ffmpeg
157			xmovie
158	jmm-guest	2948
159			mad MPEG decoding lib:
160			mad
161			xine-lib
162
163			libdts:
164			libdts
165			xine-lib
166
167			flac:
168			flac
169			xine-lib
170
171			liba52:
172			a52dec
173			xine-lib
174
175			libmpeg2:
176			mpeg2dec
177			xine-lib
178
179	jmm-guest	2965	curl:
180			wget (code for NTLM authentication)
181	jmm-guest	3093
182			TODO evaluate:
183	jmm-guest	3320	gimp-gap (potentially using ffmpeg code as well)
184
185			uw-imap:
186			pine
187	stef-guest	6985	alpine
188	jmm-guest	3402
189			imagemagick:
190	micah	3537	graphicsmagick
191
192			halibut:
193			nsis
194
195			libghttp:
196			hotway
197
198	nion	6869	libsndfile:
199			ardour
200
201			glibmm2.4:
202			ardour
203
204			libgnomecanvasmm2.6:
205			ardour
206
207			libsigc++-2.0:
208			ardour
209
210			soundtouch:
211			ardour
212
213	stef-guest	4495	libmms:
214			xine-lib
215			mimms
216	stef-guest	4517
217	jmm-guest	7383	FCKeditor: (packaged as fckeditor)
218	stef-guest	4517	knowledgeroot
219	jmm-guest	7383	moin (452599)
220			karrigell (452598)
221	jmm-guest	7384	gforge-plugins-extra (fixed since 4.6.99+svn6225-1)
222	stef-guest	4517
223	jmm-guest	7383
224
225	neilm	4838	Moodle contains lots of things:
226			AdoDB
227			AdoDB-XML Schema
228			ipatlas
229			PHPMailer
230			Smarty
231			htmlArea
232			TinyMCE
233			bennu
234
235	stef-guest	4517	TinyMCE:
236			wordpress
237			moodle
238			knowledgeroot
239			joomla (ITP)
240
241	micah	4767	scintilla:
242	micah	4561	scite
243			qscintilla
244	micah	7091	qscintilla2
245	micah	4561	geany
246	stef-guest	4706
247	micah	4767	libphp-adodb:
248	stef-guest	4706	gallery2
249			phppgadmin
250			egroupware
251			phpwiki
252	nion	7236	ipplan
253	nion	7226	typo3
254	stef-guest	4706	moodle
255	neilm	4835	cacti (dependency exists, but internal version is used -- only in sarge, fixed in etch)
256	stef-guest	4706
257	micah	4767	gzip:
258			linux-kernel (lib/inflate.c)
259			klibc (based on linux-kernel gzip code)
260	micah	4808	busybox
261	micah	4767
262	neilm	4891	neon:
263			cadaver (all, but being worked on: #188381)
264			gnome-vfs2 (#395874)
265			litmus (#395875)
266			screem (sarge only)
267			sitecopy (#395876)
268			tla (etch/sid only: #395877)
269	stef-guest	5319
270			libmodplug:
271			gst-plugins-bad0.10
272	stef-guest	5320
273			libvncserver:
274			vino
275
276			putty:
277			filezilla
278
279			tinyxml (not packaged in Debian):
280			filezilla
281
282			gv:
283			evince (ps/ tree from gv 3.5.8)
284			evince-gtk (not packaged in Debian)
285	stef-guest	5321
286			libXbae:
287			libpawlib2-lesstif package (from Cernlib)
288
289			libXaw:
290			libpawlib2-lesstif package (from Cernlib)
291
292			(I plan to deal with the above two cases after Etch release. -- KevinMcCarty)
293
294			libgd2:
295			graphviz (lib/gd seems to be 2.0.33)
296	stef-guest	5440
297			rar:
298			unrar-nonfree
299
300			unrar-free: (maybe this code is derived from the original rar, too?)
301			clamav (seems to be disabled in default config)
302
303	keescook-guest	5526	mplayer (DirectMedia Object loader):
304			xine-lib (src/libw32dll/)
305			vlc (modules/codec/dmo/)
306	alec-guest	5564
307			libwpd (WordPerfect converter):
308			openoffice.org
309	keescook-guest	6298
310			fsplib (http://sourceforge.net/projects/fsp/):
311			gftp (lib/fsplib version 0.3)
312	keescook-guest	6498
313			librpcsecgss:
314			krb5
315	stef-guest	6985
316	keescook-guest	7007	jasper:
317			ghostscript
318			gs-gpl
319
320	nion	7136	libidn:
321			monotone
322	micah	7134
323	nion	7136	liblua:
324			monotone
325
326			libbotan:
327			montone
328
329			NetXX:
330			monotone
331
332	nion	7135	libgc:
333			mono
334	white	7203
335	jmm-guest	7212	lzma:
336			p7zip
337
338			lzo:
339			grub2
340
341	white	7203	pax code:
342			tar
343			cpio
344	jamie-guest	7487
345			t1lib:
346	jamie-guest	7503	tetex-bin (links to system t1lib since 2.0.2)
347			texlive-bin (links to system t1lib)
348	jamie-guest	7487