Contents of /data/embedded-code-copies

Embedded code copies
====================

This file collects cases, where a source package embeds code from
other projects which is considered bad for fixing security flaws
because the fix needs to be applied in multiple source packages.

Format:
<srcpkg> (<optional comment about srcpkg>)
        - <embedding srcpkg> <status> (<sort>; bug #<number>)
        NOTE: optional comments about the linkage of the embedding srcpkg

status: version number fixing the embedded copy, <unfixed> or <unknown> if the version number can not be determined
sort: static/dynamic

xpdf (some srcpkgs use xpdf2 code, some xpdf3 code)
        - gpdf <unfixed>
        NOTE: only present in sarge, has been replaced by evince in etch
        - pdftohtml <unfixed>
        NOTE: has been replaced by poppler-utils, only present in sarge/etch
        - kdegraphics <unfixed> (static; bug #436164)
        NOTE: the kpdf replacement in KDE 4 is using poppler
        - tetex-bin 3.0-12 (dynamic)
        NOTE: links to poppler
        - texlive-bin <unknown> (dynamic)
        NOTE: links to poppler
        - koffice <unfixed> (static; bug #436163)
        - libextractor 0.5.12-1 (static)
        NOTE: libextractor is using its own pdf decoder
        - libextractor 0.5.12-1 (dynamic)
        NOTE: links to poppler
        - pdfkit.framework 0.8-4 (dynamic)
        NOTE: links to poppler
        - ipe <unfixed> (static)
        NOTE: embeds small parts with renamed source files: ipestdfonts.cpp, ipefonts.cpp, ipedct.cpp
        - ruby-gnome2 <unknown> (dynamic)
        NOTE: copy only present in source but links to poppler

silc-toolkit:
silc-client (uses libsilc and libsilcclient)

dietlibc:
ccontrol (links statically)

libiax:
iaxmodem

zlib code: (lots of apps embed a copy, but link dynamically, but there are a few exceptions)
dpkg
rsync (somehow derived code base)
mono
mozilla(?)
Linux kernels
pvpgn (links dynamically since 1.7.8-2)
mrtg (links dynamically since 2.12.2-1)
rpm

libbz2:
dpkg (statically linked)

libgadu/ekg:
centericq
gaim
pigdin (links dynamically against libgadu)
kopete (ships the code, but links dynamically in the Debian package)
kadu (not packaged in Debian)
GNU gadu (not yet packaged in Debian)

xmlrpc: (which package is the "origin" of this code?)
drupal
phpgroupware
egroupware
phpwiki
php4 (php-pear, IIRC this was reorganized some weeks ago?)

shtool: (affects build-time only)
mysql-ocaml
php4 

mozilla:
mozilla-firefox
mozilla-thunderbird
firefox (to be removed)
thunderbird (to be removed)
iceweasel
iceape
icedove
xulrunner
nvu (no longer in Debian)

xli:
xloadimage

lesstif: (beware: two different lesstif APIs supported in one package, MOTIF 1.2 discarded upstream)
openmotif
xfree86/xorg (in libxpm)

kerberized apps with BSD origin:
krb4
krb5
heimdal

grip: (which pkg is the origin?)
libcdaudio
grip
gnome-vfs (vfs2 as well?)

fudforum:
phpgroupware-fudforum
egroupware-fudforum (removed from egroupware after sarge)

cvs:
gcvs (at least an additional script is included, check if there's more)

pcre:
all pythons
php4 (src included, but Debian package links dynamically)
analog (src included, but Debian package links dynamically)
libgoffice-1
vfu (removed linking against embedded copy in 4.06-4.1; #450754)
tf5 (since 5.0beta7 the Debian package links dynamically)
monotone (including this starting from 0.37)
glib (2.14 series for gregex support, only for udeb, regular packag links dynamic)
apache2 (since 2.0.53-4 uses 040_link_external_pcre patch)
exim4 (since 4.10-0.srh20.12 uses 36_pcre patch to use external pcre)
yacas (<= 1.0.x; is using pcre to scan text, can execute shell commands via the syntax anyway)
gtamsanalyzer.app (links dynamically since 0.42-5)

tiff:
wxpythongtk (check, which debian pkg this is in)
older kdegraphics/kpdf releases < 3.3 embedded a copy

uudeview:
libconvert-uulib-perl

sqlite: (not affected by security vulnerabilities so far)
amarok
monotone
iceweasel

util-linux/mount:
loop-aes-utils contains code from util-linux' mount in the mount-aes-udeb

webmin:
usermin (only in sarge)

sylpheed:
sylpheed-claws

phpsysinfo:
egroupware
phpgroupware

phpldapadmin:
egroupware (removed from egroupware after sarge)

chmlib:
kchmviewer (ships the code but links dynamically)

libavcodec/libavformat (source: ffmpeg):
mplayer (#395252)
xvidcap
kino (links statically, does not include code)
vlc (links statically, does not include code)
smilutils (links statically, does not include code)
motion (links statically, does not include code)
gst-ffmpeg
gstreamer0.10-ffmpeg
xmovie

mad MPEG decoding lib:
mad
xine-lib

libdts:
libdts
xine-lib

flac:
flac
xine-lib

liba52:
a52dec
xine-lib

libmpeg2:
mpeg2dec
xine-lib

curl:
wget (code for NTLM authentication)

TODO evaluate:
gimp-gap (potentially using ffmpeg code as well)

uw-imap:
pine
alpine

imagemagick:
graphicsmagick

halibut:
nsis

libghttp:
hotway

libsndfile:
ardour

glibmm2.4:
ardour

libgnomecanvasmm2.6:
ardour

libsigc++-2.0:
ardour

soundtouch:
ardour

libmms:
xine-lib
mimms

FCKeditor: (packaged as fckeditor)
knowledgeroot
moin (452599)
karrigell (452598)
gforge-plugins-extra (fixed since 4.6.99+svn6225-1)


Moodle contains lots of things:
AdoDB
AdoDB-XML Schema
ipatlas
PHPMailer
Smarty
htmlArea
TinyMCE
bennu

TinyMCE:
wordpress
moodle
knowledgeroot
joomla (ITP)

scintilla:
scite
qscintilla 
qscintilla2 
geany

libphp-adodb:
gallery2
phppgadmin
egroupware
phpwiki
ipplan
typo3
moodle
cacti (dependency exists, but internal version is used -- only in sarge, fixed in etch)

gzip:
linux-kernel (lib/inflate.c)
klibc (based on linux-kernel gzip code)
busybox

neon:
cadaver (all, but being worked on: #188381)
gnome-vfs2 (#395874)
litmus (#395875)
screem (sarge only)
sitecopy (#395876)
tla (etch/sid only: #395877)

libmodplug:
gst-plugins-bad0.10

libvncserver:
vino

putty:
filezilla

tinyxml (not packaged in Debian):
filezilla

gv:
evince (ps/ tree from gv 3.5.8)
evince-gtk (not packaged in Debian)

libXbae:
libpawlib2-lesstif package (from Cernlib)

libXaw:
libpawlib2-lesstif package (from Cernlib)

(I plan to deal with the above two cases after Etch release. -- KevinMcCarty)

libgd2:
graphviz (lib/gd seems to be 2.0.33)

rar:
unrar-nonfree

unrar-free: (maybe this code is derived from the original rar, too?)
clamav (seems to be disabled in default config)

mplayer (DirectMedia Object loader):
xine-lib (src/libw32dll/)
vlc (modules/codec/dmo/)

libwpd (WordPerfect converter):
openoffice.org

fsplib (http://sourceforge.net/projects/fsp/):
gftp (lib/fsplib version 0.3)

librpcsecgss:
krb5

jasper:
ghostscript
gs-gpl

libidn:
monotone

liblua:
monotone

libbotan:
montone

NetXX:
monotone

libgc:
mono

lzma:
p7zip

lzo:
grub2

pax code:
tar
cpio

t1lib:
tetex-bin (links to system t1lib since 2.0.2)
texlive-bin (links to system t1lib)

1	nion	7695	Embedded code copies
2			====================
3
4	jmm-guest	1586	This file collects cases, where a source package embeds code from
5	nion	7695	other projects which is considered bad for fixing security flaws
6			because the fix needs to be applied in multiple source packages.
7	jmm-guest	1586
8	nion	7695	Format:
9			<srcpkg> (<optional comment about srcpkg>)
10			- <embedding srcpkg> <status> (<sort>; bug #<number>)
11			NOTE: optional comments about the linkage of the embedding srcpkg
12
13	nion	7696	status: version number fixing the embedded copy, <unfixed> or <unknown> if the version number can not be determined
14			sort: static/dynamic
15	jmm-guest	1586
16	nion	7696	xpdf (some srcpkgs use xpdf2 code, some xpdf3 code)
17			- gpdf <unfixed>
18			NOTE: only present in sarge, has been replaced by evince in etch
19			- pdftohtml <unfixed>
20			NOTE: has been replaced by poppler-utils, only present in sarge/etch
21			- kdegraphics <unfixed> (static; bug #436164)
22			NOTE: the kpdf replacement in KDE 4 is using poppler
23			- tetex-bin 3.0-12 (dynamic)
24			NOTE: links to poppler
25			- texlive-bin <unknown> (dynamic)
26			NOTE: links to poppler
27			- koffice <unfixed> (static; bug #436163)
28			- libextractor 0.5.12-1 (static)
29			NOTE: libextractor is using its own pdf decoder
30			- libextractor 0.5.12-1 (dynamic)
31			NOTE: links to poppler
32			- pdfkit.framework 0.8-4 (dynamic)
33			NOTE: links to poppler
34			- ipe <unfixed> (static)
35			NOTE: embeds small parts with renamed source files: ipestdfonts.cpp, ipefonts.cpp, ipedct.cpp
36			- ruby-gnome2 <unknown> (dynamic)
37			NOTE: copy only present in source but links to poppler
38
39	nion	6965	silc-toolkit:
40			silc-client (uses libsilc and libsilcclient)
41
42	nion	6967	dietlibc:
43			ccontrol (links statically)
44
45	nion	6969	libiax:
46			iaxmodem
47
48	jmm-guest	3042	zlib code: (lots of apps embed a copy, but link dynamically, but there are a few exceptions)
49	jmm-guest	1586	dpkg
50	jmm-guest	3042	rsync (somehow derived code base)
51	nion	7135	mono
52	jmm-guest	1586	mozilla(?)
53			Linux kernels
54	jmm-guest	2380	pvpgn (links dynamically since 1.7.8-2)
55	jmm-guest	3428	mrtg (links dynamically since 2.12.2-1)
56	stef-guest	5320	rpm
57	jmm-guest	1586
58	stef-guest	5320	libbz2:
59			dpkg (statically linked)
60
61	jmm-guest	1586	libgadu/ekg:
62			centericq
63	jmm-guest	1593	gaim
64	jmm-guest	7463	pigdin (links dynamically against libgadu)
65	jmm-guest	1588	kopete (ships the code, but links dynamically in the Debian package)
66	jmm-guest	1599	kadu (not packaged in Debian)
67	jmm-guest	3042	GNU gadu (not yet packaged in Debian)
68	jmm-guest	1586
69	jmm-guest	1588	xmlrpc: (which package is the "origin" of this code?)
70			drupal
71			phpgroupware
72			egroupware
73			phpwiki
74			php4 (php-pear, IIRC this was reorganized some weeks ago?)
75	jmm-guest	1586
76	jmm-guest	1588	shtool: (affects build-time only)
77			mysql-ocaml
78			php4
79
80			mozilla:
81			mozilla-firefox
82			mozilla-thunderbird
83	stef-guest	5320	firefox (to be removed)
84			thunderbird (to be removed)
85			iceweasel
86			iceape
87			icedove
88			xulrunner
89			nvu (no longer in Debian)
90	jmm-guest	1588
91			xli:
92			xloadimage
93
94	jmm-guest	3042	lesstif: (beware: two different lesstif APIs supported in one package, MOTIF 1.2 discarded upstream)
95	jmm-guest	1588	openmotif
96	jmm-guest	3042	xfree86/xorg (in libxpm)
97	jmm-guest	1588
98			kerberized apps with BSD origin:
99			krb4
100			krb5
101			heimdal
102
103			grip: (which pkg is the origin?)
104			libcdaudio
105			grip
106			gnome-vfs (vfs2 as well?)
107	stef-guest	1608
108			fudforum:
109			phpgroupware-fudforum
110	stef-guest	5320	egroupware-fudforum (removed from egroupware after sarge)
111	jmm-guest	1670
112			cvs:
113	jmm-guest	1755	gcvs (at least an additional script is included, check if there's more)
114	jmm-guest	1684
115			pcre:
116	jmm-guest	3042	all pythons
117	jmm-guest	1757	php4 (src included, but Debian package links dynamically)
118	joeyh	1834	analog (src included, but Debian package links dynamically)
119			libgoffice-1
120	nion	7629	vfu (removed linking against embedded copy in 4.06-4.1; #450754)
121	jmm-guest	2068	tf5 (since 5.0beta7 the Debian package links dynamically)
122	nion	7136	monotone (including this starting from 0.37)
123	micah	7271	glib (2.14 series for gregex support, only for udeb, regular packag links dynamic)
124	jamie-guest	7367	apache2 (since 2.0.53-4 uses 040_link_external_pcre patch)
125	jamie-guest	7368	exim4 (since 4.10-0.srh20.12 uses 36_pcre patch to use external pcre)
126	nion	7627	yacas (<= 1.0.x; is using pcre to scan text, can execute shell commands via the syntax anyway)
127	stef-guest	7683	gtamsanalyzer.app (links dynamically since 0.42-5)
128	jmm-guest	1758
129			tiff:
130			wxpythongtk (check, which debian pkg this is in)
131			older kdegraphics/kpdf releases < 3.3 embedded a copy
132	joeyh	1802
133			uudeview:
134			libconvert-uulib-perl
135	jmm-guest	1824
136			sqlite: (not affected by security vulnerabilities so far)
137			amarok
138	stef-guest	6985	monotone
139	jmm-guest	7212	iceweasel
140	jmm-guest	1828
141	jmm-guest	2037	util-linux/mount:
142			loop-aes-utils contains code from util-linux' mount in the mount-aes-udeb
143	jmm-guest	2104
144			webmin:
145	stef-guest	5320	usermin (only in sarge)
146	jmm-guest	2714
147			sylpheed:
148			sylpheed-claws
149	jmm-guest	2751
150			phpsysinfo:
151			egroupware
152	jmm-guest	2800	phpgroupware
153
154			phpldapadmin:
155	stef-guest	5320	egroupware (removed from egroupware after sarge)
156	jmm-guest	2800
157	jmm-guest	2889	chmlib:
158	nion	7385	kchmviewer (ships the code but links dynamically)
159	jmm-guest	2800
160	jmm-guest	7214	libavcodec/libavformat (source: ffmpeg):
161			mplayer (#395252)
162	stef-guest	5320	xvidcap
163	jmm-guest	3075	kino (links statically, does not include code)
164			vlc (links statically, does not include code)
165			smilutils (links statically, does not include code)
166			motion (links statically, does not include code)
167	fw	3061	gst-ffmpeg
168	stef-guest	5048	gstreamer0.10-ffmpeg
169			xmovie
170	jmm-guest	2948
171			mad MPEG decoding lib:
172			mad
173			xine-lib
174
175			libdts:
176			libdts
177			xine-lib
178
179			flac:
180			flac
181			xine-lib
182
183			liba52:
184			a52dec
185			xine-lib
186
187			libmpeg2:
188			mpeg2dec
189			xine-lib
190
191	jmm-guest	2965	curl:
192			wget (code for NTLM authentication)
193	jmm-guest	3093
194			TODO evaluate:
195	jmm-guest	3320	gimp-gap (potentially using ffmpeg code as well)
196
197			uw-imap:
198			pine
199	stef-guest	6985	alpine
200	jmm-guest	3402
201			imagemagick:
202	micah	3537	graphicsmagick
203
204			halibut:
205			nsis
206
207			libghttp:
208			hotway
209
210	nion	6869	libsndfile:
211			ardour
212
213			glibmm2.4:
214			ardour
215
216			libgnomecanvasmm2.6:
217			ardour
218
219			libsigc++-2.0:
220			ardour
221
222			soundtouch:
223			ardour
224
225	stef-guest	4495	libmms:
226			xine-lib
227			mimms
228	stef-guest	4517
229	jmm-guest	7383	FCKeditor: (packaged as fckeditor)
230	stef-guest	4517	knowledgeroot
231	jmm-guest	7383	moin (452599)
232			karrigell (452598)
233	jmm-guest	7384	gforge-plugins-extra (fixed since 4.6.99+svn6225-1)
234	stef-guest	4517
235	jmm-guest	7383
236
237	neilm	4838	Moodle contains lots of things:
238			AdoDB
239			AdoDB-XML Schema
240			ipatlas
241			PHPMailer
242			Smarty
243			htmlArea
244			TinyMCE
245			bennu
246
247	stef-guest	4517	TinyMCE:
248			wordpress
249			moodle
250			knowledgeroot
251			joomla (ITP)
252
253	micah	4767	scintilla:
254	micah	4561	scite
255			qscintilla
256	micah	7091	qscintilla2
257	micah	4561	geany
258	stef-guest	4706
259	micah	4767	libphp-adodb:
260	stef-guest	4706	gallery2
261			phppgadmin
262			egroupware
263			phpwiki
264	nion	7236	ipplan
265	nion	7226	typo3
266	stef-guest	4706	moodle
267	neilm	4835	cacti (dependency exists, but internal version is used -- only in sarge, fixed in etch)
268	stef-guest	4706
269	micah	4767	gzip:
270			linux-kernel (lib/inflate.c)
271			klibc (based on linux-kernel gzip code)
272	micah	4808	busybox
273	micah	4767
274	neilm	4891	neon:
275			cadaver (all, but being worked on: #188381)
276			gnome-vfs2 (#395874)
277			litmus (#395875)
278			screem (sarge only)
279			sitecopy (#395876)
280			tla (etch/sid only: #395877)
281	stef-guest	5319
282			libmodplug:
283			gst-plugins-bad0.10
284	stef-guest	5320
285			libvncserver:
286			vino
287
288			putty:
289			filezilla
290
291			tinyxml (not packaged in Debian):
292			filezilla
293
294			gv:
295			evince (ps/ tree from gv 3.5.8)
296			evince-gtk (not packaged in Debian)
297	stef-guest	5321
298			libXbae:
299			libpawlib2-lesstif package (from Cernlib)
300
301			libXaw:
302			libpawlib2-lesstif package (from Cernlib)
303
304			(I plan to deal with the above two cases after Etch release. -- KevinMcCarty)
305
306			libgd2:
307			graphviz (lib/gd seems to be 2.0.33)
308	stef-guest	5440
309			rar:
310			unrar-nonfree
311
312			unrar-free: (maybe this code is derived from the original rar, too?)
313			clamav (seems to be disabled in default config)
314
315	keescook-guest	5526	mplayer (DirectMedia Object loader):
316			xine-lib (src/libw32dll/)
317			vlc (modules/codec/dmo/)
318	alec-guest	5564
319			libwpd (WordPerfect converter):
320			openoffice.org
321	keescook-guest	6298
322			fsplib (http://sourceforge.net/projects/fsp/):
323			gftp (lib/fsplib version 0.3)
324	keescook-guest	6498
325			librpcsecgss:
326			krb5
327	stef-guest	6985
328	keescook-guest	7007	jasper:
329			ghostscript
330			gs-gpl
331
332	nion	7136	libidn:
333			monotone
334	micah	7134
335	nion	7136	liblua:
336			monotone
337
338			libbotan:
339			montone
340
341			NetXX:
342			monotone
343
344	nion	7135	libgc:
345			mono
346	white	7203
347	jmm-guest	7212	lzma:
348			p7zip
349
350			lzo:
351			grub2
352
353	white	7203	pax code:
354			tar
355			cpio
356	jamie-guest	7487
357			t1lib:
358	jamie-guest	7503	tetex-bin (links to system t1lib since 2.0.2)
359			texlive-bin (links to system t1lib)
360	jamie-guest	7487