Contents of /data/embedded-code-copies

Embedded code copies
====================

This file collects cases, where a source package embeds code from
other projects which is considered bad for fixing security flaws
because the fix needs to be applied in multiple source packages.

Format:
<srcpkg> (<optional comment about srcpkg>)
        - <embedding srcpkg> <status> (<sort>; bug #<number>)
        NOTE: optional comments about the linkage of the embedding srcpkg

status: version number fixing the embedded copy, <unfixed>, <removed> or <unknown> if the version number can not be determined
sort: static/dynamic

xpdf (some srcpkgs use xpdf2 code, some xpdf3 code)
        - gpdf <removed>
        [sarge] - gpdf <unfixed>
        NOTE: has been replaced by evince in etch
        - pdftohtml <unknown>
        [sarge] - pdftohtml <unfixed>
        [etch] - pdftohtml <unfixed>
        NOTE: has been replaced by poppler-utils
        - kdegraphics <unfixed> (static; bug #436164)
        NOTE: the kpdf replacement in KDE 4 is using poppler
        - tetex-bin 3.0-12 (dynamic)
        NOTE: links to poppler
        - texlive-bin <unknown> (dynamic)
        NOTE: links to poppler
        - koffice <unfixed> (static; bug #436163)
        - libextractor 0.5.12-1 (static)
        NOTE: libextractor is using its own pdf decoder
        - libextractor 0.5.12-1 (dynamic)
        NOTE: links to poppler
        - pdfkit.framework 0.8-4 (dynamic)
        NOTE: links to poppler
        - ipe <unfixed> (static)
        NOTE: embeds small parts with renamed source files: ipestdfonts.cpp, ipefonts.cpp, ipedct.cpp
        - ruby-gnome2 <unknown> (dynamic)
        NOTE: copy only present in source but links to poppler

silc-toolkit:
silc-client (uses libsilc and libsilcclient)

dietlibc:
ccontrol (links statically)

libiax:
iaxmodem

zlib code: (lots of apps embed a copy, but link dynamically, but there are a few exceptions)
dpkg
rsync (somehow derived code base)
mono
mozilla(?)
Linux kernels
pvpgn (links dynamically since 1.7.8-2)
mrtg (links dynamically since 2.12.2-1)
rpm

libbz2:
dpkg (statically linked)

libgadu/ekg:
centericq
gaim
pigdin (links dynamically against libgadu)
kopete (ships the code, but links dynamically in the Debian package)
kadu (not packaged in Debian)
GNU gadu (not yet packaged in Debian)

xmlrpc: (which package is the "origin" of this code?)
drupal
phpgroupware
egroupware
phpwiki
php4 (php-pear, IIRC this was reorganized some weeks ago?)

shtool: (affects build-time only)
mysql-ocaml
php4 

mozilla:
mozilla-firefox
mozilla-thunderbird
firefox (to be removed)
thunderbird (to be removed)
iceweasel
iceape
icedove
xulrunner
nvu (no longer in Debian)

xli:
xloadimage

lesstif: (beware: two different lesstif APIs supported in one package, MOTIF 1.2 discarded upstream)
openmotif
xfree86/xorg (in libxpm)

kerberized apps with BSD origin:
krb4
krb5
heimdal

grip: (which pkg is the origin?)
libcdaudio
grip
gnome-vfs (vfs2 as well?)

fudforum:
phpgroupware-fudforum
egroupware-fudforum (removed from egroupware after sarge)

cvs:
gcvs (at least an additional script is included, check if there's more)

pcre:
all pythons
php4 (src included, but Debian package links dynamically)
analog (src included, but Debian package links dynamically)
libgoffice-1
vfu (removed linking against embedded copy in 4.06-4.1; #450754)
tf5 (since 5.0beta7 the Debian package links dynamically)
monotone (including this starting from 0.37)
glib (2.14 series for gregex support, only for udeb, regular packag links dynamic)
apache2 (since 2.0.53-4 uses 040_link_external_pcre patch)
exim4 (since 4.10-0.srh20.12 uses 36_pcre patch to use external pcre)
yacas (<= 1.0.x; is using pcre to scan text, can execute shell commands via the syntax anyway)
gtamsanalyzer.app (links dynamically since 0.42-5)

tiff:
wxpythongtk (check, which debian pkg this is in)
older kdegraphics/kpdf releases < 3.3 embedded a copy

uudeview:
libconvert-uulib-perl

sqlite: (not affected by security vulnerabilities so far)
amarok
monotone
iceweasel

util-linux/mount:
loop-aes-utils contains code from util-linux' mount in the mount-aes-udeb

webmin:
usermin (only in sarge)

sylpheed:
sylpheed-claws

phpsysinfo:
egroupware
phpgroupware

phpldapadmin:
egroupware (removed from egroupware after sarge)

chmlib:
kchmviewer (ships the code but links dynamically)

libavcodec/libavformat (source: ffmpeg):
mplayer (#395252)
xvidcap
kino (links statically, does not include code)
vlc (links statically, does not include code)
smilutils (links statically, does not include code)
motion (links statically, does not include code)
gst-ffmpeg
gstreamer0.10-ffmpeg
xmovie

mad MPEG decoding lib:
mad
xine-lib

libdts:
libdts
xine-lib

flac:
flac
xine-lib

liba52:
a52dec
xine-lib

libmpeg2:
mpeg2dec
xine-lib

curl:
wget (code for NTLM authentication)

TODO evaluate:
gimp-gap (potentially using ffmpeg code as well)

uw-imap:
pine
alpine

imagemagick:
graphicsmagick

halibut:
nsis

libghttp:
hotway

libsndfile:
ardour

glibmm2.4:
ardour

libgnomecanvasmm2.6:
ardour

libsigc++-2.0:
ardour

soundtouch:
ardour

libmms:
xine-lib
mimms

FCKeditor: (packaged as fckeditor)
knowledgeroot
moin (452599)
karrigell (452598)
gforge-plugins-extra (fixed since 4.6.99+svn6225-1)


Moodle contains lots of things:
AdoDB
AdoDB-XML Schema
ipatlas
PHPMailer
Smarty
htmlArea
TinyMCE
bennu

TinyMCE:
wordpress
moodle
knowledgeroot
joomla (ITP)

scintilla:
scite
qscintilla 
qscintilla2 
geany

libphp-adodb:
gallery2
phppgadmin
egroupware
phpwiki
ipplan
typo3
moodle
cacti (dependency exists, but internal version is used -- only in sarge, fixed in etch)

gzip:
linux-kernel (lib/inflate.c)
klibc (based on linux-kernel gzip code)
busybox

neon:
cadaver (all, but being worked on: #188381)
gnome-vfs2 (#395874)
litmus (#395875)
screem (sarge only)
sitecopy (#395876)
tla (etch/sid only: #395877)

libmodplug:
gst-plugins-bad0.10

libvncserver:
vino

putty:
filezilla

tinyxml (not packaged in Debian):
filezilla

gv:
evince (ps/ tree from gv 3.5.8)
evince-gtk (not packaged in Debian)

libXbae:
libpawlib2-lesstif package (from Cernlib)

libXaw:
libpawlib2-lesstif package (from Cernlib)

(I plan to deal with the above two cases after Etch release. -- KevinMcCarty)

libgd2:
graphviz (lib/gd seems to be 2.0.33)

rar:
unrar-nonfree

unrar-free: (maybe this code is derived from the original rar, too?)
clamav (seems to be disabled in default config)

mplayer (DirectMedia Object loader):
xine-lib (src/libw32dll/)
vlc (modules/codec/dmo/)

libwpd (WordPerfect converter):
openoffice.org

fsplib (http://sourceforge.net/projects/fsp/):
gftp (lib/fsplib version 0.3)

librpcsecgss:
krb5

jasper:
ghostscript
gs-gpl

libidn:
monotone

liblua:
monotone

libbotan:
montone

NetXX:
monotone

libgc:
mono

lzma:
p7zip

lzo:
grub2

pax code:
tar
cpio

t1lib:
tetex-bin (links to system t1lib since 2.0.2)
texlive-bin (links to system t1lib)

1	nion	7695	Embedded code copies
2			====================
3
4	jmm-guest	1586	This file collects cases, where a source package embeds code from
5	nion	7695	other projects which is considered bad for fixing security flaws
6			because the fix needs to be applied in multiple source packages.
7	jmm-guest	1586
8	nion	7695	Format:
9			<srcpkg> (<optional comment about srcpkg>)
10			- <embedding srcpkg> <status> (<sort>; bug #<number>)
11			NOTE: optional comments about the linkage of the embedding srcpkg
12
13	nion	7697	status: version number fixing the embedded copy, <unfixed>, <removed> or <unknown> if the version number can not be determined
14	nion	7696	sort: static/dynamic
15	jmm-guest	1586
16	nion	7696	xpdf (some srcpkgs use xpdf2 code, some xpdf3 code)
17	nion	7697	- gpdf <removed>
18			[sarge] - gpdf <unfixed>
19			NOTE: has been replaced by evince in etch
20			- pdftohtml <unknown>
21			[sarge] - pdftohtml <unfixed>
22			[etch] - pdftohtml <unfixed>
23			NOTE: has been replaced by poppler-utils
24	nion	7696	- kdegraphics <unfixed> (static; bug #436164)
25			NOTE: the kpdf replacement in KDE 4 is using poppler
26			- tetex-bin 3.0-12 (dynamic)
27			NOTE: links to poppler
28			- texlive-bin <unknown> (dynamic)
29			NOTE: links to poppler
30			- koffice <unfixed> (static; bug #436163)
31			- libextractor 0.5.12-1 (static)
32			NOTE: libextractor is using its own pdf decoder
33			- libextractor 0.5.12-1 (dynamic)
34			NOTE: links to poppler
35			- pdfkit.framework 0.8-4 (dynamic)
36			NOTE: links to poppler
37			- ipe <unfixed> (static)
38			NOTE: embeds small parts with renamed source files: ipestdfonts.cpp, ipefonts.cpp, ipedct.cpp
39			- ruby-gnome2 <unknown> (dynamic)
40			NOTE: copy only present in source but links to poppler
41
42	nion	6965	silc-toolkit:
43			silc-client (uses libsilc and libsilcclient)
44
45	nion	6967	dietlibc:
46			ccontrol (links statically)
47
48	nion	6969	libiax:
49			iaxmodem
50
51	jmm-guest	3042	zlib code: (lots of apps embed a copy, but link dynamically, but there are a few exceptions)
52	jmm-guest	1586	dpkg
53	jmm-guest	3042	rsync (somehow derived code base)
54	nion	7135	mono
55	jmm-guest	1586	mozilla(?)
56			Linux kernels
57	jmm-guest	2380	pvpgn (links dynamically since 1.7.8-2)
58	jmm-guest	3428	mrtg (links dynamically since 2.12.2-1)
59	stef-guest	5320	rpm
60	jmm-guest	1586
61	stef-guest	5320	libbz2:
62			dpkg (statically linked)
63
64	jmm-guest	1586	libgadu/ekg:
65			centericq
66	jmm-guest	1593	gaim
67	jmm-guest	7463	pigdin (links dynamically against libgadu)
68	jmm-guest	1588	kopete (ships the code, but links dynamically in the Debian package)
69	jmm-guest	1599	kadu (not packaged in Debian)
70	jmm-guest	3042	GNU gadu (not yet packaged in Debian)
71	jmm-guest	1586
72	jmm-guest	1588	xmlrpc: (which package is the "origin" of this code?)
73			drupal
74			phpgroupware
75			egroupware
76			phpwiki
77			php4 (php-pear, IIRC this was reorganized some weeks ago?)
78	jmm-guest	1586
79	jmm-guest	1588	shtool: (affects build-time only)
80			mysql-ocaml
81			php4
82
83			mozilla:
84			mozilla-firefox
85			mozilla-thunderbird
86	stef-guest	5320	firefox (to be removed)
87			thunderbird (to be removed)
88			iceweasel
89			iceape
90			icedove
91			xulrunner
92			nvu (no longer in Debian)
93	jmm-guest	1588
94			xli:
95			xloadimage
96
97	jmm-guest	3042	lesstif: (beware: two different lesstif APIs supported in one package, MOTIF 1.2 discarded upstream)
98	jmm-guest	1588	openmotif
99	jmm-guest	3042	xfree86/xorg (in libxpm)
100	jmm-guest	1588
101			kerberized apps with BSD origin:
102			krb4
103			krb5
104			heimdal
105
106			grip: (which pkg is the origin?)
107			libcdaudio
108			grip
109			gnome-vfs (vfs2 as well?)
110	stef-guest	1608
111			fudforum:
112			phpgroupware-fudforum
113	stef-guest	5320	egroupware-fudforum (removed from egroupware after sarge)
114	jmm-guest	1670
115			cvs:
116	jmm-guest	1755	gcvs (at least an additional script is included, check if there's more)
117	jmm-guest	1684
118			pcre:
119	jmm-guest	3042	all pythons
120	jmm-guest	1757	php4 (src included, but Debian package links dynamically)
121	joeyh	1834	analog (src included, but Debian package links dynamically)
122			libgoffice-1
123	nion	7629	vfu (removed linking against embedded copy in 4.06-4.1; #450754)
124	jmm-guest	2068	tf5 (since 5.0beta7 the Debian package links dynamically)
125	nion	7136	monotone (including this starting from 0.37)
126	micah	7271	glib (2.14 series for gregex support, only for udeb, regular packag links dynamic)
127	jamie-guest	7367	apache2 (since 2.0.53-4 uses 040_link_external_pcre patch)
128	jamie-guest	7368	exim4 (since 4.10-0.srh20.12 uses 36_pcre patch to use external pcre)
129	nion	7627	yacas (<= 1.0.x; is using pcre to scan text, can execute shell commands via the syntax anyway)
130	stef-guest	7683	gtamsanalyzer.app (links dynamically since 0.42-5)
131	jmm-guest	1758
132			tiff:
133			wxpythongtk (check, which debian pkg this is in)
134			older kdegraphics/kpdf releases < 3.3 embedded a copy
135	joeyh	1802
136			uudeview:
137			libconvert-uulib-perl
138	jmm-guest	1824
139			sqlite: (not affected by security vulnerabilities so far)
140			amarok
141	stef-guest	6985	monotone
142	jmm-guest	7212	iceweasel
143	jmm-guest	1828
144	jmm-guest	2037	util-linux/mount:
145			loop-aes-utils contains code from util-linux' mount in the mount-aes-udeb
146	jmm-guest	2104
147			webmin:
148	stef-guest	5320	usermin (only in sarge)
149	jmm-guest	2714
150			sylpheed:
151			sylpheed-claws
152	jmm-guest	2751
153			phpsysinfo:
154			egroupware
155	jmm-guest	2800	phpgroupware
156
157			phpldapadmin:
158	stef-guest	5320	egroupware (removed from egroupware after sarge)
159	jmm-guest	2800
160	jmm-guest	2889	chmlib:
161	nion	7385	kchmviewer (ships the code but links dynamically)
162	jmm-guest	2800
163	jmm-guest	7214	libavcodec/libavformat (source: ffmpeg):
164			mplayer (#395252)
165	stef-guest	5320	xvidcap
166	jmm-guest	3075	kino (links statically, does not include code)
167			vlc (links statically, does not include code)
168			smilutils (links statically, does not include code)
169			motion (links statically, does not include code)
170	fw	3061	gst-ffmpeg
171	stef-guest	5048	gstreamer0.10-ffmpeg
172			xmovie
173	jmm-guest	2948
174			mad MPEG decoding lib:
175			mad
176			xine-lib
177
178			libdts:
179			libdts
180			xine-lib
181
182			flac:
183			flac
184			xine-lib
185
186			liba52:
187			a52dec
188			xine-lib
189
190			libmpeg2:
191			mpeg2dec
192			xine-lib
193
194	jmm-guest	2965	curl:
195			wget (code for NTLM authentication)
196	jmm-guest	3093
197			TODO evaluate:
198	jmm-guest	3320	gimp-gap (potentially using ffmpeg code as well)
199
200			uw-imap:
201			pine
202	stef-guest	6985	alpine
203	jmm-guest	3402
204			imagemagick:
205	micah	3537	graphicsmagick
206
207			halibut:
208			nsis
209
210			libghttp:
211			hotway
212
213	nion	6869	libsndfile:
214			ardour
215
216			glibmm2.4:
217			ardour
218
219			libgnomecanvasmm2.6:
220			ardour
221
222			libsigc++-2.0:
223			ardour
224
225			soundtouch:
226			ardour
227
228	stef-guest	4495	libmms:
229			xine-lib
230			mimms
231	stef-guest	4517
232	jmm-guest	7383	FCKeditor: (packaged as fckeditor)
233	stef-guest	4517	knowledgeroot
234	jmm-guest	7383	moin (452599)
235			karrigell (452598)
236	jmm-guest	7384	gforge-plugins-extra (fixed since 4.6.99+svn6225-1)
237	stef-guest	4517
238	jmm-guest	7383
239
240	neilm	4838	Moodle contains lots of things:
241			AdoDB
242			AdoDB-XML Schema
243			ipatlas
244			PHPMailer
245			Smarty
246			htmlArea
247			TinyMCE
248			bennu
249
250	stef-guest	4517	TinyMCE:
251			wordpress
252			moodle
253			knowledgeroot
254			joomla (ITP)
255
256	micah	4767	scintilla:
257	micah	4561	scite
258			qscintilla
259	micah	7091	qscintilla2
260	micah	4561	geany
261	stef-guest	4706
262	micah	4767	libphp-adodb:
263	stef-guest	4706	gallery2
264			phppgadmin
265			egroupware
266			phpwiki
267	nion	7236	ipplan
268	nion	7226	typo3
269	stef-guest	4706	moodle
270	neilm	4835	cacti (dependency exists, but internal version is used -- only in sarge, fixed in etch)
271	stef-guest	4706
272	micah	4767	gzip:
273			linux-kernel (lib/inflate.c)
274			klibc (based on linux-kernel gzip code)
275	micah	4808	busybox
276	micah	4767
277	neilm	4891	neon:
278			cadaver (all, but being worked on: #188381)
279			gnome-vfs2 (#395874)
280			litmus (#395875)
281			screem (sarge only)
282			sitecopy (#395876)
283			tla (etch/sid only: #395877)
284	stef-guest	5319
285			libmodplug:
286			gst-plugins-bad0.10
287	stef-guest	5320
288			libvncserver:
289			vino
290
291			putty:
292			filezilla
293
294			tinyxml (not packaged in Debian):
295			filezilla
296
297			gv:
298			evince (ps/ tree from gv 3.5.8)
299			evince-gtk (not packaged in Debian)
300	stef-guest	5321
301			libXbae:
302			libpawlib2-lesstif package (from Cernlib)
303
304			libXaw:
305			libpawlib2-lesstif package (from Cernlib)
306
307			(I plan to deal with the above two cases after Etch release. -- KevinMcCarty)
308
309			libgd2:
310			graphviz (lib/gd seems to be 2.0.33)
311	stef-guest	5440
312			rar:
313			unrar-nonfree
314
315			unrar-free: (maybe this code is derived from the original rar, too?)
316			clamav (seems to be disabled in default config)
317
318	keescook-guest	5526	mplayer (DirectMedia Object loader):
319			xine-lib (src/libw32dll/)
320			vlc (modules/codec/dmo/)
321	alec-guest	5564
322			libwpd (WordPerfect converter):
323			openoffice.org
324	keescook-guest	6298
325			fsplib (http://sourceforge.net/projects/fsp/):
326			gftp (lib/fsplib version 0.3)
327	keescook-guest	6498
328			librpcsecgss:
329			krb5
330	stef-guest	6985
331	keescook-guest	7007	jasper:
332			ghostscript
333			gs-gpl
334
335	nion	7136	libidn:
336			monotone
337	micah	7134
338	nion	7136	liblua:
339			monotone
340
341			libbotan:
342			montone
343
344			NetXX:
345			monotone
346
347	nion	7135	libgc:
348			mono
349	white	7203
350	jmm-guest	7212	lzma:
351			p7zip
352
353			lzo:
354			grub2
355
356	white	7203	pax code:
357			tar
358			cpio
359	jamie-guest	7487
360			t1lib:
361	jamie-guest	7503	tetex-bin (links to system t1lib since 2.0.2)
362			texlive-bin (links to system t1lib)
363	jamie-guest	7487