Contents of /data/embedded-code-copies

Revision 7743
Fri Dec 28 16:38:52 2007 UTC (5 years, 4 months ago) by jmm-guest
File size: 6790 byte(s)
record fix for texlive
simplify a bit

Embedded code copies
====================

This file collects cases where a source package embeds code from
other projects. This is considered bad for fixing security flaws
because the fix needs to be applied in multiple source packages.

Format:
    <srcpkg> (<optional comment about srcpkg>)
        - <embedding srcpkg> <status> (<sort>; bug #<number>)
        NOTE: optional comments about the linkage of the embedding srcpkg

    status: version number fixing the embedded copy, <unfixed>, <removed> or <unknown> if the version number cannot be determined
    sort: static (linking statically against a lib), embed (embedding a copy of the library into another source package)

xpdf (some srcpkgs use xpdf2 code, some xpdf3 code)
    NOTE: Fixed packages link to poppler library unless otherwise noted
    - gpdf <removed>
    [sarge] - gpdf <unfixed>
    NOTE: has been replaced by evince in etch
    - pdftohtml <unknown>
    [sarge] - pdftohtml <unfixed>
    [etch] - pdftohtml <unfixed>
    NOTE: has been replaced by poppler-utils
    - kdegraphics <unfixed> (embed; bug #436164)
    NOTE: the kpdf replacement in KDE 4 is using poppler
    - tetex-bin 3.0-12 (embed)
    - texlive-bin 2007-1 (embed)
    NOTE: links to poppler
    - koffice <unfixed> (embed; bug #436163)
    - libextractor 0.5.12-1 (embed)
    NOTE: libextractor is using its own pdf decoder now
    - libextractor 0.5.12-1 (embed)
    - pdfkit.framework 0.8-4 (embed)
    - ipe <unfixed> (embed)
    NOTE: embeds small parts with renamed source files: ipestdfonts.cpp, ipefonts.cpp, ipedct.cpp
    - ruby-gnome2 <unknown> (embed)
    NOTE: copy only present in source but links to poppler

silc-toolkit:
    - silc-client 1.1~beta6-1 (embed)

dietlibc:
    - ccontrol 0.9.1+20071204-1 (static)

libiax:
    - iaxmodem <unfixed> (embed)

zlib code: (lots of apps embed a copy, but link dynamically, but there are a few exceptions)
    dpkg
    rsync (somehow derived code base)
    mono
    mozilla(?)
    Linux kernels
    pvpgn (links dynamically since 1.7.8-2)
    mrtg (links dynamically since 2.12.2-1)
    rpm

libbz2:
    dpkg (statically linked)

libgadu/ekg:
    centericq
    gaim
    pidgin (links dynamically against libgadu)
    kopete (ships the code, but links dynamically in the Debian package)
    kadu (not packaged in Debian)
    GNU gadu (not yet packaged in Debian)

xmlrpc: (which package is the "origin" of this code?)
    drupal
    phpgroupware
    egroupware
    phpwiki
    php4 (php-pear, IIRC this was reorganized some weeks ago?)

shtool: (affects build-time only)
    mysql-ocaml
    php4

mozilla:
    mozilla-firefox
    mozilla-thunderbird
    firefox (to be removed)
    thunderbird (to be removed)
    iceweasel
    iceape
    icedove
    xulrunner
    nvu (no longer in Debian)

xli:
    xloadimage

lesstif: (beware: two different lesstif APIs supported in one package, MOTIF 1.2 discarded upstream)
    openmotif
    xfree86/xorg (in libxpm)

kerberized apps with BSD origin:
    krb4
    krb5
    heimdal

grip: (which pkg is the origin?)
    libcdaudio
    grip
    gnome-vfs (vfs2 as well?)

fudforum:
    phpgroupware-fudforum
    egroupware-fudforum (removed from egroupware after sarge)

cvs:
    gcvs (at least an additional script is included, check if there's more)

pcre:
    all pythons
    php4 (src included, but Debian package links dynamically)
    analog (src included, but Debian package links dynamically)
    libgoffice-1
    vfu (removed linking against embedded copy in 4.06-4.1; #450754)
    tf5 (since 5.0beta7 the Debian package links dynamically)
    monotone (including this starting from 0.37)
    glib (2.14 series for gregex support, only for udeb, regular package links dynamic)
    apache2 (since 2.0.53-4 uses 040_link_external_pcre patch)
    exim4 (since 4.10-0.srh20.12 uses 36_pcre patch to use external pcre)
    yacas (<= 1.0.x; is using pcre to scan text, can execute shell commands via the syntax anyway)
    gtamsanalyzer.app (links dynamically since 0.42-5)

tiff:
    wxpythongtk (check, which debian pkg this is in)
    older kdegraphics/kpdf releases < 3.3 embedded a copy

uudeview:
    libconvert-uulib-perl

sqlite: (not affected by security vulnerabilities so far)
    amarok
    monotone
    iceweasel

util-linux/mount:
    loop-aes-utils contains code from util-linux' mount in the mount-aes-udeb

webmin:
    usermin (only in sarge)

sylpheed:
    sylpheed-claws

phpsysinfo:
    egroupware
    phpgroupware

phpldapadmin:
    egroupware (removed from egroupware after sarge)

chmlib:
    kchmviewer (ships the code but links dynamically)

libavcodec/libavformat (source: ffmpeg):
    mplayer (#395252)
    xvidcap
    kino (links statically, does not include code)
    vlc (links statically, does not include code)
    smilutils (links statically, does not include code)
    motion (links statically, does not include code)
    gst-ffmpeg
    gstreamer0.10-ffmpeg
    xmovie

mad MPEG decoding lib:
    mad
    xine-lib

libdts:
    libdts
    xine-lib

flac:
    flac
    xine-lib

liba52:
    a52dec
    xine-lib

libmpeg2:
    mpeg2dec
    xine-lib

curl:
    wget (code for NTLM authentication)

TODO evaluate:
    gimp-gap (potentially using ffmpeg code as well)

uw-imap:
    pine
    alpine

imagemagick:
    graphicsmagick

halibut:
    nsis

libghttp:
    hotway

libsndfile:
    ardour

glibmm2.4:
    ardour

libgnomecanvasmm2.6:
    ardour

libsigc++-2.0:
    ardour

soundtouch:
    ardour

libmms:
    xine-lib
    mimms

FCKeditor: (packaged as fckeditor)
    knowledgeroot
    moin (452599)
    karrigell (452598)
    gforge-plugins-extra (fixed since 4.6.99+svn6225-1)

Moodle contains lots of things:
    AdoDB
    AdoDB-XML Schema
    ipatlas
    PHPMailer
    Smarty
    htmlArea
    TinyMCE
    bennu

TinyMCE:
    wordpress
    moodle
    knowledgeroot
    joomla (ITP)

scintilla:
    scite
    qscintilla
    qscintilla2
    geany

libphp-adodb:
    gallery2
    phppgadmin
    egroupware
    phpwiki
    ipplan
    typo3
    moodle
    cacti (dependency exists, but internal version is used -- only in sarge, fixed in etch)

gzip:
    linux-kernel (lib/inflate.c)
    klibc (based on linux-kernel gzip code)
    busybox

neon:
    cadaver (all, but being worked on: #188381)
    gnome-vfs2 (#395874)
    litmus (#395875)
    screem (sarge only)
    sitecopy (#395876)
    tla (etch/sid only: #395877)

libmodplug:
    gst-plugins-bad0.10

libvncserver:
    vino

putty:
    filezilla

tinyxml (not packaged in Debian):
    filezilla

gv:
    evince (ps/ tree from gv 3.5.8)
    evince-gtk (not packaged in Debian)

libXbae:
    libpawlib2-lesstif package (from Cernlib)

libXaw:
    libpawlib2-lesstif package (from Cernlib)

(I plan to deal with the above two cases after Etch release. -- KevinMcCarty)

libgd2:
    graphviz (lib/gd seems to be 2.0.33)

rar:
    unrar-nonfree

unrar-free: (maybe this code is derived from the original rar, too?)
    clamav (seems to be disabled in default config)

mplayer (DirectMedia Object loader):
    xine-lib (src/libw32dll/)
    vlc (modules/codec/dmo/)

libwpd (WordPerfect converter):
    openoffice.org

fsplib (http://sourceforge.net/projects/fsp/):
    gftp (lib/fsplib version 0.3)

librpcsecgss:
    krb5

jasper:
    ghostscript
    gs-gpl

libidn:
    monotone

liblua:
    monotone

libbotan:
    monotone

NetXX:
    monotone

libgc:
    mono

lzma:
    p7zip

lzo:
    grub2

pax code:
    tar
    cpio

t1lib:
    tetex-bin (links to system t1lib since 2.0.2)
    texlive-bin (links to system t1lib)
