Contents of /data/embedded-code-copies

Embedded code copies
====================

This file collects cases, where a source package embeds code from
other projects which is considered bad for fixing security flaws
because the fix needs to be applied in multiple source packages.

Format:
<srcpkg> (<optional comment about srcpkg>)
        - <embedding srcpkg> <status> (<sort>; bug #<number>)
        NOTE: optional comments about the linkage of the embedding srcpkg

status: version number fixing the embedded copy, <unfixed>, <removed> or <unknown> if the version number can not be determined
sort: static (linking statically against a lib), embed (embedding a copy of the library into another source package)

xpdf (some srcpkgs use xpdf2 code, some xpdf3 code)
        NOTE: Fixed packages link to poppler library unless otherwise noted
        - gpdf <removed>
        [sarge] - gpdf <unfixed>
        NOTE: has been replaced by evince in etch
        - pdftohtml <unknown>
        [sarge] - pdftohtml <unfixed>
        [etch] - pdftohtml <unfixed>
        NOTE: has been replaced by poppler-utils
        - kdegraphics <unfixed> (embed; bug #436164)
        NOTE: the kpdf replacement in KDE 4 is using poppler
        - tetex-bin 3.0-12 (embed)
        - texlive-bin 2007-1 (embed)
        NOTE: links to poppler
        - koffice <unfixed> (embed; bug #436163)
        - libextractor 0.5.12-1 (embed)
        NOTE: libextractor is using its own pdf decoder now
        - libextractor 0.5.12-1 (embed)
        - pdfkit.framework 0.8-4 (embed)
        - ipe <unfixed> (embed)
        NOTE: embeds small parts with renamed source files: ipestdfonts.cpp, ipefonts.cpp, ipedct.cpp
        - ruby-gnome2 <unknown> (embed)
        NOTE: copy only present in source but links to poppler

ppmd:
        - libcomplearn-mod-ppmd <unfixed> (embed; bug #458152)

silc-toolkit:
        - silc-client 1.1~beta6-1 (embed)

dietlibc:
        - ccontrol 0.9.1+20071204-1 (static)

libiax:
        - iaxmodem <unfixed> (embed)

zlib code: (lots of apps embed a copy, but link dynamically, but there are a few exceptions)
dpkg
rsync (somehow derived code base)
mono
mozilla(?)
Linux kernels
pvpgn (links dynamically since 1.7.8-2)
mrtg (links dynamically since 2.12.2-1)
rpm

libbz2:
dpkg (statically linked)

libgadu/ekg:
centericq
gaim
pigdin (links dynamically against libgadu)
kopete (ships the code, but links dynamically in the Debian package)
kadu (not packaged in Debian)
GNU gadu (not yet packaged in Debian)

xmlrpc: (which package is the "origin" of this code?)
drupal
phpgroupware
egroupware
phpwiki
php4 (php-pear, IIRC this was reorganized some weeks ago?)

shtool: (affects build-time only)
mysql-ocaml
php4 

mozilla:
mozilla-firefox
mozilla-thunderbird
firefox (to be removed)
thunderbird (to be removed)
iceweasel
iceape
icedove
xulrunner
nvu (no longer in Debian)

xli:
xloadimage

lesstif: (beware: two different lesstif APIs supported in one package, MOTIF 1.2 discarded upstream)
openmotif
xfree86/xorg (in libxpm)

kerberized apps with BSD origin:
krb4
krb5
heimdal

grip: (which pkg is the origin?)
libcdaudio
grip
gnome-vfs (vfs2 as well?)

fudforum:
phpgroupware-fudforum
egroupware-fudforum (removed from egroupware after sarge)

cvs:
gcvs (at least an additional script is included, check if there's more)

pcre:
all pythons
php4 (src included, but Debian package links dynamically)
analog (src included, but Debian package links dynamically)
libgoffice-1
vfu (removed linking against embedded copy in 4.06-4.1; #450754)
tf5 (since 5.0beta7 the Debian package links dynamically)
monotone (including this starting from 0.37)
glib (2.14 series for gregex support, only for udeb, regular packag links dynamic)
apache2 (since 2.0.53-4 uses 040_link_external_pcre patch)
exim4 (since 4.10-0.srh20.12 uses 36_pcre patch to use external pcre)
yacas (<= 1.0.x; is using pcre to scan text, can execute shell commands via the syntax anyway)
gtamsanalyzer.app (links dynamically since 0.42-5)

tiff:
wxpythongtk (check, which debian pkg this is in)
older kdegraphics/kpdf releases < 3.3 embedded a copy

uudeview:
libconvert-uulib-perl

sqlite: (not affected by security vulnerabilities so far)
amarok
monotone
iceweasel

util-linux/mount:
loop-aes-utils contains code from util-linux' mount in the mount-aes-udeb

webmin:
usermin (only in sarge)

sylpheed:
sylpheed-claws

phpsysinfo:
egroupware
phpgroupware

phpldapadmin:
egroupware (removed from egroupware after sarge)

chmlib:
kchmviewer (ships the code but links dynamically)

libavcodec/libavformat (source: ffmpeg):
mplayer (#395252)
xvidcap
kino (links statically, does not include code)
vlc (links statically, does not include code)
smilutils (links statically, does not include code)
motion (links statically, does not include code)
gst-ffmpeg
gstreamer0.10-ffmpeg
xmovie

mad MPEG decoding lib:
mad
xine-lib

libdts:
libdts
xine-lib

flac:
flac
xine-lib

liba52:
a52dec
xine-lib

libmpeg2:
mpeg2dec
xine-lib

curl:
wget (code for NTLM authentication)

TODO evaluate:
gimp-gap (potentially using ffmpeg code as well)

uw-imap:
pine
alpine

imagemagick:
graphicsmagick

halibut:
nsis

libghttp:
hotway

libsndfile:
ardour

glibmm2.4:
ardour

libgnomecanvasmm2.6:
ardour

libsigc++-2.0:
ardour

soundtouch:
ardour

libmms:
xine-lib
mimms

FCKeditor: (packaged as fckeditor)
knowledgeroot
moin (452599)
karrigell (452598)
gforge-plugins-extra (fixed since 4.6.99+svn6225-1)


Moodle contains lots of things:
AdoDB
AdoDB-XML Schema
ipatlas
PHPMailer
Smarty
htmlArea
TinyMCE
bennu

TinyMCE:
wordpress
moodle
knowledgeroot
joomla (ITP)

scintilla:
scite
qscintilla 
qscintilla2 
geany

libphp-adodb:
gallery2
phppgadmin
egroupware
phpwiki
ipplan
typo3
moodle
cacti (dependency exists, but internal version is used -- only in sarge, fixed in etch)

gzip:
linux-kernel (lib/inflate.c)
klibc (based on linux-kernel gzip code)
busybox

neon:
cadaver (all, but being worked on: #188381)
gnome-vfs2 (#395874)
litmus (#395875)
screem (sarge only)
sitecopy (#395876)
tla (etch/sid only: #395877)

libmodplug:
gst-plugins-bad0.10

libvncserver:
vino

putty:
filezilla

tinyxml (not packaged in Debian):
filezilla

gv:
evince (ps/ tree from gv 3.5.8)
evince-gtk (not packaged in Debian)

libXbae:
libpawlib2-lesstif package (from Cernlib)

libXaw:
libpawlib2-lesstif package (from Cernlib)

(I plan to deal with the above two cases after Etch release. -- KevinMcCarty)

libgd2:
graphviz (lib/gd seems to be 2.0.33)

rar:
unrar-nonfree

unrar-free: (maybe this code is derived from the original rar, too?)
clamav (seems to be disabled in default config)

mplayer (DirectMedia Object loader):
xine-lib (src/libw32dll/)
vlc (modules/codec/dmo/)

libwpd (WordPerfect converter):
openoffice.org

fsplib (http://sourceforge.net/projects/fsp/):
gftp (lib/fsplib version 0.3)

librpcsecgss:
krb5

jasper:
ghostscript
gs-gpl

libidn:
monotone

liblua:
monotone

libbotan:
montone

NetXX:
monotone

libgc:
mono

lzma:
p7zip

lzo:
grub2

pax code:
tar
cpio

t1lib:
tetex-bin (links to system t1lib since 2.0.2)
texlive-bin (links to system t1lib)

1	nion	7695	Embedded code copies
2			====================
3
4	jmm-guest	1586	This file collects cases, where a source package embeds code from
5	nion	7695	other projects which is considered bad for fixing security flaws
6			because the fix needs to be applied in multiple source packages.
7	jmm-guest	1586
8	nion	7695	Format:
9			<srcpkg> (<optional comment about srcpkg>)
10			- <embedding srcpkg> <status> (<sort>; bug #<number>)
11			NOTE: optional comments about the linkage of the embedding srcpkg
12
13	nion	7697	status: version number fixing the embedded copy, <unfixed>, <removed> or <unknown> if the version number can not be determined
14	nion	7739	sort: static (linking statically against a lib), embed (embedding a copy of the library into another source package)
15	jmm-guest	1586
16	nion	7696	xpdf (some srcpkgs use xpdf2 code, some xpdf3 code)
17	jmm-guest	7743	NOTE: Fixed packages link to poppler library unless otherwise noted
18	nion	7697	- gpdf <removed>
19			[sarge] - gpdf <unfixed>
20			NOTE: has been replaced by evince in etch
21			- pdftohtml <unknown>
22			[sarge] - pdftohtml <unfixed>
23			[etch] - pdftohtml <unfixed>
24			NOTE: has been replaced by poppler-utils
25	nion	7739	- kdegraphics <unfixed> (embed; bug #436164)
26	nion	7696	NOTE: the kpdf replacement in KDE 4 is using poppler
27	nion	7739	- tetex-bin 3.0-12 (embed)
28	jmm-guest	7743	- texlive-bin 2007-1 (embed)
29	nion	7696	NOTE: links to poppler
30	nion	7739	- koffice <unfixed> (embed; bug #436163)
31			- libextractor 0.5.12-1 (embed)
32	jmm-guest	7743	NOTE: libextractor is using its own pdf decoder now
33	nion	7739	- libextractor 0.5.12-1 (embed)
34			- pdfkit.framework 0.8-4 (embed)
35			- ipe <unfixed> (embed)
36	nion	7696	NOTE: embeds small parts with renamed source files: ipestdfonts.cpp, ipefonts.cpp, ipedct.cpp
37	nion	7739	- ruby-gnome2 <unknown> (embed)
38	nion	7696	NOTE: copy only present in source but links to poppler
39
40	nion	7755	ppmd:
41			- libcomplearn-mod-ppmd <unfixed> (embed; bug #458152)
42
43	nion	6965	silc-toolkit:
44	nion	7740	- silc-client 1.1~beta6-1 (embed)
45	nion	6965
46	nion	6967	dietlibc:
47	nion	7740	- ccontrol 0.9.1+20071204-1 (static)
48	nion	6967
49	nion	6969	libiax:
50	nion	7740	- iaxmodem <unfixed> (embed)
51	nion	6969
52	jmm-guest	3042	zlib code: (lots of apps embed a copy, but link dynamically, but there are a few exceptions)
53	jmm-guest	1586	dpkg
54	jmm-guest	3042	rsync (somehow derived code base)
55	nion	7135	mono
56	jmm-guest	1586	mozilla(?)
57			Linux kernels
58	jmm-guest	2380	pvpgn (links dynamically since 1.7.8-2)
59	jmm-guest	3428	mrtg (links dynamically since 2.12.2-1)
60	stef-guest	5320	rpm
61	jmm-guest	1586
62	stef-guest	5320	libbz2:
63			dpkg (statically linked)
64
65	jmm-guest	1586	libgadu/ekg:
66			centericq
67	jmm-guest	1593	gaim
68	jmm-guest	7463	pigdin (links dynamically against libgadu)
69	jmm-guest	1588	kopete (ships the code, but links dynamically in the Debian package)
70	jmm-guest	1599	kadu (not packaged in Debian)
71	jmm-guest	3042	GNU gadu (not yet packaged in Debian)
72	jmm-guest	1586
73	jmm-guest	1588	xmlrpc: (which package is the "origin" of this code?)
74			drupal
75			phpgroupware
76			egroupware
77			phpwiki
78			php4 (php-pear, IIRC this was reorganized some weeks ago?)
79	jmm-guest	1586
80	jmm-guest	1588	shtool: (affects build-time only)
81			mysql-ocaml
82			php4
83
84			mozilla:
85			mozilla-firefox
86			mozilla-thunderbird
87	stef-guest	5320	firefox (to be removed)
88			thunderbird (to be removed)
89			iceweasel
90			iceape
91			icedove
92			xulrunner
93			nvu (no longer in Debian)
94	jmm-guest	1588
95			xli:
96			xloadimage
97
98	jmm-guest	3042	lesstif: (beware: two different lesstif APIs supported in one package, MOTIF 1.2 discarded upstream)
99	jmm-guest	1588	openmotif
100	jmm-guest	3042	xfree86/xorg (in libxpm)
101	jmm-guest	1588
102			kerberized apps with BSD origin:
103			krb4
104			krb5
105			heimdal
106
107			grip: (which pkg is the origin?)
108			libcdaudio
109			grip
110			gnome-vfs (vfs2 as well?)
111	stef-guest	1608
112			fudforum:
113			phpgroupware-fudforum
114	stef-guest	5320	egroupware-fudforum (removed from egroupware after sarge)
115	jmm-guest	1670
116			cvs:
117	jmm-guest	1755	gcvs (at least an additional script is included, check if there's more)
118	jmm-guest	1684
119			pcre:
120	jmm-guest	3042	all pythons
121	jmm-guest	1757	php4 (src included, but Debian package links dynamically)
122	joeyh	1834	analog (src included, but Debian package links dynamically)
123			libgoffice-1
124	nion	7629	vfu (removed linking against embedded copy in 4.06-4.1; #450754)
125	jmm-guest	2068	tf5 (since 5.0beta7 the Debian package links dynamically)
126	nion	7136	monotone (including this starting from 0.37)
127	micah	7271	glib (2.14 series for gregex support, only for udeb, regular packag links dynamic)
128	jamie-guest	7367	apache2 (since 2.0.53-4 uses 040_link_external_pcre patch)
129	jamie-guest	7368	exim4 (since 4.10-0.srh20.12 uses 36_pcre patch to use external pcre)
130	nion	7627	yacas (<= 1.0.x; is using pcre to scan text, can execute shell commands via the syntax anyway)
131	stef-guest	7683	gtamsanalyzer.app (links dynamically since 0.42-5)
132	jmm-guest	1758
133			tiff:
134			wxpythongtk (check, which debian pkg this is in)
135			older kdegraphics/kpdf releases < 3.3 embedded a copy
136	joeyh	1802
137			uudeview:
138			libconvert-uulib-perl
139	jmm-guest	1824
140			sqlite: (not affected by security vulnerabilities so far)
141			amarok
142	stef-guest	6985	monotone
143	jmm-guest	7212	iceweasel
144	jmm-guest	1828
145	jmm-guest	2037	util-linux/mount:
146			loop-aes-utils contains code from util-linux' mount in the mount-aes-udeb
147	jmm-guest	2104
148			webmin:
149	stef-guest	5320	usermin (only in sarge)
150	jmm-guest	2714
151			sylpheed:
152			sylpheed-claws
153	jmm-guest	2751
154			phpsysinfo:
155			egroupware
156	jmm-guest	2800	phpgroupware
157
158			phpldapadmin:
159	stef-guest	5320	egroupware (removed from egroupware after sarge)
160	jmm-guest	2800
161	jmm-guest	2889	chmlib:
162	nion	7385	kchmviewer (ships the code but links dynamically)
163	jmm-guest	2800
164	jmm-guest	7214	libavcodec/libavformat (source: ffmpeg):
165			mplayer (#395252)
166	stef-guest	5320	xvidcap
167	jmm-guest	3075	kino (links statically, does not include code)
168			vlc (links statically, does not include code)
169			smilutils (links statically, does not include code)
170			motion (links statically, does not include code)
171	fw	3061	gst-ffmpeg
172	stef-guest	5048	gstreamer0.10-ffmpeg
173			xmovie
174	jmm-guest	2948
175			mad MPEG decoding lib:
176			mad
177			xine-lib
178
179			libdts:
180			libdts
181			xine-lib
182
183			flac:
184			flac
185			xine-lib
186
187			liba52:
188			a52dec
189			xine-lib
190
191			libmpeg2:
192			mpeg2dec
193			xine-lib
194
195	jmm-guest	2965	curl:
196			wget (code for NTLM authentication)
197	jmm-guest	3093
198			TODO evaluate:
199	jmm-guest	3320	gimp-gap (potentially using ffmpeg code as well)
200
201			uw-imap:
202			pine
203	stef-guest	6985	alpine
204	jmm-guest	3402
205			imagemagick:
206	micah	3537	graphicsmagick
207
208			halibut:
209			nsis
210
211			libghttp:
212			hotway
213
214	nion	6869	libsndfile:
215			ardour
216
217			glibmm2.4:
218			ardour
219
220			libgnomecanvasmm2.6:
221			ardour
222
223			libsigc++-2.0:
224			ardour
225
226			soundtouch:
227			ardour
228
229	stef-guest	4495	libmms:
230			xine-lib
231			mimms
232	stef-guest	4517
233	jmm-guest	7383	FCKeditor: (packaged as fckeditor)
234	stef-guest	4517	knowledgeroot
235	jmm-guest	7383	moin (452599)
236			karrigell (452598)
237	jmm-guest	7384	gforge-plugins-extra (fixed since 4.6.99+svn6225-1)
238	stef-guest	4517
239	jmm-guest	7383
240
241	neilm	4838	Moodle contains lots of things:
242			AdoDB
243			AdoDB-XML Schema
244			ipatlas
245			PHPMailer
246			Smarty
247			htmlArea
248			TinyMCE
249			bennu
250
251	stef-guest	4517	TinyMCE:
252			wordpress
253			moodle
254			knowledgeroot
255			joomla (ITP)
256
257	micah	4767	scintilla:
258	micah	4561	scite
259			qscintilla
260	micah	7091	qscintilla2
261	micah	4561	geany
262	stef-guest	4706
263	micah	4767	libphp-adodb:
264	stef-guest	4706	gallery2
265			phppgadmin
266			egroupware
267			phpwiki
268	nion	7236	ipplan
269	nion	7226	typo3
270	stef-guest	4706	moodle
271	neilm	4835	cacti (dependency exists, but internal version is used -- only in sarge, fixed in etch)
272	stef-guest	4706
273	micah	4767	gzip:
274			linux-kernel (lib/inflate.c)
275			klibc (based on linux-kernel gzip code)
276	micah	4808	busybox
277	micah	4767
278	neilm	4891	neon:
279			cadaver (all, but being worked on: #188381)
280			gnome-vfs2 (#395874)
281			litmus (#395875)
282			screem (sarge only)
283			sitecopy (#395876)
284			tla (etch/sid only: #395877)
285	stef-guest	5319
286			libmodplug:
287			gst-plugins-bad0.10
288	stef-guest	5320
289			libvncserver:
290			vino
291
292			putty:
293			filezilla
294
295			tinyxml (not packaged in Debian):
296			filezilla
297
298			gv:
299			evince (ps/ tree from gv 3.5.8)
300			evince-gtk (not packaged in Debian)
301	stef-guest	5321
302			libXbae:
303			libpawlib2-lesstif package (from Cernlib)
304
305			libXaw:
306			libpawlib2-lesstif package (from Cernlib)
307
308			(I plan to deal with the above two cases after Etch release. -- KevinMcCarty)
309
310			libgd2:
311			graphviz (lib/gd seems to be 2.0.33)
312	stef-guest	5440
313			rar:
314			unrar-nonfree
315
316			unrar-free: (maybe this code is derived from the original rar, too?)
317			clamav (seems to be disabled in default config)
318
319	keescook-guest	5526	mplayer (DirectMedia Object loader):
320			xine-lib (src/libw32dll/)
321			vlc (modules/codec/dmo/)
322	alec-guest	5564
323			libwpd (WordPerfect converter):
324			openoffice.org
325	keescook-guest	6298
326			fsplib (http://sourceforge.net/projects/fsp/):
327			gftp (lib/fsplib version 0.3)
328	keescook-guest	6498
329			librpcsecgss:
330			krb5
331	stef-guest	6985
332	keescook-guest	7007	jasper:
333			ghostscript
334			gs-gpl
335
336	nion	7136	libidn:
337			monotone
338	micah	7134
339	nion	7136	liblua:
340			monotone
341
342			libbotan:
343			montone
344
345			NetXX:
346			monotone
347
348	nion	7135	libgc:
349			mono
350	white	7203
351	jmm-guest	7212	lzma:
352			p7zip
353
354			lzo:
355			grub2
356
357	white	7203	pax code:
358			tar
359			cpio
360	jamie-guest	7487
361			t1lib:
362	jamie-guest	7503	tetex-bin (links to system t1lib since 2.0.2)
363			texlive-bin (links to system t1lib)
364	jamie-guest	7487