Contents of /data/embedded-code-copies

Embedded code copies
====================

This file collects cases, where a source package embeds code from
other projects which is considered bad for fixing security flaws
because the fix needs to be applied in multiple source packages.

Format:
<srcpkg> (<optional comment about srcpkg>)
        - <embedding srcpkg> <status> (<sort>; bug #<number>)
        NOTE: optional comments about the linkage of the embedding srcpkg

status: version number fixing the embedded copy, <unfixed>, <removed> or <unknown> if the version number can not be determined
sort: static (linking statically against a lib), embed (embedding a copy of the library into another source package)

xpdf (some srcpkgs use xpdf2 code, some xpdf3 code)
        NOTE: Fixed packages link to poppler library unless otherwise noted
        - gpdf <removed>
        [sarge] - gpdf <unfixed>
        NOTE: has been replaced by evince in etch
        - pdftohtml <unknown>
        [sarge] - pdftohtml <unfixed>
        [etch] - pdftohtml <unfixed>
        NOTE: has been replaced by poppler-utils
        - kdegraphics <unfixed> (embed; bug #436164)
        NOTE: the kpdf replacement in KDE 4 is using poppler
        - tetex-bin 3.0-12 (embed)
        - texlive-bin 2007-1 (embed)
        NOTE: links to poppler
        - koffice <unfixed> (embed; bug #436163)
        - libextractor 0.5.12-1 (embed)
        NOTE: libextractor is using its own pdf decoder now
        - libextractor 0.5.12-1 (embed)
        - pdfkit.framework 0.8-4 (embed)
        - ipe <unfixed> (embed)
        NOTE: embeds small parts with renamed source files: ipestdfonts.cpp, ipefonts.cpp, ipedct.cpp
        - ruby-gnome2 <unknown> (embed)
        NOTE: copy only present in source but links to poppler

ppmd:
        - libcomplearn-mod-ppmd <unfixed> (embed; bug #458152)

silc-toolkit:
        - silc-client 1.1~beta6-1 (embed)

dietlibc:
        - ccontrol 0.9.1+20071204-1 (static)

libiax:
        - iaxmodem <unfixed> (embed)

zlib (lots of apps embed a copy, but link dynamically, but there are a few exceptions)
        - dpkg <unfixed> (embed)
        NOTE: see 18196.48620.491996.624772@davenant.relativity.greenend.org.uk on debian-devel for discussion
        - rsync <unfixed> (embed)
        NOTE: somehow derived code base
        - mono <unfixed> (embed)
        TODO: check mozilla
        - Linux kernels <unfixed> (embed)
        - pvpgn 1.7.8-2 (embed)
        - mrtg 2.12.2-1 (embed)
        - rpm <unknown> (embed)
        NOTE: pinged joeyh

libbz2:
dpkg (statically linked)

libgadu/ekg:
centericq
gaim
pigdin (links dynamically against libgadu)
kopete (ships the code, but links dynamically in the Debian package)
kadu (not packaged in Debian)
GNU gadu (not yet packaged in Debian)

xmlrpc: (which package is the "origin" of this code?)
drupal
phpgroupware
egroupware
phpwiki
php4 (php-pear, IIRC this was reorganized some weeks ago?)

shtool: (affects build-time only)
mysql-ocaml
php4 

mozilla:
mozilla-firefox
mozilla-thunderbird
firefox (to be removed)
thunderbird (to be removed)
iceweasel
iceape
icedove
xulrunner
nvu (no longer in Debian)

xli:
xloadimage

lesstif: (beware: two different lesstif APIs supported in one package, MOTIF 1.2 discarded upstream)
openmotif
xfree86/xorg (in libxpm)

kerberized apps with BSD origin:
krb4
krb5
heimdal

grip: (which pkg is the origin?)
libcdaudio
grip
gnome-vfs (vfs2 as well?)

fudforum:
phpgroupware-fudforum
egroupware-fudforum (removed from egroupware after sarge)

cvs:
gcvs (at least an additional script is included, check if there's more)

pcre:
all pythons
php4 (src included, but Debian package links dynamically)
analog (src included, but Debian package links dynamically)
libgoffice-1
vfu (removed linking against embedded copy in 4.06-4.1; #450754)
tf5 (since 5.0beta7 the Debian package links dynamically)
monotone (including this starting from 0.37)
glib (2.14 series for gregex support, only for udeb, regular packag links dynamic)
apache2 (since 2.0.53-4 uses 040_link_external_pcre patch)
exim4 (since 4.10-0.srh20.12 uses 36_pcre patch to use external pcre)
yacas (<= 1.0.x; is using pcre to scan text, can execute shell commands via the syntax anyway)
gtamsanalyzer.app (links dynamically since 0.42-5)

tiff:
wxpythongtk (check, which debian pkg this is in)
older kdegraphics/kpdf releases < 3.3 embedded a copy

uudeview:
libconvert-uulib-perl

sqlite: (not affected by security vulnerabilities so far)
amarok
monotone
iceweasel

util-linux/mount:
loop-aes-utils contains code from util-linux' mount in the mount-aes-udeb

webmin:
usermin (only in sarge)

sylpheed:
sylpheed-claws

phpsysinfo:
egroupware
phpgroupware

phpldapadmin:
egroupware (removed from egroupware after sarge)

chmlib:
kchmviewer (ships the code but links dynamically)

libavcodec/libavformat (source: ffmpeg):
mplayer (#395252)
xvidcap
kino (links statically, does not include code)
vlc (links statically, does not include code)
smilutils (links statically, does not include code)
motion (links statically, does not include code)
gst-ffmpeg
gstreamer0.10-ffmpeg
xmovie

mad MPEG decoding lib:
mad
xine-lib

libdts:
libdts
xine-lib

flac:
flac
xine-lib

liba52:
a52dec
xine-lib

libmpeg2:
mpeg2dec
xine-lib

curl:
wget (code for NTLM authentication)

TODO evaluate:
gimp-gap (potentially using ffmpeg code as well)

uw-imap:
pine
alpine

imagemagick:
graphicsmagick

halibut:
nsis

libghttp:
hotway

libsndfile:
ardour

glibmm2.4:
ardour

libgnomecanvasmm2.6:
ardour

libsigc++-2.0:
ardour

soundtouch:
ardour

libmms:
xine-lib
mimms

FCKeditor: (packaged as fckeditor)
knowledgeroot
moin (452599)
karrigell (452598)
gforge-plugins-extra (fixed since 4.6.99+svn6225-1)


Moodle contains lots of things:
AdoDB
AdoDB-XML Schema
ipatlas
PHPMailer
Smarty
htmlArea
TinyMCE
bennu

TinyMCE:
wordpress
moodle
knowledgeroot
joomla (ITP)

scintilla:
scite
qscintilla 
qscintilla2 
geany

libphp-adodb:
gallery2
phppgadmin
egroupware
phpwiki
ipplan
typo3
moodle
cacti (dependency exists, but internal version is used -- only in sarge, fixed in etch)

gzip:
linux-kernel (lib/inflate.c)
klibc (based on linux-kernel gzip code)
busybox

neon:
cadaver (all, but being worked on: #188381)
gnome-vfs2 (#395874)
litmus (#395875)
screem (sarge only)
sitecopy (#395876)
tla (etch/sid only: #395877)

libmodplug:
gst-plugins-bad0.10

libvncserver:
vino

putty:
filezilla

tinyxml (not packaged in Debian):
filezilla

gv:
evince (ps/ tree from gv 3.5.8)
evince-gtk (not packaged in Debian)

libXbae:
libpawlib2-lesstif package (from Cernlib)

libXaw:
libpawlib2-lesstif package (from Cernlib)

(I plan to deal with the above two cases after Etch release. -- KevinMcCarty)

libgd2:
graphviz (lib/gd seems to be 2.0.33)

rar:
unrar-nonfree

unrar-free: (maybe this code is derived from the original rar, too?)
clamav (seems to be disabled in default config)

mplayer (DirectMedia Object loader):
xine-lib (src/libw32dll/)
vlc (modules/codec/dmo/)

libwpd (WordPerfect converter):
openoffice.org

fsplib (http://sourceforge.net/projects/fsp/):
gftp (lib/fsplib version 0.3)

librpcsecgss:
krb5

jasper:
ghostscript
gs-gpl

libidn:
monotone

liblua:
monotone

libbotan:
montone

NetXX:
monotone

libgc:
mono

lzma:
p7zip

lzo:
grub2

pax code:
tar
cpio

t1lib:
tetex-bin (links to system t1lib since 2.0.2)
texlive-bin (links to system t1lib)

1	nion	7695	Embedded code copies
2			====================
3
4	jmm-guest	1586	This file collects cases, where a source package embeds code from
5	nion	7695	other projects which is considered bad for fixing security flaws
6			because the fix needs to be applied in multiple source packages.
7	jmm-guest	1586
8	nion	7695	Format:
9			<srcpkg> (<optional comment about srcpkg>)
10			- <embedding srcpkg> <status> (<sort>; bug #<number>)
11			NOTE: optional comments about the linkage of the embedding srcpkg
12
13	nion	7697	status: version number fixing the embedded copy, <unfixed>, <removed> or <unknown> if the version number can not be determined
14	nion	7739	sort: static (linking statically against a lib), embed (embedding a copy of the library into another source package)
15	jmm-guest	1586
16	nion	7696	xpdf (some srcpkgs use xpdf2 code, some xpdf3 code)
17	jmm-guest	7743	NOTE: Fixed packages link to poppler library unless otherwise noted
18	nion	7697	- gpdf <removed>
19			[sarge] - gpdf <unfixed>
20			NOTE: has been replaced by evince in etch
21			- pdftohtml <unknown>
22			[sarge] - pdftohtml <unfixed>
23			[etch] - pdftohtml <unfixed>
24			NOTE: has been replaced by poppler-utils
25	nion	7739	- kdegraphics <unfixed> (embed; bug #436164)
26	nion	7696	NOTE: the kpdf replacement in KDE 4 is using poppler
27	nion	7739	- tetex-bin 3.0-12 (embed)
28	jmm-guest	7743	- texlive-bin 2007-1 (embed)
29	nion	7696	NOTE: links to poppler
30	nion	7739	- koffice <unfixed> (embed; bug #436163)
31			- libextractor 0.5.12-1 (embed)
32	jmm-guest	7743	NOTE: libextractor is using its own pdf decoder now
33	nion	7739	- libextractor 0.5.12-1 (embed)
34			- pdfkit.framework 0.8-4 (embed)
35			- ipe <unfixed> (embed)
36	nion	7696	NOTE: embeds small parts with renamed source files: ipestdfonts.cpp, ipefonts.cpp, ipedct.cpp
37	nion	7739	- ruby-gnome2 <unknown> (embed)
38	nion	7696	NOTE: copy only present in source but links to poppler
39
40	nion	7755	ppmd:
41			- libcomplearn-mod-ppmd <unfixed> (embed; bug #458152)
42
43	nion	6965	silc-toolkit:
44	nion	7740	- silc-client 1.1~beta6-1 (embed)
45	nion	6965
46	nion	6967	dietlibc:
47	nion	7740	- ccontrol 0.9.1+20071204-1 (static)
48	nion	6967
49	nion	6969	libiax:
50	nion	7740	- iaxmodem <unfixed> (embed)
51	nion	6969
52	nion	7787	zlib (lots of apps embed a copy, but link dynamically, but there are a few exceptions)
53			- dpkg <unfixed> (embed)
54			NOTE: see 18196.48620.491996.624772@davenant.relativity.greenend.org.uk on debian-devel for discussion
55			- rsync <unfixed> (embed)
56			NOTE: somehow derived code base
57			- mono <unfixed> (embed)
58			TODO: check mozilla
59			- Linux kernels <unfixed> (embed)
60			- pvpgn 1.7.8-2 (embed)
61			- mrtg 2.12.2-1 (embed)
62			- rpm <unknown> (embed)
63			NOTE: pinged joeyh
64	jmm-guest	1586
65	stef-guest	5320	libbz2:
66			dpkg (statically linked)
67
68	jmm-guest	1586	libgadu/ekg:
69			centericq
70	jmm-guest	1593	gaim
71	jmm-guest	7463	pigdin (links dynamically against libgadu)
72	jmm-guest	1588	kopete (ships the code, but links dynamically in the Debian package)
73	jmm-guest	1599	kadu (not packaged in Debian)
74	jmm-guest	3042	GNU gadu (not yet packaged in Debian)
75	jmm-guest	1586
76	jmm-guest	1588	xmlrpc: (which package is the "origin" of this code?)
77			drupal
78			phpgroupware
79			egroupware
80			phpwiki
81			php4 (php-pear, IIRC this was reorganized some weeks ago?)
82	jmm-guest	1586
83	jmm-guest	1588	shtool: (affects build-time only)
84			mysql-ocaml
85			php4
86
87			mozilla:
88			mozilla-firefox
89			mozilla-thunderbird
90	stef-guest	5320	firefox (to be removed)
91			thunderbird (to be removed)
92			iceweasel
93			iceape
94			icedove
95			xulrunner
96			nvu (no longer in Debian)
97	jmm-guest	1588
98			xli:
99			xloadimage
100
101	jmm-guest	3042	lesstif: (beware: two different lesstif APIs supported in one package, MOTIF 1.2 discarded upstream)
102	jmm-guest	1588	openmotif
103	jmm-guest	3042	xfree86/xorg (in libxpm)
104	jmm-guest	1588
105			kerberized apps with BSD origin:
106			krb4
107			krb5
108			heimdal
109
110			grip: (which pkg is the origin?)
111			libcdaudio
112			grip
113			gnome-vfs (vfs2 as well?)
114	stef-guest	1608
115			fudforum:
116			phpgroupware-fudforum
117	stef-guest	5320	egroupware-fudforum (removed from egroupware after sarge)
118	jmm-guest	1670
119			cvs:
120	jmm-guest	1755	gcvs (at least an additional script is included, check if there's more)
121	jmm-guest	1684
122			pcre:
123	jmm-guest	3042	all pythons
124	jmm-guest	1757	php4 (src included, but Debian package links dynamically)
125	joeyh	1834	analog (src included, but Debian package links dynamically)
126			libgoffice-1
127	nion	7629	vfu (removed linking against embedded copy in 4.06-4.1; #450754)
128	jmm-guest	2068	tf5 (since 5.0beta7 the Debian package links dynamically)
129	nion	7136	monotone (including this starting from 0.37)
130	micah	7271	glib (2.14 series for gregex support, only for udeb, regular packag links dynamic)
131	jamie-guest	7367	apache2 (since 2.0.53-4 uses 040_link_external_pcre patch)
132	jamie-guest	7368	exim4 (since 4.10-0.srh20.12 uses 36_pcre patch to use external pcre)
133	nion	7627	yacas (<= 1.0.x; is using pcre to scan text, can execute shell commands via the syntax anyway)
134	stef-guest	7683	gtamsanalyzer.app (links dynamically since 0.42-5)
135	jmm-guest	1758
136			tiff:
137			wxpythongtk (check, which debian pkg this is in)
138			older kdegraphics/kpdf releases < 3.3 embedded a copy
139	joeyh	1802
140			uudeview:
141			libconvert-uulib-perl
142	jmm-guest	1824
143			sqlite: (not affected by security vulnerabilities so far)
144			amarok
145	stef-guest	6985	monotone
146	jmm-guest	7212	iceweasel
147	jmm-guest	1828
148	jmm-guest	2037	util-linux/mount:
149			loop-aes-utils contains code from util-linux' mount in the mount-aes-udeb
150	jmm-guest	2104
151			webmin:
152	stef-guest	5320	usermin (only in sarge)
153	jmm-guest	2714
154			sylpheed:
155			sylpheed-claws
156	jmm-guest	2751
157			phpsysinfo:
158			egroupware
159	jmm-guest	2800	phpgroupware
160
161			phpldapadmin:
162	stef-guest	5320	egroupware (removed from egroupware after sarge)
163	jmm-guest	2800
164	jmm-guest	2889	chmlib:
165	nion	7385	kchmviewer (ships the code but links dynamically)
166	jmm-guest	2800
167	jmm-guest	7214	libavcodec/libavformat (source: ffmpeg):
168			mplayer (#395252)
169	stef-guest	5320	xvidcap
170	jmm-guest	3075	kino (links statically, does not include code)
171			vlc (links statically, does not include code)
172			smilutils (links statically, does not include code)
173			motion (links statically, does not include code)
174	fw	3061	gst-ffmpeg
175	stef-guest	5048	gstreamer0.10-ffmpeg
176			xmovie
177	jmm-guest	2948
178			mad MPEG decoding lib:
179			mad
180			xine-lib
181
182			libdts:
183			libdts
184			xine-lib
185
186			flac:
187			flac
188			xine-lib
189
190			liba52:
191			a52dec
192			xine-lib
193
194			libmpeg2:
195			mpeg2dec
196			xine-lib
197
198	jmm-guest	2965	curl:
199			wget (code for NTLM authentication)
200	jmm-guest	3093
201			TODO evaluate:
202	jmm-guest	3320	gimp-gap (potentially using ffmpeg code as well)
203
204			uw-imap:
205			pine
206	stef-guest	6985	alpine
207	jmm-guest	3402
208			imagemagick:
209	micah	3537	graphicsmagick
210
211			halibut:
212			nsis
213
214			libghttp:
215			hotway
216
217	nion	6869	libsndfile:
218			ardour
219
220			glibmm2.4:
221			ardour
222
223			libgnomecanvasmm2.6:
224			ardour
225
226			libsigc++-2.0:
227			ardour
228
229			soundtouch:
230			ardour
231
232	stef-guest	4495	libmms:
233			xine-lib
234			mimms
235	stef-guest	4517
236	jmm-guest	7383	FCKeditor: (packaged as fckeditor)
237	stef-guest	4517	knowledgeroot
238	jmm-guest	7383	moin (452599)
239			karrigell (452598)
240	jmm-guest	7384	gforge-plugins-extra (fixed since 4.6.99+svn6225-1)
241	stef-guest	4517
242	jmm-guest	7383
243
244	neilm	4838	Moodle contains lots of things:
245			AdoDB
246			AdoDB-XML Schema
247			ipatlas
248			PHPMailer
249			Smarty
250			htmlArea
251			TinyMCE
252			bennu
253
254	stef-guest	4517	TinyMCE:
255			wordpress
256			moodle
257			knowledgeroot
258			joomla (ITP)
259
260	micah	4767	scintilla:
261	micah	4561	scite
262			qscintilla
263	micah	7091	qscintilla2
264	micah	4561	geany
265	stef-guest	4706
266	micah	4767	libphp-adodb:
267	stef-guest	4706	gallery2
268			phppgadmin
269			egroupware
270			phpwiki
271	nion	7236	ipplan
272	nion	7226	typo3
273	stef-guest	4706	moodle
274	neilm	4835	cacti (dependency exists, but internal version is used -- only in sarge, fixed in etch)
275	stef-guest	4706
276	micah	4767	gzip:
277			linux-kernel (lib/inflate.c)
278			klibc (based on linux-kernel gzip code)
279	micah	4808	busybox
280	micah	4767
281	neilm	4891	neon:
282			cadaver (all, but being worked on: #188381)
283			gnome-vfs2 (#395874)
284			litmus (#395875)
285			screem (sarge only)
286			sitecopy (#395876)
287			tla (etch/sid only: #395877)
288	stef-guest	5319
289			libmodplug:
290			gst-plugins-bad0.10
291	stef-guest	5320
292			libvncserver:
293			vino
294
295			putty:
296			filezilla
297
298			tinyxml (not packaged in Debian):
299			filezilla
300
301			gv:
302			evince (ps/ tree from gv 3.5.8)
303			evince-gtk (not packaged in Debian)
304	stef-guest	5321
305			libXbae:
306			libpawlib2-lesstif package (from Cernlib)
307
308			libXaw:
309			libpawlib2-lesstif package (from Cernlib)
310
311			(I plan to deal with the above two cases after Etch release. -- KevinMcCarty)
312
313			libgd2:
314			graphviz (lib/gd seems to be 2.0.33)
315	stef-guest	5440
316			rar:
317			unrar-nonfree
318
319			unrar-free: (maybe this code is derived from the original rar, too?)
320			clamav (seems to be disabled in default config)
321
322	keescook-guest	5526	mplayer (DirectMedia Object loader):
323			xine-lib (src/libw32dll/)
324			vlc (modules/codec/dmo/)
325	alec-guest	5564
326			libwpd (WordPerfect converter):
327			openoffice.org
328	keescook-guest	6298
329			fsplib (http://sourceforge.net/projects/fsp/):
330			gftp (lib/fsplib version 0.3)
331	keescook-guest	6498
332			librpcsecgss:
333			krb5
334	stef-guest	6985
335	keescook-guest	7007	jasper:
336			ghostscript
337			gs-gpl
338
339	nion	7136	libidn:
340			monotone
341	micah	7134
342	nion	7136	liblua:
343			monotone
344
345			libbotan:
346			montone
347
348			NetXX:
349			monotone
350
351	nion	7135	libgc:
352			mono
353	white	7203
354	jmm-guest	7212	lzma:
355			p7zip
356
357			lzo:
358			grub2
359
360	white	7203	pax code:
361			tar
362			cpio
363	jamie-guest	7487
364			t1lib:
365	jamie-guest	7503	tetex-bin (links to system t1lib since 2.0.2)
366			texlive-bin (links to system t1lib)
367	jamie-guest	7487