Contents of /data/embedded-code-copies

Revision 7791
Thu Jan 3 15:19:23 2008 UTC (6 years, 10 months ago) by nion
File size: 7567 byte(s)
conversions to new file format
1 nion 7695 Embedded code copies
2     ====================
3    
4 jmm-guest 1586 This file collects cases where a source package embeds code from
5 nion 7695 other projects, which is considered bad for fixing security flaws
6     because the fix needs to be applied in multiple source packages.
7 jmm-guest 1586
8 nion 7695 Format:
9     <srcpkg> (<optional comment about srcpkg>)
10     - <embedding srcpkg> <status> (<sort>; bug #<number>)
11     NOTE: optional comments about the linkage of the embedding srcpkg
12    
13 nion 7697 status: version number fixing the embedded copy, <unfixed>, <removed> or <unknown> if the version number cannot be determined
14 nion 7739 sort: static (linking statically against a lib), embed (embedding a copy of the library into another source package)
15 nion 7788 The srcpkg might be some string to identify the code if there is no specific source package.
16 jmm-guest 1586
17 nion 7696 xpdf (some srcpkgs use xpdf2 code, some xpdf3 code)
18 jmm-guest 7743 NOTE: Fixed packages link to poppler library unless otherwise noted
19 nion 7697 - gpdf <removed>
20     [sarge] - gpdf <unfixed>
21     NOTE: has been replaced by evince in etch
22     - pdftohtml <unknown>
23     [sarge] - pdftohtml <unfixed>
24     [etch] - pdftohtml <unfixed>
25     NOTE: has been replaced by poppler-utils
26 nion 7739 - kdegraphics <unfixed> (embed; bug #436164)
27 nion 7696 NOTE: the kpdf replacement in KDE 4 is using poppler
28 nion 7739 - tetex-bin 3.0-12 (embed)
29 jmm-guest 7743 - texlive-bin 2007-1 (embed)
30 nion 7696 NOTE: links to poppler
31 nion 7739 - koffice <unfixed> (embed; bug #436163)
32     - libextractor 0.5.12-1 (embed)
33 jmm-guest 7743 NOTE: libextractor is using its own pdf decoder now
34 nion 7739 - libextractor 0.5.12-1 (embed)
35     - pdfkit.framework 0.8-4 (embed)
36     - ipe <unfixed> (embed)
37 nion 7696 NOTE: embeds small parts with renamed source files: ipestdfonts.cpp, ipefonts.cpp, ipedct.cpp
38 nion 7739 - ruby-gnome2 <unknown> (embed)
39 nion 7696 NOTE: copy only present in source but links to poppler
40    
41 nion 7791 ppmd
42 nion 7755 - libcomplearn-mod-ppmd <unfixed> (embed; bug #458152)
43    
44 nion 7791 silc-toolkit
45 nion 7740 - silc-client 1.1~beta6-1 (embed)
46 nion 6965
47 nion 7791 dietlibc
48 nion 7740 - ccontrol 0.9.1+20071204-1 (static)
49 nion 6967
50 nion 7791 libiax
51 nion 7740 - iaxmodem <unfixed> (embed)
52 nion 6969
53 nion 7787 zlib (lots of apps embed a copy, but link dynamically, but there are a few exceptions)
54     - dpkg <unfixed> (embed)
55     NOTE: see 18196.48620.491996.624772@davenant.relativity.greenend.org.uk on debian-devel for discussion
56     - rsync <unfixed> (embed)
57     NOTE: somehow derived code base
58     - mono <unfixed> (embed)
59     TODO: check mozilla
60     - Linux kernels <unfixed> (embed)
61     - pvpgn 1.7.8-2 (embed)
62     - mrtg 2.12.2-1 (embed)
63     - rpm <unknown> (embed)
64 nion 7788 NOTE: pinged joeyh since when rpm was fixed
65 jmm-guest 1586
66 nion 7788 libbz2
67     - dpkg <unfixed> (static)
68 stef-guest 5320
69 nion 7788 ekg
70     - centericq <unfixed> (embed)
71     - gaim <unfixed> (embed)
72     - pidgin <unfixed> (embed)(links dynamically against libgadu)
73     - kopete 4:3.3.2-5 (embed)
74     - kadu <unfixed> (embed)
75     - gadu <unfixed> (embed)
76     NOTE: g/kadu not packaged in Debian yet
77 jmm-guest 1586
78 nion 7791 xmlrpc (which package is the "origin" of this code?)
79 nion 7788 - drupal <unfixed> (embed)
80     - phpgroupware <unfixed> (embed)
81     - egroupware <unfixed> (embed)
82     - phpwiki (embed)
83     - php4 <unfixed> (embed)
84     TODO: check, php-pear, IIRC this was reorganized some weeks ago?
85 jmm-guest 1586
86 nion 7791 shtool (affects build-time only)
87     - mysql-ocaml <unfixed> (embed)
88     - php4 <unfixed> (embed)
89 jmm-guest 1588
90 nion 7791 mozilla source code
91     - mozilla-firefox <unfixed> (embed)
92     - mozilla-thunderbird
93     - firefox <removed>
94     [etch] - firefox <unfixed> (embed)
95     - thunderbird <removed>
96     [etch] - thunderbird <unfixed> (embed)
97     - iceweasel <unfixed> (embed)
98     - iceape <unfixed> (embed)
99     - icedove <unfixed> (embed)
100     - xulrunner <unfixed> (embed)
101     - nvu <removed> (embed)
102 jmm-guest 1588
103 nion 7791 xli
104     - xloadimage <unfixed> (embed)
105 jmm-guest 1588
106 jmm-guest 3042 lesstif: (beware: two different lesstif APIs supported in one package, MOTIF 1.2 discarded upstream)
107 jmm-guest 1588 openmotif
108 jmm-guest 3042 xfree86/xorg (in libxpm)
109 jmm-guest 1588
110     kerberized apps with BSD origin:
111     krb4
112     krb5
113     heimdal
114    
115     grip: (which pkg is the origin?)
116     libcdaudio
117     grip
118     gnome-vfs (vfs2 as well?)
119 stef-guest 1608
120     fudforum:
121     phpgroupware-fudforum
122 stef-guest 5320 egroupware-fudforum (removed from egroupware after sarge)
123 jmm-guest 1670
124     cvs:
125 jmm-guest 1755 gcvs (at least an additional script is included, check if there's more)
126 jmm-guest 1684
127     pcre:
128 jmm-guest 3042 all pythons
129 jmm-guest 1757 php4 (src included, but Debian package links dynamically)
130 joeyh 1834 analog (src included, but Debian package links dynamically)
131     libgoffice-1
132 nion 7629 vfu (removed linking against embedded copy in 4.06-4.1; #450754)
133 jmm-guest 2068 tf5 (since 5.0beta7 the Debian package links dynamically)
134 nion 7136 monotone (including this starting from 0.37)
135 micah 7271 glib (2.14 series for gregex support, only for udeb, regular package links dynamically)
136 jamie-guest 7367 apache2 (since 2.0.53-4 uses 040_link_external_pcre patch)
137 jamie-guest 7368 exim4 (since 4.10-0.srh20.12 uses 36_pcre patch to use external pcre)
138 nion 7627 yacas (<= 1.0.x; is using pcre to scan text, can execute shell commands via the syntax anyway)
139 stef-guest 7683 gtamsanalyzer.app (links dynamically since 0.42-5)
140 jmm-guest 1758
141     tiff:
142     wxpythongtk (check, which debian pkg this is in)
143     older kdegraphics/kpdf releases < 3.3 embedded a copy
144 joeyh 1802
145     uudeview:
146     libconvert-uulib-perl
147 jmm-guest 1824
148     sqlite: (not affected by security vulnerabilities so far)
149     amarok
150 stef-guest 6985 monotone
151 jmm-guest 7212 iceweasel
152 jmm-guest 1828
153 jmm-guest 2037 util-linux/mount:
154     loop-aes-utils contains code from util-linux' mount in the mount-aes-udeb
155 jmm-guest 2104
156     webmin:
157 stef-guest 5320 usermin (only in sarge)
158 jmm-guest 2714
159     sylpheed:
160     sylpheed-claws
161 jmm-guest 2751
162     phpsysinfo:
163     egroupware
164 jmm-guest 2800 phpgroupware
165    
166     phpldapadmin:
167 stef-guest 5320 egroupware (removed from egroupware after sarge)
168 jmm-guest 2800
169 jmm-guest 2889 chmlib:
170 nion 7385 kchmviewer (ships the code but links dynamically)
171 jmm-guest 2800
172 jmm-guest 7214 libavcodec/libavformat (source: ffmpeg):
173     mplayer (#395252)
174 stef-guest 5320 xvidcap
175 jmm-guest 3075 kino (links statically, does not include code)
176     vlc (links statically, does not include code)
177     smilutils (links statically, does not include code)
178     motion (links statically, does not include code)
179 fw 3061 gst-ffmpeg
180 stef-guest 5048 gstreamer0.10-ffmpeg
181     xmovie
182 jmm-guest 2948
183     mad MPEG decoding lib:
184     mad
185     xine-lib
186    
187     libdts:
188     libdts
189     xine-lib
190    
191     flac:
192     flac
193     xine-lib
194    
195     liba52:
196     a52dec
197     xine-lib
198    
199     libmpeg2:
200     mpeg2dec
201     xine-lib
202    
203 jmm-guest 2965 curl:
204     wget (code for NTLM authentication)
205 jmm-guest 3093
206     TODO evaluate:
207 jmm-guest 3320 gimp-gap (potentially using ffmpeg code as well)
208    
209     uw-imap:
210     pine
211 stef-guest 6985 alpine
212 jmm-guest 3402
213     imagemagick:
214 micah 3537 graphicsmagick
215    
216     halibut:
217     nsis
218    
219     libghttp:
220     hotway
221    
222 nion 6869 libsndfile:
223     ardour
224    
225     glibmm2.4:
226     ardour
227    
228     libgnomecanvasmm2.6:
229     ardour
230    
231     libsigc++-2.0:
232     ardour
233    
234     soundtouch:
235     ardour
236    
237 stef-guest 4495 libmms:
238     xine-lib
239     mimms
240 stef-guest 4517
241 jmm-guest 7383 FCKeditor: (packaged as fckeditor)
242 stef-guest 4517 knowledgeroot
243 jmm-guest 7383 moin (452599)
244     karrigell (452598)
245 jmm-guest 7384 gforge-plugins-extra (fixed since 4.6.99+svn6225-1)
246 stef-guest 4517
247 jmm-guest 7383
248    
249 neilm 4838 Moodle contains lots of things:
250     AdoDB
251     AdoDB-XML Schema
252     ipatlas
253     PHPMailer
254     Smarty
255     htmlArea
256     TinyMCE
257     bennu
258    
259 stef-guest 4517 TinyMCE:
260     wordpress
261     moodle
262     knowledgeroot
263     joomla (ITP)
264    
265 micah 4767 scintilla:
266 micah 4561 scite
267     qscintilla
268 micah 7091 qscintilla2
269 micah 4561 geany
270 stef-guest 4706
271 micah 4767 libphp-adodb:
272 stef-guest 4706 gallery2
273     phppgadmin
274     egroupware
275     phpwiki
276 nion 7236 ipplan
277 nion 7226 typo3
278 stef-guest 4706 moodle
279 neilm 4835 cacti (dependency exists, but internal version is used -- only in sarge, fixed in etch)
280 stef-guest 4706
281 micah 4767 gzip:
282     linux-kernel (lib/inflate.c)
283     klibc (based on linux-kernel gzip code)
284 micah 4808 busybox
285 micah 4767
286 neilm 4891 neon:
287     cadaver (all, but being worked on: #188381)
288     gnome-vfs2 (#395874)
289     litmus (#395875)
290     screem (sarge only)
291     sitecopy (#395876)
292     tla (etch/sid only: #395877)
293 stef-guest 5319
294     libmodplug:
295     gst-plugins-bad0.10
296 stef-guest 5320
297     libvncserver:
298     vino
299    
300     putty:
301     filezilla
302    
303     tinyxml (not packaged in Debian):
304     filezilla
305    
306     gv:
307     evince (ps/ tree from gv 3.5.8)
308     evince-gtk (not packaged in Debian)
309 stef-guest 5321
310     libXbae:
311     libpawlib2-lesstif package (from Cernlib)
312    
313     libXaw:
314     libpawlib2-lesstif package (from Cernlib)
315    
316     (I plan to deal with the above two cases after Etch release. -- KevinMcCarty)
317    
318     libgd2:
319     graphviz (lib/gd seems to be 2.0.33)
320 stef-guest 5440
321     rar:
322     unrar-nonfree
323    
324     unrar-free: (maybe this code is derived from the original rar, too?)
325     clamav (seems to be disabled in default config)
326    
327 keescook-guest 5526 mplayer (DirectMedia Object loader):
328     xine-lib (src/libw32dll/)
329     vlc (modules/codec/dmo/)
330 alec-guest 5564
331     libwpd (WordPerfect converter):
332     openoffice.org
333 keescook-guest 6298
334     fsplib (http://sourceforge.net/projects/fsp/):
335     gftp (lib/fsplib version 0.3)
336 keescook-guest 6498
337     librpcsecgss:
338     krb5
339 stef-guest 6985
340 keescook-guest 7007 jasper:
341     ghostscript
342     gs-gpl
343    
344 nion 7136 libidn:
345     monotone
346 micah 7134
347 nion 7136 liblua:
348     monotone
349    
350     libbotan:
351     monotone
352    
353     NetXX:
354     monotone
355    
356 nion 7135 libgc:
357     mono
358 white 7203
359 jmm-guest 7212 lzma:
360     p7zip
361    
362     lzo:
363     grub2
364    
365 white 7203 pax code:
366     tar
367     cpio
368 jamie-guest 7487
369     t1lib:
370 jamie-guest 7503 tetex-bin (links to system t1lib since 2.0.2)
371     texlive-bin (links to system t1lib)
372 jamie-guest 7487
