Contents of /data/embedded-code-copies

Revision 7827
Fri Jan 4 14:24:59 2008 UTC (5 years, 4 months ago) by nion
File size: 7820 byte(s)
more conversions to new format

Embedded code copies
====================

This file collects cases where a source package embeds code from
other projects, which is considered bad for fixing security flaws
because the fix needs to be applied in multiple source packages.

Format:
<srcpkg> (<optional comment about srcpkg>)
    - <embedding srcpkg> <status> (<sort>; bug #<number>)
    NOTE: optional comments about the linkage of the embedding srcpkg

status: version number fixing the embedded copy, <unfixed>, <removed> or <unknown> if the version number cannot be determined
sort: static (linking statically against a lib), embed (embedding a copy of the library into another source package)
The srcpkg might be some string to identify the code if there is no specific source package.

xpdf (some srcpkgs use xpdf2 code, some xpdf3 code)
    NOTE: Fixed packages link to poppler library unless otherwise noted
    - gpdf <removed>
    [sarge] - gpdf <unfixed>
    NOTE: has been replaced by evince in etch
    - pdftohtml <unknown>
    [sarge] - pdftohtml <unfixed>
    [etch] - pdftohtml <unfixed>
    NOTE: has been replaced by poppler-utils
    - kdegraphics <unfixed> (embed; bug #436164)
    NOTE: the kpdf replacement in KDE 4 is using poppler
    - tetex-bin 3.0-12 (embed)
    - texlive-bin 2007-1 (embed)
    NOTE: links to poppler
    - koffice <unfixed> (embed; bug #436163)
    - libextractor 0.5.12-1 (embed)
    NOTE: libextractor is using its own pdf decoder now
    - libextractor 0.5.12-1 (embed)
    - pdfkit.framework 0.8-4 (embed)
    - ipe <unfixed> (embed)
    NOTE: embeds small parts with renamed source files: ipestdfonts.cpp, ipefonts.cpp, ipedct.cpp
    - ruby-gnome2 <unknown> (embed)
    NOTE: copy only present in source but links to poppler

ppmd
    - libcomplearn-mod-ppmd <unfixed> (embed; bug #458152)

silc-toolkit
    - silc-client 1.1~beta6-1 (embed)

dietlibc
    - ccontrol 0.9.1+20071204-1 (static)

libiax
    - iaxmodem <unfixed> (embed)

zlib (lots of apps embed a copy, but link dynamically, but there are a few exceptions)
    - dpkg <unfixed> (embed)
    NOTE: see 18196.48620.491996.624772@davenant.relativity.greenend.org.uk on debian-devel for discussion
    - rsync <unfixed> (embed)
    NOTE: somehow derived code base
    - mono <unfixed> (embed)
    TODO: check mozilla
    - Linux kernels <unfixed> (embed)
    - pvpgn 1.7.8-2 (embed)
    - mrtg 2.12.2-1 (embed)
    - rpm <unknown> (embed)
    NOTE: pinged joeyh since when rpm was fixed

libbz2
    - dpkg <unfixed> (static)

ekg
    - centericq <unfixed> (embed)
    - gaim <unfixed> (embed)
    - pidgin <unfixed> (embed) (links dynamically against libgadu)
    - kopete 4:3.3.2-5 (embed)
    - kadu <unfixed> (embed)
    - gadu <unfixed> (embed)
    NOTE: g/kadu not packaged in Debian yet

xmlrpc (which package is the "origin" of this code?)
    - drupal <unfixed> (embed)
    - phpgroupware <unfixed> (embed)
    - egroupware <unfixed> (embed)
    - phpwiki (embed)
    - php4 <unfixed> (embed)
    TODO: check, php-pear, IIRC this was reorganized some weeks ago?

shtool (affects build-time only)
    - mysql-ocaml <unfixed> (embed)
    - php4 <unfixed> (embed)

mozilla source code
    - mozilla-firefox <unfixed> (embed)
    - mozilla-thunderbird
    - firefox <removed>
    [etch] - firefox <unfixed> (embed)
    - thunderbird <removed>
    [etch] - thunderbird <unfixed> (embed)
    - iceweasel <unfixed> (embed)
    - iceape <unfixed> (embed)
    - icedove <unfixed> (embed)
    - xulrunner <unfixed> (embed)
    - nvu <removed> (embed)

xli
    - xloadimage <unfixed> (embed)

lesstif (beware: two different lesstif APIs supported in one package, MOTIF 1.2 discarded upstream)
    - openmotif <unfixed> (embed)
    - xfree86/xorg <unfixed> (embed)
    NOTE: in libxpm

kerberized apps with BSD origin
    - krb4 <unfixed> (embed)
    - krb5 <unfixed> (embed)
    - heimdal <unfixed> (embed)

grip (which pkg is the origin?)
    - libcdaudio
    - grip
    - gnome-vfs
    TODO: check vfs2 as well

fudforum
    - phpgroupware-fudforum <unfixed> (embed)
    - egroupware-fudforum <removed>
    [sarge] - egroupware-fudforum <unfixed> (embed)

cvs
    - gcvs <unfixed> (embed)
    NOTE: see cvsunix/src in tarball

pcre
    - python* <unfixed> (embed)
    - php4 <unknown> (embed)
    - analog 2:5.23-0woody1 (embed)
    - libgoffice-1 <unfixed> (embed)
    - vfu 4.06-4.1 (embed; bug #450754)
    - tf5 5.0beta7-1 (embed)
    - monotone <unfixed> (embed)
    NOTE: this only affects versions >= 0.37
    - glib <unfixed> (embed)
    NOTE: 2.14 series for gregex support, only for udeb, regular package links dynamically
    - apache2 2.0.53-4 (embed)
    - exim4 4.10-0.srh20.12 (embed)
    - yacas <unfixed> (embed)
    NOTE: <= 1.0.x; is using pcre to scan text, can execute shell commands via the syntax anyway
    - gtamsanalyzer.app 0.42-5 (embed)

tiff
    - wxpythongtk <unfixed> (embed)
    TODO: check, which debian pkg this is in

uudeview
    - libconvert-uulib-perl <unfixed> (embed)

sqlite (not affected by security vulnerabilities so far)
    - amarok <unfixed> (embed)
    - monotone <unfixed> (embed)
    - iceweasel <unfixed> (embed)

util-linux/mount
    - loop-aes-utils <unfixed> (embed)
    NOTE: contains code from util-linux' mount in the mount-aes-udeb

webmin
    - usermin <unknown> (embed)
    [sarge] - usermin <unfixed> (embed)

sylpheed
    - sylpheed-claws <unfixed> (embed)

phpsysinfo
    - egroupware <unfixed> (embed)
    - phpgroupware <unfixed> (embed)

phpldapadmin:
    egroupware (removed from egroupware after sarge)

chmlib:
    kchmviewer (ships the code but links dynamically)

libavcodec/libavformat (source: ffmpeg):
    mplayer (#395252)
    xvidcap
    kino (links statically, does not include code)
    vlc (links statically, does not include code)
    smilutils (links statically, does not include code)
    motion (links statically, does not include code)
    gst-ffmpeg
    gstreamer0.10-ffmpeg
    xmovie

mad MPEG decoding lib:
    mad
    xine-lib

libdts:
    libdts
    xine-lib

flac:
    flac
    xine-lib

liba52:
    a52dec
    xine-lib

libmpeg2:
    mpeg2dec
    xine-lib

curl:
    wget (code for NTLM authentication)

TODO evaluate:
    gimp-gap (potentially using ffmpeg code as well)

uw-imap:
    pine
    alpine

imagemagick:
    graphicsmagick

halibut:
    nsis

libghttp:
    hotway

libsndfile:
    ardour

glibmm2.4:
    ardour

libgnomecanvasmm2.6:
    ardour

libsigc++-2.0:
    ardour

soundtouch:
    ardour

libmms:
    xine-lib
    mimms

FCKeditor: (packaged as fckeditor)
    knowledgeroot
    moin (452599)
    karrigell (452598)
    gforge-plugins-extra (fixed since 4.6.99+svn6225-1)

Moodle contains lots of things:
    AdoDB
    AdoDB-XML Schema
    ipatlas
    PHPMailer
    Smarty
    htmlArea
    TinyMCE
    bennu

TinyMCE:
    wordpress
    moodle
    knowledgeroot
    joomla (ITP)

scintilla:
    scite
    qscintilla
    qscintilla2
    geany

libphp-adodb:
    gallery2
    phppgadmin
    egroupware
    phpwiki
    ipplan
    typo3
    moodle
    cacti (dependency exists, but internal version is used -- only in sarge, fixed in etch)

gzip:
    linux-kernel (lib/inflate.c)
    klibc (based on linux-kernel gzip code)
    busybox

neon:
    cadaver (all, but being worked on: #188381)
    gnome-vfs2 (#395874)
    litmus (#395875)
    screem (sarge only)
    sitecopy (#395876)
    tla (etch/sid only: #395877)

libmodplug:
    gst-plugins-bad0.10

libvncserver:
    vino

putty:
    filezilla

tinyxml (not packaged in Debian):
    filezilla

gv:
    evince (ps/ tree from gv 3.5.8)
    evince-gtk (not packaged in Debian)

libXbae:
    libpawlib2-lesstif package (from Cernlib)

libXaw:
    libpawlib2-lesstif package (from Cernlib)

(I plan to deal with the above two cases after Etch release. -- KevinMcCarty)

libgd2:
    graphviz (lib/gd seems to be 2.0.33)

rar:
    unrar-nonfree

unrar-free: (maybe this code is derived from the original rar, too?)
    clamav (seems to be disabled in default config)

mplayer (DirectMedia Object loader):
    xine-lib (src/libw32dll/)
    vlc (modules/codec/dmo/)

libwpd (WordPerfect converter):
    openoffice.org

fsplib (http://sourceforge.net/projects/fsp/):
    gftp (lib/fsplib version 0.3)

librpcsecgss:
    krb5

jasper:
    ghostscript
    gs-gpl

libidn:
    monotone

liblua:
    monotone

libbotan:
    monotone

NetXX:
    monotone

libgc:
    mono

lzma:
    p7zip

lzo:
    grub2

pax code:
    tar
    cpio

t1lib:
    tetex-bin (links to system t1lib since 2.0.2)
    texlive-bin (links to system t1lib)