
Contents of /data/embedded-code-copies



Revision 7830
Fri Jan 4 18:01:23 2008 UTC (5 years, 4 months ago) by nion
File size: 8014 byte(s)
further conversions
1 nion 7695 Embedded code copies
2     ====================
3    
4 jmm-guest 1586 This file collects cases where a source package embeds code from
5 nion 7695 other projects, which is considered bad for fixing security flaws
6     because the fix needs to be applied in multiple source packages.
7 jmm-guest 1586
8 nion 7695 Format:
9     <srcpkg> (<optional comment about srcpkg>)
10     - <embedding srcpkg> <status> (<sort>; bug #<number>)
11     NOTE: optional comments about the linkage of the embedding srcpkg
12    
13 nion 7697 status: version number fixing the embedded copy, <unfixed>, <removed> or <unknown> if the version number cannot be determined
14 nion 7828 sort: static (linking statically against a lib)
15     embed (embedding a copy of the library into another source package)
16     fork (the package is not just embedding code but it is a fork and thus might share parts of the source code)
17    
18 nion 7788 The srcpkg might be some string to identify the code if there is no specific source package.
19 jmm-guest 1586
20 nion 7696 xpdf (some srcpkgs use xpdf2 code, some xpdf3 code)
21 jmm-guest 7743 NOTE: Fixed packages link to poppler library unless otherwise noted
22 nion 7697 - gpdf <removed>
23     [sarge] - gpdf <unfixed>
24     NOTE: has been replaced by evince in etch
25     - pdftohtml <unknown>
26     [sarge] - pdftohtml <unfixed>
27     [etch] - pdftohtml <unfixed>
28     NOTE: has been replaced by poppler-utils
29 nion 7739 - kdegraphics <unfixed> (embed; bug #436164)
30 nion 7696 NOTE: the kpdf replacement in KDE 4 is using poppler
31 nion 7739 - tetex-bin 3.0-12 (embed)
32 jmm-guest 7743 - texlive-bin 2007-1 (embed)
33 nion 7696 NOTE: links to poppler
34 nion 7739 - koffice <unfixed> (embed; bug #436163)
35     - libextractor 0.5.12-1 (embed)
36 jmm-guest 7743 NOTE: libextractor is using its own pdf decoder now
37 nion 7739 - libextractor 0.5.12-1 (embed)
38     - pdfkit.framework 0.8-4 (embed)
39     - ipe <unfixed> (embed)
40 nion 7696 NOTE: embeds small parts with renamed source files: ipestdfonts.cpp, ipefonts.cpp, ipedct.cpp
41 nion 7739 - ruby-gnome2 <unknown> (embed)
42 nion 7696 NOTE: copy only present in source but links to poppler
43    
44 nion 7791 ppmd
45 nion 7755 - libcomplearn-mod-ppmd <unfixed> (embed; bug #458152)
46    
47 nion 7791 silc-toolkit
48 nion 7740 - silc-client 1.1~beta6-1 (embed)
49 nion 6965
50 nion 7791 dietlibc
51 nion 7740 - ccontrol 0.9.1+20071204-1 (static)
52 nion 6967
53 nion 7791 libiax
54 nion 7740 - iaxmodem <unfixed> (embed)
55 nion 6969
56 nion 7787 zlib (lots of apps embed a copy, but link dynamically, but there are a few exceptions)
57     - dpkg <unfixed> (embed)
58     NOTE: see 18196.48620.491996.624772@davenant.relativity.greenend.org.uk on debian-devel for discussion
59     - rsync <unfixed> (embed)
60     NOTE: somehow derived code base
61     - mono <unfixed> (embed)
62     TODO: check mozilla
63     - Linux kernels <unfixed> (embed)
64     - pvpgn 1.7.8-2 (embed)
65     - mrtg 2.12.2-1 (embed)
66     - rpm <unknown> (embed)
67 nion 7788 NOTE: pinged joeyh since when rpm was fixed
68 jmm-guest 1586
69 nion 7788 libbz2
70     - dpkg <unfixed> (static)
71 stef-guest 5320
72 nion 7788 ekg
73     - centericq <unfixed> (embed)
74     - gaim <unfixed> (embed)
75     - pidgin <unfixed> (embed) (links dynamically against libgadu)
76     - kopete 4:3.3.2-5 (embed)
77     - kadu <unfixed> (embed)
78     - gadu <unfixed> (embed)
79     NOTE: g/kadu not packaged in Debian yet
80 jmm-guest 1586
81 nion 7791 xmlrpc (which package is the "origin" of this code?)
82 nion 7788 - drupal <unfixed> (embed)
83     - phpgroupware <unfixed> (embed)
84     - egroupware <unfixed> (embed)
85     - phpwiki (embed)
86     - php4 <unfixed> (embed)
87     TODO: check, php-pear, IIRC this was reorganized some weeks ago?
88 jmm-guest 1586
89 nion 7791 shtool (affects build-time only)
90     - mysql-ocaml <unfixed> (embed)
91     - php4 <unfixed> (embed)
92 jmm-guest 1588
93 nion 7791 mozilla source code
94     - mozilla-firefox <unfixed> (embed)
95     - mozilla-thunderbird
96     - firefox <removed>
97     [etch] - firefox <unfixed> (embed)
98     - thunderbird <removed>
99     [etch] - thunderbird <unfixed> (embed)
100     - iceweasel <unfixed> (embed)
101     - iceape <unfixed> (embed)
102     - icedove <unfixed> (embed)
103     - xulrunner <unfixed> (embed)
104     - nvu <removed> (embed)
105 jmm-guest 1588
106 nion 7791 xli
107     - xloadimage <unfixed> (embed)
108 jmm-guest 1588
109 nion 7827 lesstif (beware: two different lesstif APIs supported in one package, MOTIF 1.2 discarded upstream)
110     - openmotif <unfixed> (embed)
111     - xfree86/xorg <unfixed> (embed)
112     NOTE: in libxpm
113 jmm-guest 1588
114 nion 7827 kerberized apps with BSD origin
115     - krb4 <unfixed> (embed)
116     - krb5 <unfixed> (embed)
117     - heimdal <unfixed> (embed)
118 jmm-guest 1588
119 nion 7827 grip (which pkg is the origin?)
120     - libcdaudio
121     - grip
122     - gnome-vfs
123     TODO: check vfs2 as well
124 stef-guest 1608
125 nion 7827 fudforum
126     - phpgroupware-fudforum <unfixed> (embed)
127     - egroupware-fudforum <removed>
128     [sarge] - egroupware-fudforum <unfixed> (embed)
129 jmm-guest 1670
130 nion 7827 cvs
131     - gcvs <unfixed> (embed)
132     NOTE: see cvsunix/src in tarball
133 jmm-guest 1684
134 nion 7827 pcre
135     - python* <unfixed> (embed)
136     - php4 <unknown> (embed)
137     - analog 2:5.23-0woody1 (embed)
138     - libgoffice-1 <unfixed> (embed)
139     - vfu 4.06-4.1 (embed; bug #450754)
140     - tf5 5.0beta7-1 (embed)
141     - monotone <unfixed> (embed)
142     NOTE: this only affects versions >= 0.37
143     - glib <unfixed> (embed)
144     NOTE: 2.14 series for gregex support, only for udeb, regular package links dynamically
145     - apache2 2.0.53-4 (embed)
146     - exim4 4.10-0.srh20.12 (embed)
147     - yacas <unfixed> (embed)
148     NOTE: <= 1.0.x; is using pcre to scan text, can execute shell commands via the syntax anyway
149     - gtamsanalyzer.app 0.42-5 (embed)
150 jmm-guest 1758
151 nion 7827 tiff
152     - wxpythongtk <unfixed> (embed)
153     TODO: check, which debian pkg this is in
154 joeyh 1802
155 nion 7827 uudeview
156     - libconvert-uulib-perl <unfixed> (embed)
157 jmm-guest 1824
158 nion 7827 sqlite (not affected by security vulnerabilities so far)
159     - amarok <unfixed> (embed)
160     - monotone <unfixed> (embed)
161     - iceweasel <unfixed> (embed)
162 jmm-guest 1828
163 nion 7827 util-linux/mount
164     - loop-aes-utils <unfixed> (embed)
165     NOTE: contains code from util-linux' mount in the mount-aes-udeb
166 jmm-guest 2104
167 nion 7827 webmin
168     - usermin <unknown> (embed)
169     [sarge] - usermin <unfixed> (embed)
170 jmm-guest 2714
171 nion 7827 sylpheed
172 nion 7828 - sylpheed-claws <unfixed> (fork)
173 jmm-guest 2751
174 nion 7827 phpsysinfo
175     - egroupware <unfixed> (embed)
176     - phpgroupware <unfixed> (embed)
177 jmm-guest 2800
178 nion 7830 phpldapadmin
179     - [sarge] egroupware <unfixed> (embed)
180     NOTE: removed from egroupware after sarge
181 jmm-guest 2800
182 nion 7830 chmlib
183     - kchmviewer <unknown> (embed)
184 jmm-guest 2800
185 nion 7830 libavcodec/libavformat (source: ffmpeg)
186     - mplayer <unfixed> (embed; bug #395252)
187     - xvidcap <unfixed> (embed)
188     - kino <unfixed> (static)
189     - vlc <unfixed> (static)
190     - smilutils <unfixed> (static)
191     - motion <unfixed> (static)
192     - gst-ffmpeg <unfixed> (embed)
193     - gstreamer0.10-ffmpeg <unfixed> (embed)
194     - xmovie <unfixed>
195 jmm-guest 2948
196 nion 7830 mad MPEG decoding lib
197     - mad <unfixed> (embed)
198     - xine-lib <unfixed> (embed)
199 jmm-guest 2948
200     libdts:
201     libdts
202     xine-lib
203    
204     flac:
205     flac
206     xine-lib
207    
208     liba52:
209     a52dec
210     xine-lib
211    
212     libmpeg2:
213     mpeg2dec
214     xine-lib
215    
216 jmm-guest 2965 curl:
217     wget (code for NTLM authentication)
218 jmm-guest 3093
219     TODO evaluate:
220 jmm-guest 3320 gimp-gap (potentially using ffmpeg code as well)
221    
222     uw-imap:
223     pine
224 stef-guest 6985 alpine
225 jmm-guest 3402
226     imagemagick:
227 micah 3537 graphicsmagick
228    
229     halibut:
230     nsis
231    
232     libghttp:
233     hotway
234    
235 nion 6869 libsndfile:
236     ardour
237    
238     glibmm2.4:
239     ardour
240    
241     libgnomecanvasmm2.6:
242     ardour
243    
244     libsigc++-2.0:
245     ardour
246    
247     soundtouch:
248     ardour
249    
250 stef-guest 4495 libmms:
251     xine-lib
252     mimms
253 stef-guest 4517
254 jmm-guest 7383 FCKeditor: (packaged as fckeditor)
255 stef-guest 4517 knowledgeroot
256 jmm-guest 7383 moin (452599)
257     karrigell (452598)
258 jmm-guest 7384 gforge-plugins-extra (fixed since 4.6.99+svn6225-1)
259 stef-guest 4517
260 jmm-guest 7383
261    
262 neilm 4838 Moodle contains lots of things:
263     AdoDB
264     AdoDB-XML Schema
265     ipatlas
266     PHPMailer
267     Smarty
268     htmlArea
269     TinyMCE
270     bennu
271    
272 stef-guest 4517 TinyMCE:
273     wordpress
274     moodle
275     knowledgeroot
276     joomla (ITP)
277    
278 micah 4767 scintilla:
279 micah 4561 scite
280     qscintilla
281 micah 7091 qscintilla2
282 micah 4561 geany
283 stef-guest 4706
284 micah 4767 libphp-adodb:
285 stef-guest 4706 gallery2
286     phppgadmin
287     egroupware
288     phpwiki
289 nion 7236 ipplan
290 nion 7226 typo3
291 stef-guest 4706 moodle
292 neilm 4835 cacti (dependency exists, but internal version is used -- only in sarge, fixed in etch)
293 stef-guest 4706
294 micah 4767 gzip:
295     linux-kernel (lib/inflate.c)
296     klibc (based on linux-kernel gzip code)
297 micah 4808 busybox
298 micah 4767
299 neilm 4891 neon:
300     cadaver (all, but being worked on: #188381)
301     gnome-vfs2 (#395874)
302     litmus (#395875)
303     screem (sarge only)
304     sitecopy (#395876)
305     tla (etch/sid only: #395877)
306 stef-guest 5319
307     libmodplug:
308     gst-plugins-bad0.10
309 stef-guest 5320
310     libvncserver:
311     vino
312    
313     putty:
314     filezilla
315    
316     tinyxml (not packaged in Debian):
317     filezilla
318    
319     gv:
320     evince (ps/ tree from gv 3.5.8)
321     evince-gtk (not packaged in Debian)
322 stef-guest 5321
323     libXbae:
324     libpawlib2-lesstif package (from Cernlib)
325    
326     libXaw:
327     libpawlib2-lesstif package (from Cernlib)
328    
329     (I plan to deal with the above two cases after Etch release. -- KevinMcCarty)
330    
331     libgd2:
332     graphviz (lib/gd seems to be 2.0.33)
333 stef-guest 5440
334     rar:
335     unrar-nonfree
336    
337     unrar-free: (maybe this code is derived from the original rar, too?)
338     clamav (seems to be disabled in default config)
339    
340 keescook-guest 5526 mplayer (DirectMedia Object loader):
341     xine-lib (src/libw32dll/)
342     vlc (modules/codec/dmo/)
343 alec-guest 5564
344     libwpd (WordPerfect converter):
345     openoffice.org
346 keescook-guest 6298
347     fsplib (http://sourceforge.net/projects/fsp/):
348     gftp (lib/fsplib version 0.3)
349 keescook-guest 6498
350     librpcsecgss:
351     krb5
352 stef-guest 6985
353 keescook-guest 7007 jasper:
354     ghostscript
355     gs-gpl
356    
357 nion 7136 libidn:
358     monotone
359 micah 7134
360 nion 7136 liblua:
361     monotone
362    
363     libbotan:
364     monotone
365    
366     NetXX:
367     monotone
368    
369 nion 7135 libgc:
370     mono
371 white 7203
372 jmm-guest 7212 lzma:
373     p7zip
374    
375     lzo:
376     grub2
377    
378 white 7203 pax code:
379     tar
380     cpio
381 jamie-guest 7487
382     t1lib:
383 jamie-guest 7503 tetex-bin (links to system t1lib since 2.0.2)
384     texlive-bin (links to system t1lib)
385 jamie-guest 7487
