Contents of /data/embedded-code-copies

Revision 9012
Sat Jun 7 12:44:44 2008 UTC (4 years, 11 months ago) by nion
File size: 13999 byte(s)
pan embeds uudeview, however not affected by CVE-2008-2266
1 nion 7695 Embedded code copies
2     ====================
3    
4 thijs 8078 This file collects source packages that embed code from other projects.
5     This is considered bad for fixing security flaws because the fix needs
6     to be applied in multiple source packages.
7 jmm-guest 1586
8 nion 7695 Format:
9     <srcpkg> (<optional comment about srcpkg>)
10     - <embedding srcpkg> <status> (<sort>; bug #<number>)
11     NOTE: optional comments about the linkage of the embedding srcpkg
12    
13 thijs 8078 status: version number fixing the embedded copy, <unfixed>, <removed>,
14     <itp> or <unknown> if the version number can not be determined
15 fw 8142 <unfixable> for unavoidable cases (e.g., forks that add real value)
16 nion 7828 sort: static (linking statically against a lib)
17     embed (embedding a copy of the library into another source package)
18 thijs 8078 fork (the package is not just embedding code but it is a fork and
19     thus might share parts of the source code)
20 fw 8142 old-version (the package is an older version of essentially
21     the same code)
22 nion 7828
23 thijs 8078 The srcpkg might be some string to identify the code if there is no
24     specific source package.
25 jmm-guest 1586
26 thijs 8078 Everything up to the next line is ignored.
27 stef-guest 7923 ---BEGIN
28 nion 7696 xpdf (some srcpkgs use xpdf2 code, some xpdf3 code)
29 jmm-guest 7743 NOTE: Fixed packages link to poppler library unless otherwise noted
30 nion 7697 - gpdf <removed>
31     [sarge] - gpdf <unfixed>
32     NOTE: has been replaced by evince in etch
33     - pdftohtml <unknown>
34     [sarge] - pdftohtml <unfixed>
35     [etch] - pdftohtml <unfixed>
36     NOTE: has been replaced by poppler-utils
37 nion 7739 - kdegraphics <unfixed> (embed; bug #436164)
38 nion 7696 NOTE: the kpdf replacement in KDE 4 is using poppler
39 nion 8760 - texlive-base 3.0-12 (embed)
40 jmm-guest 7743 - texlive-bin 2007-1 (embed)
41 nion 7696 NOTE: links to poppler
42 nion 7739 - koffice <unfixed> (embed; bug #436163)
43     - libextractor 0.5.12-1 (embed)
44 jmm-guest 7743 NOTE: libextractor is using its own pdf decoder now
45 nion 7739 - libextractor 0.5.12-1 (embed)
46     - pdfkit.framework 0.8-4 (embed)
47     - ipe <unfixed> (embed)
48 nion 7696 NOTE: embeds small parts with renamed source files: ipestdfonts.cpp, ipefonts.cpp, ipedct.cpp
49 nion 7739 - ruby-gnome2 <unknown> (embed)
50 nion 7696 NOTE: copy only present in source but links to poppler
51    
52 nion 7791 ppmd
53 nion 7755 - libcomplearn-mod-ppmd <unfixed> (embed; bug #458152)
54    
55 thijs 8189 peercast
56     - gnome-peercast <unfixed> (embed)
57     NOTE: gnome-peercast may better be removed, see #466539
58    
59 nion 7791 silc-toolkit
60 nion 7740 - silc-client 1.1~beta6-1 (embed)
61 nion 6965
62 nion 7791 dietlibc
63 nion 7740 - ccontrol 0.9.1+20071204-1 (static)
64 nion 6967
65 nion 7791 libiax
66 nion 7740 - iaxmodem <unfixed> (embed)
67 nion 6969
68 nion 7787 zlib (lots of apps embed a copy, but link dynamically, but there are a few exceptions)
69     - dpkg <unfixed> (embed)
70     NOTE: see 18196.48620.491996.624772@davenant.relativity.greenend.org.uk on debian-devel for discussion
71     - rsync <unfixed> (embed)
72     NOTE: somehow derived code base
73     - mono <unfixed> (embed)
74     TODO: check mozilla
75     - Linux kernels <unfixed> (embed)
76     - pvpgn 1.7.8-2 (embed)
77     - mrtg 2.12.2-1 (embed)
78     - rpm <unknown> (embed)
79 nion 7841 NOTE: pinged anibal since when rpm was fixed
80 jmm-guest 1586
81 nion 7788 libbz2
82     - dpkg <unfixed> (static)
83 stef-guest 5320
84 nion 7788 ekg
85     - centericq <unfixed> (embed)
86     - gaim <unfixed> (embed)
87     - pidgin <unfixed> (embed)(links dynamically against libgadu)
88     - kopete 4:3.3.2-5 (embed)
89     - kadu <unfixed> (embed)
90     - gadu <unfixed> (embed)
91     NOTE: g/kadu not packaged in Debian yet
92 jmm-guest 1586
93 nion 7791 xmlrpc (which package is the "origin" of this code?)
94 nion 7788 - drupal <unfixed> (embed)
95     - phpgroupware <unfixed> (embed)
96     - egroupware <unfixed> (embed)
97     - phpwiki (embed)
98     - php4 <unfixed> (embed)
99     TODO: check, php-pear, IIRC this was reorganized some weeks ago?
100 jmm-guest 1586
101 nion 7791 shtool (affects build-time only)
102     - mysql-ocaml <unfixed> (embed)
103     - php4 <unfixed> (embed)
104 jmm-guest 1588
105 nion 7791 mozilla source code
106     - mozilla-firefox <unfixed> (embed)
107     - mozilla-thunderbird
108     - firefox <removed>
109     [etch] - firefox <unfixed> (embed)
110     - thunderbird <removed>
111     [etch] - thunderbird <unfixed> (embed)
112     - iceweasel <unfixed> (embed)
113     - iceape <unfixed> (embed)
114     - icedove <unfixed> (embed)
115     - xulrunner <unfixed> (embed)
116     - nvu <removed> (embed)
117 jmm-guest 1588
118 nion 7791 xli
119     - xloadimage <unfixed> (embed)
120 jmm-guest 1588
121 nion 7827 lesstif (beware: two different lesstif APIs supported in one package, MOTIF 1.2 discarded upstream)
122     - openmotif <unfixed> (embed)
123     - xfree86/xorg <unfixed> (embed)
124     NOTE: in libxpm
125 jmm-guest 1588
126 nion 7827 kerberized apps with BSD origin
127     - krb4 <unfixed> (embed)
128     - krb5 <unfixed> (embed)
129     - heimdal <unfixed> (embed)
130 jmm-guest 1588
131 nion 7827 grip (which pkg is the origin?)
132     - libcdaudio
133     - grip
134     - gnome-vfs
135     TODO: check vfs2 as well
136 stef-guest 1608
137 nion 7827 fudforum
138     - phpgroupware-fudforum <unfixed> (embed)
139     - egroupware-fudforum <removed>
140     [sarge] - egroupware-fudforum <unfixed> (embed)
141 jmm-guest 1670
142 nion 7827 cvs
143     - gcvs <unfixed> (embed)
144     NOTE: see cvsunix/src in tarball
145 jmm-guest 1684
146 nion 7827 pcre
147     - python* <unfixed> (embed)
148     - php4 <unknown> (embed)
149     - analog 2:5.23-0woody1 (embed)
150     - libgoffice-1 <unfixed> (embed)
151     - vfu 4.06-4.1 (embed; bug #450754)
152     - tf5 5.0beta7-1 (embed)
153     - monotone <unfixed> (embed)
154     NOTE: this only affects versions >= 0.37
155     - glib <unfixed> (embed)
156     NOTE: 2.14 series for gregex support, only for udeb, regular package links dynamically
157     - apache2 2.0.53-4 (embed)
158     - exim4 4.10-0.srh20.12 (embed)
159     - yacas <unfixed> (embed)
160     NOTE: <= 1.0.x; is using pcre to scan text, can execute shell commands via the syntax anyway
161     - gtamsanalyzer.app 0.42-5 (embed)
162 nion 8392 - tin <unknown> (embed)
163 nion 8780 - kazehakase 0.5.2-1
164     - webkit <unfixed> (embed)
165     - qt4-x11 <unfixed> (embed)
166     NOTE: embedded via webkit copy
167 jmm-guest 1758
168 nion 7827 tiff
169 nion 8587 - wxwindows2.4 2.2.1 (embed)
170 joeyh 1802
171 nion 7827 uudeview
172     - libconvert-uulib-perl <unfixed> (embed)
173 nion 9012 - pan <unfixed> (embed)
174 jmm-guest 1824
175 nion 7827 sqlite (not affected by security vulnerabilities so far)
176     - amarok <unfixed> (embed)
177     - monotone <unfixed> (embed)
178     - iceweasel <unfixed> (embed)
179 jmm-guest 1828
180 nion 7827 util-linux/mount
181     - loop-aes-utils <unfixed> (embed)
182     NOTE: contains code from util-linux' mount in the mount-aes-udeb
183 jmm-guest 2104
184 nion 7827 webmin
185     - usermin <unknown> (embed)
186     [sarge] - usermin <unfixed> (embed)
187 jmm-guest 2714
188 nion 7827 sylpheed
189 nion 7828 - sylpheed-claws <unfixed> (fork)
190 jmm-guest 2751
191 nion 7827 phpsysinfo
192     - egroupware <unfixed> (embed)
193     - phpgroupware <unfixed> (embed)
194 jmm-guest 2800
195 nion 7830 phpldapadmin
196 stef-guest 7923 [sarge] - egroupware <unfixed> (embed)
197 nion 7830 NOTE: removed from egroupware after sarge
198 jmm-guest 2800
199 nion 7830 chmlib
200     - kchmviewer <unknown> (embed)
201 jmm-guest 2800
202 nion 7830 libavcodec/libavformat (source: ffmpeg)
203     - mplayer <unfixed> (embed; bug #395252)
204     - xvidcap <unfixed> (embed)
205     - kino <unfixed> (static)
206     - vlc <unfixed> (static)
207     - smilutils <unfixed> (static)
208     - motion <unfixed> (static)
209     - gst-ffmpeg <unfixed> (embed)
210     - gstreamer0.10-ffmpeg <unfixed> (embed)
211     - xmovie <unfixed>
212 nion 7841 TODO: gimp-gap (potentially using ffmpeg code as well)
213 jmm-guest 2948
214 nion 7830 mad MPEG decoding lib
215     - mad <unfixed> (embed)
216     - xine-lib <unfixed> (embed)
217 jmm-guest 2948
218     libdts
219 nion 7840 - xine-lib <unfixed> (embed)
220 jmm-guest 2948
221     flac
222 nion 7840 - xine-lib <unfixed> (embed)
223 jmm-guest 2948
224 nion 7840 liba52
225     - a52dec <unfixed> (embed)
226     - xine-lib <unfixed> (embed)
227 jmm-guest 2948
228 nion 7840 libmpeg2
229     - mpeg2dec <unfixed> (embed)
230     - xine-lib <unfixed> (embed)
231 jmm-guest 2948
232 nion 7840 curl
233     - wget <unfixed> (embed)
234     NOTE: code for NTLM authentication
235 jmm-guest 3093
236 nion 7840 uw-imap
237     - pine <unfixed> (embed)
238     - alpine <unfixed> (embed)
239 jmm-guest 3320
240 nion 7840 imagemagick
241     - graphicsmagick <unfixed> (fork)
242 jmm-guest 3402
243 nion 7840 halibut
244     - nsis <unfixed> (embed)
245 micah 3537
246 nion 7840 libghttp
247     - hotway <unfixed> (embed)
248 micah 3537
249 nion 7840 libsndfile
250     - ardour <unfixed> (embed)
251 micah 3537
252 nion 7840 glibmm2.4
253     - ardour <unfixed> (embed)
254 nion 6869
255 nion 7840 libgnomecanvasmm2.6
256     - ardour <unfixed> (embed)
257 nion 6869
258 nion 7840 libsigc++-2.0
259     - ardour <unfixed> (embed)
260 nion 6869
261 nion 7840 soundtouch
262     - ardour <unfixed> (embed)
263 nion 6869
264 nion 7840 libmms
265     - xine-lib <unfixed> (embed)
266     - mimms <unfixed> (embed)
267 nion 6869
268 nion 7840 fckeditor
269 nion 8085 - knowledgeroot 0.9.8.5-3 (embed; bug #461555)
270 nion 7840 - moin <unfixed> (embed; bug #452599)
271     - karrigell <unfixed> (embed; bug #452598)
272     - gforge-plugins-extra 4.6.99+svn6225-1 (embed)
273 stef-guest 4517
274 nion 7841 ipatlas (not packaged in Debian)
275     - moodle <unfixed> (embed)
276 jmm-guest 7383
277 nion 7841 libphp-phpmailer
278     - moodle <unfixed> (embed)
279 neilm 4838
280 nion 7841 htmlArea (not packaged in Debian)
281     - moodle <unfixed> (embed)
282    
283 nion 8175 giflib:
284     - wine <unfixed> (embed; bug #466181)
285    
286 nion 7841 bennu (not packaged in Debian)
287     - moodle <unfixed> (embed)
288    
289     smarty:
290 thijs 8342 - moodle <unfixed> (embed; bug #471158)
291     - gallery2 <unfixed> (embed; bug #471160)
292 nion 8361 - mahara 0.9.2-2 (embed; bug #471201)
293 thijs 8347 - gosa 2.4beta1-1 (embed; bug #471200)
294 nion 7841
295 nion 7840 TinyMCE
296 micah 8739 - wordpress <unfixed> (embed; bug #478257)
297 nion 7840 - moodle <unfixed> (embed)
298     - knowledgeroot <unfixed> (embed)
299     - joomla <itp> (bug #326398)
300 stef-guest 4517
301 nion 7840 scintilla
302     - scite <unfixed> (embed)
303     - qscintilla <unfixed> (embed)
304     - qscintilla2 <unfixed> (embed)
305     - geany <unfixed> (embed)
306 stef-guest 4706
307 nion 7840 libphp-adodb
308 stef-guest 7923 - moodle <unfixed> (embed)
309     NOTE: also AdoDB-XML Schema
310 nion 7840 - gallery2 <unfixed> (embed)
311     - phppgadmin <unfixed> (embed)
312     - egroupware <unfixed> (embed)
313     - phpwiki <unfixed> (embed)
314     - ipplan <unfixed> (embed)
315     - typo3 <unfixed> (embed)
316     - moodle <unfixed> (embed)
317     - cacti <unknown> (embed)
318     [sarge] - cacti <unfixed> (embed)
319     NOTE: dependency exists, but internal version is used
320 stef-guest 4706
321 nion 7840 gzip
322 nion 7841 - linux-kernel <unfixed> (embed)
323     NOTE: lib/inflate.c
324     - klibc <unfixed> (embed)
325     NOTE: based on linux-kernel gzip code
326     - busybox <unfixed> (embed)
327 micah 4767
328 nion 7841 neon
329     - cadaver <unfixed> (embed; bug #188381)
330     - gnome-vfs2 <unfixed> (embed; bug #395874)
331     - litmus <unfixed> (embed; bug #395875)
332     [sarge] - screem <unfixed> (embed)
333     - sitecopy <unfixed> (embed; bug #395876)
334 stef-guest 7923 [etch] - tla <unfixed> (embed; bug #395877)
335     [sarge] - tla <unfixed> (embed; bug #395877)
336 stef-guest 5319
337 nion 7841 libmodplug
338     - gst-plugins-bad0.10 <unfixed> (embed)
339 stef-guest 5320
340 nion 7841 libvncserver
341     - vino <unfixed> (embed)
342 stef-guest 5320
343 nion 7841 putty
344     - filezilla <unfixed> (embed)
345 stef-guest 5320
346 nion 7841 tinyxml (not packaged in Debian)
347     - filezilla <unfixed>
348 stef-guest 5320
349 nion 7841 gv
350     - evince <unfixed> (embed)
351     NOTE: ps/ tree from gv 3.5.8
352     - evince-gtk <unfixed> (embed)
353     NOTE: not packaged in Debian
354 stef-guest 5321
355 nion 7841 libXbae
356     [etch] - libpawlib2-lesstif <unfixed> (embed)
357     NOTE: from Cernlib
358 stef-guest 5321
359 nion 7841 libXaw
360 stef-guest 7924 [etch] - libpawlib2-lesstif
361 nion 7841 NOTE: from Cernlib
362     NOTE: I plan to deal with the above two cases after Etch release. -- KevinMcCarty
363 stef-guest 5321
364 nion 7841 libgd2
365     - graphviz <unfixed> (embed)
366     NOTE: lib/gd seems to be 2.0.33
367 nion 8098 - wml <unfixed> (embed)
368     NOTE: derived from gd 1.6.3
369 stef-guest 5321
370 nion 7841 rar
371     - unrar-nonfree <unfixed> (embed)
372 stef-guest 5440
373 nion 7841 unrar-free (maybe this code is derived from the original rar, too?)
374     - clamav <unfixed> (embed)
375     NOTE: seems to be disabled in default config
376 stef-guest 5440
377 nion 7841 mplayer (DirectMedia Object loader)
378     - xine-lib <unfixed> (embed)
379     NOTE: src/libw32dll/
380     - vlc <unfixed> (embed)
381     NOTE: modules/codec/dmo/
382 stef-guest 5440
383 nion 7841 libwpd (WordPerfect converter)
384     - openoffice.org <unfixed> (embed)
385 alec-guest 5564
386 nion 7841 fsplib (http://sourceforge.net/projects/fsp/)
387     - gftp <unfixed> (embed)
388     NOTE: lib/fsplib version 0.3
389 keescook-guest 6298
390 nion 7841 librpcsecgss
391     - krb5 <unfixed> (embed)
392 keescook-guest 6498
393 nion 7841 jasper
394     - ghostscript <unfixed> (embed)
395     - gs-gpl <unfixed> (embed)
396 stef-guest 6985
397 nion 7841 libidn
398     - monotone <unfixed> (embed)
399 keescook-guest 7007
400 nion 7841 liblua
401     - monotone <unfixed> (embed)
402 micah 7134
403 nion 7841 libbotan
404     - monotone <unfixed> (embed)
405 nion 7136
406 nion 7841 NetXX
407     - monotone <unfixed> (embed)
408 nion 7136
409 nion 7841 libgc
410     - mono <unfixed> (embed)
411 nion 7136
412 nion 7841 lzma
413     - p7zip <unfixed> (embed)
414 white 7203
415 nion 7841 lzo
416     - grub2 <unfixed> (embed)
417 jmm-guest 7212
418 nion 7927 yassl
419     - mysql-dfsg-5.0 <unfixed> (embed)
420    
421 nion 7841 pax code
422     - tar <unfixed> (embed)
423     - cpio <unfixed> (embed)
424 jmm-guest 7212
425 nion 7841 t1lib
426     - tetex-bin 2.0.2-1 (embed)
427     - texlive-bin <unknown> (embed)
428 thijs 7985
429     guichan
430     - boswars <unfixed> (embed)
431     NOTE: maintainer notified us, working on it
432    
433     tolua
434     - boswars <unfixed> (embed)
435     NOTE: maintainer notified us, working on it
436    
437     asio-dev
438     - luxrender <unfixed> (embed)
439     NOTE: maintainer notified us, working on it
440     NOTE: may be merged with boost "soon"
441    
442 nion 7995 xine-lib
443     - vlc <unfixed> (embed)
444     NOTE: only parts included in modules/access/rtsp
445 stef-guest 8075
446     netpbm
447     - tcl8.3 <unfixed> (embed)
448     - tcl8.4 <unfixed> (embed)
449     - tcl8.5 <unfixed> (embed)
450     NOTE: generic/tkImgGIF.c
451 fw 8143
452     tk8.5
453     - tk8.0 <removed> (old-version)
454     - tk8.3 <unfixed> (old-version)
455     - tk8.4 <unfixed> (old-version)
456     - perl-tk <unfixable> (fork)
457 nion 8280
458 nion 8281 samba
459 nion 8280 - mc <unfixed> (embed)
460     NOTE: maintainer is aware of this, currently searching a solution
461 micah 8337
462     plib1.8.4c2
463     - boson <unfixed> (fork)
464     NOTE: embedding the font pieces of plib, based on the header file it is forked, contains "Added by AB for boson." and similar
465 micah 8370
466     fribidi
467     - quesoglc <unfixed> (embed)
468    
469     glew
470     - quesoglc <unfixed> (embed)
471    
472     minorGems
473     - transcend <unfixed> (embed)
474     - cultivation <unfixed> (embed)
475 jamie-guest 8413
476 jamie-guest 8728 tar
477     - libarchive <unfixed> (embed)
478 jamie-guest 8438 NOTE: FreeBSD tar (tar/bsdtar.c) in libarchive 1.2 and higher. libarchive ends up statically linked into bsdtar executable
479 jamie-guest 8728
480     cpio
481     - libarchive <unfixed> (embed)
482 jamie-guest 8438 NOTE: cpio included in libarchive 2.2 and higher, but not compiled until libarchive 2.4.11-1 (as bsdcpio package)
483 jamie-guest 8413
484 nion 8523 webkit
485     - qt4-x11 <unfixed> (embed)
486 white 8694
487     ftgl
488 thijs 8905 - blender 2.46+dfsg-1 (embed)
489 thijs 8700
490     wv
491     - abiword <unfixed>
492    
493 jamie-guest 8728 qemu
494     - kvm <unfixed> (embed)
495    
496 jamie-guest 8729 speex
497     - vorbis-tools <unfixed> (embed)
498     NOTE: while compiled against libspeex-dev, ogg123/speex_format.c is compiled with embedded code copied from speexdec.c
499     - gst-plugins-good0.10 <unfixed> (embed)
500     - xine-lib <unfixed> (embed)
501     - libfishsound <unfixed> (embed)
502     - libannodex <unfixed> (embed)
503     - vlc <unfixed> (embed)
504     - xmms-speex <unfixed> (embed)
505     - libsdl-sound1.2 <unfixed> (embed)
506     - sweep <unfixed> (embed)
507    
508 micah 8740 libreadline
509     - magic <unfixed> (old-version)
510 micah 8739 NOTE: magic is currently an RFS
511    
512 micah 8740 opcode
513     - ode <unfixed> (embed)
514 micah 8739 NOTE: opcode is not a package in debian, it is just embedded
515     NOTE: http://www.codercorner.com/Opcode.htm
516 micah 8740
517     gimpact
518     - ode <unfixed> (embed)
519 micah 8739 NOTE: gimpact is not a package in debian, it is just embedded
520     NOTE: http://gimpact.sf.net
521 micah 8741
522     MochiKit.js
523     - mahara <unfixed> (embed)
524     - ntop <unfixed> (embed)
525     - python-coherence <unfixed> (embed)
526     - python-paste <unfixed> (embed)
527     - python-turbogears <unfixed> (embed)
528     - zope-plone3 <unfixed> (embed)
529    
530     prototype.js
531     - netbeans-ide <unfixed> (embed)
532     - auth2db-frontend <unfixed> (embed)
533     - citadel-webcit <unfixed> (embed)
534     - asterisk <unfixed> (embed)
535     - doc-iana <unfixed> (embed)
536     - libaws-doc <unfixed> (embed)
537     - libgettext-ruby-data <unfixed> (embed)
538     - libjson-ruby-doc <unfixed> (embed)
539     - liblucene2-java-doc <unfixed> (embed)
540     - libopenid-ruby <unfixed> (embed)
541     - solr-common <unfixed> (embed)
542     - glpi <unfixed> (embed)
543     - hobbix <unfixed> (embed)
544     - mnemo2 <unfixed> (embed)
545     - nag2 <unfixed> (embed)
546     - libjs-prototype <unfixed> (embed)
547     - libjs-scriptaculous <unfixed> (embed)
548     - knowledgeroot <unfixed> (embed)
549     - mediatomb-common <unfixed> (embed)
550     - mt-daapd <unfixed> (embed)
551     - op-panel <unfixed> (embed)
552     - ebug-http <unfixed> (embed)
553 thijs 8871 - phpgedview <removed> (embed)
554 micah 8741 - poker-web <unfixed> (embed)
555     - python-webhelpers <unfixed> (embed)
556     - qwik <unfixed> (embed)
557     - rails <unfixed> (embed)
558     - typo3-src-4.1 <unfixed> (embed)
559     - wordpress <unfixed> (embed)
560     - zope-plone3 <unfixed> (embed)
561     - smokeping <unfixed> (embed)
562    