/[secure-testing]/data/embedded-code-copies

Diff of /data/embedded-code-copies

revision 2964 by jmm-guest, Wed Dec 7 09:27:17 2005 UTC revision 10098 by stef-guest, Wed Oct 15 19:57:32 2008 UTC
# Line 1  Line 1 
1  This file collects cases, where a source package embeds code from  Embedded code copies
2  other projects, without linking dynamically:  ====================
3    
4  xpdf code: (some use xpdf 2, some xpdf 3)  This file collects source packages that embed code from other projects.
5  gpdf  This is considered bad for fixing security flaws because the fix needs
6  pdftohtml  to be applied in multiple source packages.
7  kdegraphics/kpdf  
8  tetex-bin  Format:
9  cupsys (only older releases, recent ones use xpdf-utils, it's still present in the src, though)  <srcpkg> (<optional comment about srcpkg>)
10  poppler          - <embedding srcpkg> <status> (<sort>; bug #<number>)
11  koffice          NOTE: optional comments about the linkage of the embedding srcpkg
12  libextractor  
13    status: version number fixing the embedded copy, <unfixed>, <removed>,
14            <itp> or <unknown> if the version number can not be determined
15            <unfixable> for unavoidable cases (e.g., forks that add real value)
16    sort: static (linking statically against a lib)
17          embed (embedding a copy of the library into another source package)
18          fork (the package is not just embedding code but it is a fork and
19                thus might share parts of the source code)
20          old-version (the package is an older version of essentially
21                       the same code)
22    
23    The srcpkg might be some string to identify the code if there is no
24    specific source package.
25    
26    Everything up to the next line is ignored.
27    ---BEGIN
28    xpdf (some srcpkgs use xpdf2 code, some xpdf3 code)
29            NOTE: Fixed packages link to poppler library unless otherwise noted
30            - gpdf <removed>
31            [sarge] - gpdf <unfixed>
32            NOTE: has been replaced by evince in etch
33            - pdftohtml <unknown>
34            [sarge] - pdftohtml <unfixed>
35            [etch] - pdftohtml <unfixed>
36            NOTE: has been replaced by poppler-utils
37            - kdegraphics <unfixed> (embed; bug #436164)
38            NOTE: the kpdf replacement in KDE 4 is using poppler
39            - texlive-base 3.0-12 (embed)
40            - texlive-bin 2007-1 (embed)
41            NOTE: links to poppler
42            - koffice <unfixed> (embed; bug #436163)
43            - libextractor 0.5.12-1 (embed)
44            NOTE: libextractor is using its own pdf decoder now
45            - libextractor 0.5.12-1 (embed)
46            - pdfkit.framework 0.8-4 (embed)
47            - ipe <unfixed> (embed)
48            NOTE: embeds small parts with renamed source files: ipestdfonts.cpp, ipefonts.cpp, ipedct.cpp
49            - ruby-gnome2 <unknown> (embed)
50            NOTE: copy only present in source but links to poppler
51    
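Review bot: The xpdf stanza lists "- libextractor 0.5.12-1 (embed)" twice (lines 43 and 45 of the new revision), with the NOTE about libextractor using its own pdf decoder between the two copies. Drop the second copy so the NOTE belongs to one entry and a tool reading this file does not record the package twice. In the same stanza "- gpdf <removed>" and "- pdftohtml <unknown>" carry no sort, while the Format header shows "(<sort>; bug #<number>)" after the status without saying it may be omitted; either add the sort or document it as optional.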
52    ppmd
53            - libcomplearn-mod-ppmd <unfixed> (embed; bug #458152)
54    
55    peercast
56            - gnome-peercast <unfixed> (embed)
57            NOTE: gnome-peercast may better be removed, see #466539
58    
59    silc-toolkit
60            - silc-client 1.1~beta6-1 (embed)
61    
62    dietlibc
63            - ccontrol 0.9.1+20071204-1 (static)
64    
65    libiax
66            - iaxmodem <unfixed> (embed)
67    
68    zlib (lots of apps embed a copy, but link dynamically, but there are a few exceptions)
69            - dpkg <unfixed> (embed)
70            NOTE: see 18196.48620.491996.624772@davenant.relativity.greenend.org.uk on debian-devel for discussion
71            - rsync <unfixed> (embed)
72            NOTE: somehow derived code base
73            - mono <unfixed> (embed)
74            TODO: check mozilla
75            - Linux kernels <unfixed> (embed)
76            - pvpgn 1.7.8-2 (embed)
77            - mrtg 2.12.2-1 (embed)
78            - rpm <unknown> (embed)
79            NOTE: pinged anibal since when rpm was fixed
80    
81    libbz2
82            - dpkg <unfixed> (static)
83    
84    ekg
85            - centericq <unfixed> (embed)
86            - gaim <unfixed> (embed)
87            - pigdin <unfixed> (embed)(links dynamically against libgadu)
88            - kopete 4:3.3.2-5 (embed)
89            - kadu <unfixed> (embed)
90            - gadu <unfixed> (embed)
91            NOTE: g/kadu not packaged in Debian yet
92    
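Review bot: The ekg entry on line 87 of the new revision, "- pigdin <unfixed> (embed)(links dynamically against libgadu)", does not match the declared format: it has two parenthesised groups, and the second is free text that the header assigns to a "NOTE:" line. The entry is also marked <unfixed> while stating that it links dynamically, so the intended status needs to be made explicit. "pigdin" looks like a misspelling of the package name; please check it, since anything matching on source package names would skip this line.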
93    xmlrpc (which package is the "origin" of this code?)
94            - drupal <unfixed> (embed)
95            - phpgroupware <unfixed> (embed)
96            - egroupware <unfixed> (embed)
97            - phpwiki (embed)
98            - php4 <unfixed> (embed)
99            TODO: check, php-pear, IIRC this was reorganized some weeks ago?
100    
101    shtool (affects build-time only)
102            - mysql-ocaml <unfixed> (embed)
103            - php4 <unfixed> (embed)
104    
105    mozilla source code
106            - mozilla-firefox <unfixed> (embed)
107            - mozilla-thunderbird
108            - firefox <removed>
109            [etch] - firefox <unfixed> (embed)
110            - thunderbird <removed>
111            [etch] - thunderbird <unfixed> (embed)
112            - iceweasel <unfixed> (embed)
113            - iceape <unfixed> (embed)
114            - icedove <unfixed> (embed)
115            - xulrunner <unfixed> (embed)
116            - nvu <removed> (embed)
117    
118    xli
119            - xloadimage <unfixed> (embed)
120    
121    lesstif (beware: two different lesstif APIs supported in one package, MOTIF 1.2 discarded upstream)
122            - openmotif <unfixed> (embed)
123            - xfree86/xorg <unfixed> (embed)
124            NOTE: in libxpm
125    
126    kerberized apps with BSD origin
127            - krb4 <unfixed> (embed)
128            - krb5 <unfixed> (embed)
129            - heimdal <unfixed> (embed)
130    
131    grip (which pkg is the origin?)
132            - libcdaudio
133            - grip
134            - gnome-vfs
135            TODO: check vfs2 as well
136    
137    fudforum
138            - phpgroupware-fudforum <unfixed> (embed)
139            - egroupware-fudforum <removed>
140            [sarge] - egroupware-fudforum <unfixed> (embed)
141    
142    cvs
143            - gcvs <unfixed> (embed)
144            NOTE: see cvsunix/src in tarball
145    
146    pcre
147            - python* <unfixed> (embed)
148            - php4 <unknown> (embed)
149            - analog 2:5.23-0woody1 (embed)
150            - libgoffice-1 <unfixed> (embed)
151            - vfu 4.06-4.1 (embed; bug #450754)
152            - tf5 5.0beta7-1 (embed)
153            - monotone <unfixed> (embed)
154            NOTE: this only affects versions >= 0.37
155            - glib2.0 2.15.2-1 (embed)
156            - apache2 2.0.53-4 (embed)
157            - exim4 4.10-0.srh20.12 (embed)
158            - yacas <unfixed> (embed)
159            NOTE: <= 1.0.x; is using pcre to scan text, can execute shell commands via the syntax anyway
160            - gtamsanalyzer.app 0.42-5 (embed)
161            - tin <unknown> (embed)
162            - kazehakase 0.5.2-1
163            - webkit <unfixed> (embed)
164            - qt4-x11 <unfixed> (embed)
165            NOTE: embedded via webkit copy
166    
167    tiff
168            - wxwindows2.4 2.2.1 (embed)
169    
170    uudeview
171            - libconvert-uulib-perl <unfixed> (embed)
172            - pan <unfixed> (embed)
173    
174    sqlite (not affected by security vulnerabilities so far)
175            - amarok <unfixed> (embed)
176            - monotone <unfixed> (embed)
177            - iceweasel <unfixed> (embed)
178    
179    util-linux/mount
180            - loop-aes-utils <unfixed> (embed)
181            NOTE: contains code from util-linux' mount in the mount-aes-udeb
182    
183    webmin
184            - usermin <unknown> (embed)
185            [sarge] - usermin <unfixed> (embed)
186    
187    sylpheed
188            - sylpheed-claws <unfixed> (fork)
189    
190    phpsysinfo
191            - egroupware <unfixed> (embed)
192            - phpgroupware <unfixed> (embed)
193    
194    phpldapadmin
195            [sarge] - egroupware <unfixed> (embed)
196            NOTE: removed from egroupware after sarge
197    
198    chmlib
199            - kchmviewer <unknown> (embed)
200    
201    libavcodec/libavformat (source: ffmpeg)
202            - mplayer 1.0~rc2-14 (embed; bug #395252)
203            - kino 1.0.0-1
204            - vlc <not-affected> (Links dynamically since initial release)
205            - smilutils 0.3.0-10
206            NOTE: smilutils likely fixed earlier, marking Etch's version as fixed
207            - motion 3.1.19-1
208            - gstreamer0.10-ffmpeg 0.10.3-2
209            - xmovie <unfixed>
210            TODO: gimp-gap (potentially using ffmpeg code as well)
211    
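Review bot: "- vlc <not-affected> (Links dynamically since initial release)" on line 204 of the new revision uses a status the Format header does not define (it lists a version number, <unfixed>, <removed>, <itp>, <unknown> and <unfixable>) and puts a remark where the sort is expected. Either add <not-affected> to the documented statuses or move the remark to a "NOTE:" line. The kino, smilutils, motion, gstreamer0.10-ffmpeg and xmovie entries in this stanza give no sort, so the file does not say whether they embed the code or link it statically.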
212    mad MPEG decoding lib
213            - mad <unfixed> (embed)
214            - xine-lib <unfixed> (embed)
215    
 zlib code: (separate between 1.2 and 1.1)  
 dpkg  
 rsync  
 mozilla-firefox  
 mozilla(?)  
 Linux kernels  
 pvpgn (links dynamically since 1.7.8-2)  
   
   
 libgadu/ekg:  
 centericq  
 gaim  
 kopete (ships the code, but links dynamically in the Debian package)  
 kadu (not packaged in Debian)  
 GNU gadu (not packaged in Debian)  
   
   
 xmlrpc: (which package is the "origin" of this code?)  
 drupal  
 phpgroupware  
 egroupware  
 phpwiki  
 php4 (php-pear, IIRC this was reorganized some weeks ago?)  
 tikiwiki (not packaged in Debian)  
   
   
 shtool: (affects build-time only)  
 mysql-ocaml  
 php4  
   
   
 mozilla:  
 mozilla-firefox  
 mozilla-thunderbird  
 nvu  
   
   
 xli:  
 xloadimage  
   
   
 lesstif: (beware: two different lesstif APIs supported in one package, 1.2 discarded upstream)  
 openmotif  
 xfree86/xorg (in libxpm, still the case with x.org?  
   
   
 kerberized apps with BSD origin:  
 krb4  
 krb5  
 heimdal  
   
   
 grip: (which pkg is the origin?)  
 libcdaudio  
 grip  
 gnome-vfs (vfs2 as well?)  
   
   
 fudforum:  
 phpgroupware-fudforum  
 egroupware-fudforum  
   
 cvs:  
 gcvs (at least an additional script is included, check if there's more)  
   
 pcre:  
 python  
 php4 (src included, but Debian package links dynamically)  
 analog (src included, but Debian package links dynamically)  
 libgoffice-1  
 tf5 (since 5.0beta7 the Debian package links dynamically)  
   
 tiff:  
 wxpythongtk (check, which debian pkg this is in)  
 older kdegraphics/kpdf releases < 3.3 embedded a copy  
   
 uudeview:  
 libconvert-uulib-perl  
   
 sqlite: (not affected by security vulnerabilities so far)  
 amarok  
   
 uudeview:  
 libconvert-uulib-perl  
   
 util-linux/mount:  
 loop-aes-utils contains code from util-linux' mount in the mount-aes-udeb  
   
 webmin:  
 usermin (they share at least a miniserv.pl mini web server)  
   
 sylpheed:  
 sylpheed-claws  
   
 phpsysinfo:  
 egroupware  
 phpgroupware  
   
 phpldapadmin:  
 egroupware  
   
 chmlib:  
 kchmviewer (not packaged in Debian)  
   
 libavcodec/libavformat:  
 ffmpeg  
 xine-lib  
   
 mad MPEG decoding lib:  
 mad  
 xine-lib  
   
 libdts:  
216  libdts  libdts
217  xine-lib          - xine-lib <unfixed> (embed)
218    
 flac:  
219  flac  flac
220  xine-lib          - xine-lib <unfixed> (embed)
221    
222  liba52:  liba52
223  a52dec          - a52dec <unfixed> (embed)
224  xine-lib          - xine-lib <unfixed> (embed)
225    
226    libmpeg2
227            - mpeg2dec <unfixed> (embed)
228            - xine-lib <unfixed> (embed)
229    
230    curl
231            - wget <unfixed> (embed)
232            NOTE: code for NTLM authentication
233    
234    uw-imap
235            - pine <unfixed> (embed)
236            - alpine <unfixed> (embed)
237    
238    imagemagick
239            - graphicsmagick <unfixed> (fork)
240    
241    halibut
242            - nsis <unfixed> (embed)
243    
244    libghttp
245            - hotway <unfixed> (embed)
246    
247    libsndfile
248            - ardour <unfixed> (embed)
249    
250    glibmm2.4
251            - ardour <unfixed> (embed)
252    
253    libgnomecanvasmm2.6
254            - ardour <unfixed> (embed)
255    
256    libsigc++-2.0
257            - ardour <unfixed> (embed)
258    
259    soundtouch
260            - ardour <unfixed> (embed)
261    
262    libmms
263            - xine-lib <unfixed> (embed)
264            - mimms <unfixed> (embed)
265    
266    fckeditor
267            - knowledgeroot 0.9.8.5-3 (embed; bug #461555)
268            - moin <unfixed> (embed; bug #452599)
269            - karrigell <removed> (embed; bug #452598)
270            - gforge-plugins-extra 4.6.99+svn6225-1 (embed)
271    
272    ipatlas (not packaged in Debian)
273            - moodle <unfixed> (embed)
274    
275    libphp-phpmailer
276            - moodle <unfixed> (embed)
277    
278    htmlArea (not packaged in Debian)
279            - moodle <unfixed> (embed)
280    
281    giflib:
282            - wine <unfixed> (embed; bug #466181)
283    
284    bennu (not packaged in Debian)
285            - moodle <unfixed> (embed)
286    
287    smarty:
288            - moodle <unfixed> (embed; bug #471158)
289            - gallery2 2.2.5-2 (embed; bug #471160)
290            - mahara 0.9.2-2 (embed; bug #471201)
291            - gosa 2.4beta1-1 (embed; bug #471200)
292    
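Review bot: The stanza headings "giflib:" (line 281) and "smarty:" (line 287) keep the trailing colon of the old list layout, while the Format header defines the heading as a bare "<srcpkg>" and the neighbouring headings (bennu, TinyMCE, scintilla) have none. Remove the colons so that a parser keyed on the source package name sees "giflib" and "smarty" rather than names ending in ":".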
293    TinyMCE
294            - wordpress 2.5.1-3 (embed; bug #478257)
295            - moodle <unfixed> (embed)
296            - knowledgeroot <unfixed> (embed)
297            - joomla <itp> (bug #326398)
298    
299    scintilla
300            - scite <unfixed> (embed)
301            - qscintilla <unfixed> (embed)
302            - qscintilla2 <unfixed> (embed)
303            - geany <unfixed> (embed)
304    
305    libphp-adodb
306            - moodle <unfixed> (embed)
307            NOTE: also AdoDB-XML Schema
308            - gallery2 <unfixed> (embed)
309            - phppgadmin <unfixed> (embed)
310            - egroupware <unfixed> (embed)
311            - phpwiki <unfixed> (embed)
312            - ipplan <unfixed> (embed)
313            - typo3 <unfixed> (embed)
314            - moodle <unfixed> (embed)
315            - cacti <unknown> (embed)
316            [sarge] - cacti <unfixed> (embed)
317            NOTE: dependency exists, but internal version is used
318    
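Review bot: moodle appears twice under libphp-adodb (lines 306 and 314 of the new revision), both as "- moodle <unfixed> (embed)". Keep one entry, with the "NOTE: also AdoDB-XML Schema" line attached to it. The final NOTE on line 317 ("dependency exists, but internal version is used") follows the two cacti lines; if it is meant for cacti only, that is fine, otherwise say which package it refers to.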
319    gzip
320            - linux-kernel <unfixed> (embed)
321            NOTE: lib/inflate.c
322            - klibc <unfixed> (embed)
323            NOTE: based on linux-kernel gzip code
324            - busybox <unfixed> (embed)
325    
326    neon
327            - cadaver <unfixed> (embed; bug #188381)
328            - gnome-vfs2 <unfixed> (embed; bug #395874)
329            - litmus <unfixed> (embed; #395875)
330            [sarge] - screem <unfixed> (embed)
331            - sitecopy <unfixed> (embed; bug #395876)
332            [etch] - tla <unfixed> (embed; bug #395877)
333            [sarge] - tla <unfixed> (embed; bug #395877)
334    
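Review bot: "- litmus <unfixed> (embed; #395875)" on line 329 of the new revision omits the "bug" keyword that the Format header requires ("bug #<number>") and that the other neon entries use. Write it as "(embed; bug #395875)" so the bug reference is picked up the same way as for cadaver, gnome-vfs2 and sitecopy.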
335    libmodplug
336            - gst-plugins-bad0.10 <unfixed> (embed)
337    
338    libvncserver
339            - vino <unfixed> (embed)
340    
341    putty
342            - filezilla <unfixed> (embed)
343    
344    tinyxml (not packaged in Debian)
345            - filezilla <unfixed>
346    
347    gv
348            - evince <unfixed> (embed)
349            NOTE: ps/ tree from gv 3.5.8
350            - evince-gtk <unfixed> (embed)
351            NOTE: not packaged in Debian
352    
353    libXbae
354            [etch] - libpawlib2-lesstif <unfixed> (embed)
355            NOTE: from Cernlib
356    
357    libXaw
358            [etch] - libpawlib2-lesstif
359            NOTE: from Cernlib
360            NOTE: I plan to deal with the above two cases after Etch release. -- KevinMcCarty
361    
362    libgd2
363            - graphviz <unfixed> (embed)
364            NOTE: lib/gd seems to be 2.0.33
365            - wml <unfixed> (embed)
366            NOTE: derived from gd 1.6.3
367    
368    rar
369            - unrar-nonfree <unfixed> (embed)
370    
371    unrar-free (maybe this code is derived from the original rar, too?)
372            - clamav <unfixed> (embed)
373            NOTE: seems to be disabled in default config
374    
375    mplayer (DirectMedia Object loader)
376            - xine-lib <unfixed> (embed)
377            NOTE: src/libw32dll/
378            - vlc <unfixed> (embed)
379            NOTE: modules/codec/dmo/
380    
381    libwpd (WordPerfect converter)
382            - openoffice.org <unfixed> (embed)
383    
384    fsplib (http://sourceforge.net/projects/fsp/)
385            - gftp <unfixed> (embed)
386            NOTE: lib/fsplib version 0.3
387    
388    sprng
389            - tree-puzzle <unfixed> (embed)
390    
391    librpcsecgss
392            - krb5 <unfixed> (embed)
393    
394    jasper
395            - ghostscript <unfixed> (embed)
396            - gs-gpl <unfixed> (embed)
397    
398    libidn
399            - monotone <unfixed> (embed)
400    
401    liblua
402            - monotone <unfixed> (embed)
403    
404    libbotan
405            - montone <unfixed> (embed)
406    
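Review bot: "- montone <unfixed> (embed)" under libbotan (line 405 of the new revision) is spelled differently from the "monotone" entries under libidn, liblua and NetXX in the stanzas around it. Correct the name, otherwise a lookup of all embedded copies in monotone will miss the libbotan one.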
407    NetXX
408            - monotone <unfixed> (embed)
409    
410    libgc
411            - mono <unfixed> (embed)
412    
413    lzma
414            - p7zip <unfixed> (embed)
415    
416    lzo
417            - grub2 <unfixed> (embed)
418    
419    yassl
420            - mysql-dfsg-5.0 <unfixed> (embed)
421    
422    pax code
423            - tar <unfixed> (embed)
424            - cpio <unfixed> (embed)
425    
426    t1lib
427            - tetex-bin 2.0.2-1 (embed)
428            - texlive-bin <unknown> (embed)
429    
430    guichan
431            - boswars <unfixed> (embed)
432            NOTE: maintainer notified us, working on it
433    
434    tolua
435            - boswars <unfixed> (embed)
436            NOTE: maintainer notified us, working on it
437    
438    asio-dev
439            - luxrender <unfixed> (embed)
440            NOTE: maintainer notified us, working on it
441            NOTE: may be merged with boost "soon"
442    
 libmpeg2:  
 mpeg2dec  
443  xine-lib  xine-lib
444            - vlc <unfixed> (embed)
445            NOTE: only parts included in modules/access/rtsp
446    
447    netpbm
448            - tcl8.3 <unfixed> (embed)
449            - tcl8.4 <unfixed> (embed)
450            - tcl8.5 <unfixed> (embed)
451            NOTE: generic/tkImgGIF.c
452    
453    tk8.5
454            - tk8.0 <removed> (old-version)
455            - tk8.3 <unfixed> (old-version)
456            - tk8.4 <unfixed> (old-version)
457            - perl-tk <unfixable> (fork)
458    
459    samba
460            - mc <unfixed> (embed)
461            NOTE: maintainer is aware of this, currently searching a solution
462    
463    plib1.8.4c2
464            - boson <unfixed> (fork)
465            NOTE: embedding the font pieces of plib, based on the header file it is forked, contains "Added by AB for boson." and similar
466    
467    fribidi
468            - quesoglc <unfixed> (embed)
469    
470    glew
471            - quesoglc <unfixed> (embed)
472    
473    minorGems
474            - transcend <unfixed> (embed)
475            - cultivation <unfixed> (embed)
476    
477    tar
478            - libarchive <unfixed> (embed)
479            NOTE: FreeBSD tar (tar/bsdtar.c) in libarchive 1.2 and higher. libarchive ends up statically linked into bsdtar executable
480    
481    cpio
482            - libarchive <unfixed> (embed)
483            NOTE: cpio included in libarchive 2.2 and higher, but not compiled until libarchive 2.4.11-1 (as bsdcpio package)
484    
485    webkit
486            - qt4-x11 <unfixed> (embed)
487    
488    ftgl
489            - blender 2.46+dfsg-1 (embed)
490    
491    wv
492            - abiword <unfixed>
493    
494    qemu
495            - kvm <unfixed> (embed)
496            - xen-3 <unfixed> (embed)
497            - xen-unstable <unfixed> (embed)
498    
499    bochs
500            - kvm <unfixed> (embed; bug #489442)
501    
502    speex
503            - vorbis-tools <unfixed> (embed)
504            NOTE: while comiled against libspeex-dev, ogg123/speex_format.c is compiled with embedded code copied from speexdec.c
505            - gst-plugins-good0.10 <unfixed> (embed)
506            - xine-lib <unfixed> (embed)
507            - libfishsound <unfixed> (embed)
508            - libannodex <unfixed> (embed)
509            - vlc <unfixed> (embed)
510            - xmms-speex <unfixed> (embed)
511            - libsdl-sound1.2 <unfixed> (embed)
512            - sweep <unfixed> (embed)
513    
514    libreadline
515            - magic <unfixed> (old-version)
516            NOTE: magic is currently an RFS
517    
518    opcode
519            - ode <unfixed> (embed)
520            NOTE: opcode is not a package in debian, it is just embedded
521            NOTE: http://www.codercorner.com/Opcode.htm
522    
523    gimpact
524            - ode <unfixed> (embed)
525            NOTE: gimpact is not a package in debian, it is just embedded
526            NOTE: http://gimpact.sf.net
527    
528    MochiKit.js
529            - mahara <unfixed> (embed)
530            - ntop <unfixed> (embed)
531            - python-oherence <unfixed> (embed)
532            - python-paste <unfixed> (embed)
533            - python-turbogears <unfixed> (embed)
534            - zope-plone3 <unfixed> (embed)
535    
536    prototype.js
537            - netbeans-ide <unfixed> (embed)
538            - auth2db-frontend <unfixed> (embed)
539            - citadel-webcit <unfixed> (embed)
540            - asterisk <unfixed> (embed)
541            - doc-iana <unfixed> (embed)
542            - libaws-doc <unfixed> (embed)
543            - libgettext-ruby-data <unfixed> (embed)
544            - libjson-ruby-doc <unfixed> (embed)
545            - liblucene2-java-doc <unfixed> (embed)
546            - libopenid-ruby <unfixed> (embed)
547            - solr-common <unfixed> (embed)
548            - glpi <unfixed> (embed)
549            - hobbix <unfixed> (embed)
550            - mnemo2 <unfixed> (embed)
551            - nag2 <unfixed> (embed)
552            - libjs-prototype <unfixed> (embed)
553            - libjs-scriptaculous <unfixed> (embed)
554            - knowledgeroot <unfixed> (embed)
555            - mediatomb-common <unfixed> (embed)
556            - mt-daapd <unfixed> (embed)
557            - op-panel <unfixed> (embed)
558            - ebug-http <unfixed> (embed)
559            - phpgedview <removed> (embed)
560            - poker-web <unfixed> (embed)
561            - python-webhelpers <unfixed> (embed)
562            - qwik <unfixed> (embed)
563            - rails <unfixed> (embed)
564            - typo3-src-4.1 <unfixed> (embed)
565            - wordpress <unfixed> (embed)
566            - zope-plone3 <unfixed> (embed)
567            - smokeping <unfixed> (embed)
568    
569    gdb
570            - insight <unfixed> (embed)
571    
572    e2fsprogs
573            - ldiskfsprogs <unfixable> (fork)
574    
575    quazip (not packaged in Debian)
576            - qcake <unfixed> (embed)
577            NOTE: starting with upstream version 0.6.4
578    
579    exo
580            - pcmanfm <unfixed> (embed; bug #499677)
581            NOTE: slightly modified source code
582    
583    java
584            - openjdk-6 <unfixed>
585            - sun-java5 <unfixed>
586            - sun-java6 <unfixed>
