
Diff of /data/embedded-code-copies


revision 3064 by jmm-guest, Thu Dec 15 23:01:23 2005 UTC revision 7700 by jmm-guest, Sun Dec 23 10:58:57 2007 UTC
# Line 1  Line 1 
1    Embedded code copies
2    ====================
3    
4  This file collects cases, where a source package embeds code from  This file collects cases, where a source package embeds code from
5  other projects, without linking dynamically:  other projects which is considered bad for fixing security flaws
6    because the fix needs to be applied in multiple source packages.
7    
8    Format:
9    <srcpkg> (<optional comment about srcpkg>)
10            - <embedding srcpkg> <status> (<sort>; bug #<number>)
11            NOTE: optional comments about the linkage of the embedding srcpkg
12    
13    status: version number fixing the embedded copy, <unfixed>, <removed> or <unknown> if the version number can not be determined
14    sort: static/dynamic
15    
16    xpdf (some srcpkgs use xpdf2 code, some xpdf3 code)
17            - gpdf <removed>
18            [sarge] - gpdf <unfixed>
19            NOTE: has been replaced by evince in etch
20            - pdftohtml <unknown>
21            [sarge] - pdftohtml <unfixed>
22            [etch] - pdftohtml <unfixed>
23            NOTE: has been replaced by poppler-utils
24            - kdegraphics <unfixed> (static; bug #436164)
25            NOTE: the kpdf replacement in KDE 4 is using poppler
26            - tetex-bin 3.0-12 (dynamic)
27            NOTE: links to poppler
28            - texlive-bin <unknown> (dynamic)
29            NOTE: links to poppler
30            - koffice <unfixed> (static; bug #436163)
31            - libextractor 0.5.12-1 (static)
32            NOTE: libextractor is using its own pdf decoder
33            - libextractor 0.5.12-1 (dynamic)
34            NOTE: links to poppler
35            - pdfkit.framework 0.8-4 (dynamic)
36            NOTE: links to poppler
37            - ipe <unfixed> (static)
38            NOTE: embeds small parts with renamed source files: ipestdfonts.cpp, ipefonts.cpp, ipedct.cpp
39            - ruby-gnome2 <unknown> (dynamic)
40            NOTE: copy only present in source but links to poppler
41    
42  xpdf code: (some use xpdf 2, some xpdf 3)  silc-toolkit:
43  gpdf  silc-client (uses libsilc and libsilcclient)
 pdftohtml  
 kdegraphics/kpdf  
 tetex-bin (the very latest tetex-bin started to use poppler)  
 cupsys (only older releases, recent ones use xpdf-utils, it's still present in the src, though)  
 poppler  
 koffice  
 libextractor  
44    
45    dietlibc:
46    ccontrol (linked statically until 0.9.1+20071204-1, affects Etch only)
47    
48    libiax:
49    iaxmodem
50    
51  zlib code: (lots of apps embed a copy, but link dynamically, but there are a few exceptions)  zlib code: (lots of apps embed a copy, but link dynamically, but there are a few exceptions)
52  dpkg  dpkg
53  rsync (somehow derived code base)  rsync (somehow derived code base)
54    mono
55  mozilla(?)  mozilla(?)
56  Linux kernels  Linux kernels
57  pvpgn (links dynamically since 1.7.8-2)  pvpgn (links dynamically since 1.7.8-2)
58    mrtg (links dynamically since 2.12.2-1)
59    rpm
60    
61    libbz2:
62    dpkg (statically linked)
63    
64  libgadu/ekg:  libgadu/ekg:
65  centericq  centericq
66  gaim  gaim
67    pigdin (links dynamically against libgadu)
68  kopete (ships the code, but links dynamically in the Debian package)  kopete (ships the code, but links dynamically in the Debian package)
69  kadu (not packaged in Debian)  kadu (not packaged in Debian)
70  GNU gadu (not yet packaged in Debian)  GNU gadu (not yet packaged in Debian)
71    
   
72  xmlrpc: (which package is the "origin" of this code?)  xmlrpc: (which package is the "origin" of this code?)
73  drupal  drupal
74  phpgroupware  phpgroupware
75  egroupware  egroupware
76  phpwiki  phpwiki
77  php4 (php-pear, IIRC this was reorganized some weeks ago?)  php4 (php-pear, IIRC this was reorganized some weeks ago?)
 tikiwiki (not packaged in Debian)  
   
78    
79  shtool: (affects build-time only)  shtool: (affects build-time only)
80  mysql-ocaml  mysql-ocaml
81  php4  php4
82    
   
83  mozilla:  mozilla:
84  mozilla-firefox  mozilla-firefox
85  mozilla-thunderbird  mozilla-thunderbird
86  nvu  firefox (to be removed)
87    thunderbird (to be removed)
88    iceweasel
89    iceape
90    icedove
91    xulrunner
92    nvu (no longer in Debian)
93    
94  xli:  xli:
95  xloadimage  xloadimage
96    
   
97  lesstif: (beware: two different lesstif APIs supported in one package, MOTIF 1.2 discarded upstream)  lesstif: (beware: two different lesstif APIs supported in one package, MOTIF 1.2 discarded upstream)
98  openmotif  openmotif
99  xfree86/xorg (in libxpm)  xfree86/xorg (in libxpm)
100    
   
101  kerberized apps with BSD origin:  kerberized apps with BSD origin:
102  krb4  krb4
103  krb5  krb5
104  heimdal  heimdal
105    
   
106  grip: (which pkg is the origin?)  grip: (which pkg is the origin?)
107  libcdaudio  libcdaudio
108  grip  grip
109  gnome-vfs (vfs2 as well?)  gnome-vfs (vfs2 as well?)
110    
   
111  fudforum:  fudforum:
112  phpgroupware-fudforum  phpgroupware-fudforum
113  egroupware-fudforum  egroupware-fudforum (removed from egroupware after sarge)
114    
115  cvs:  cvs:
116  gcvs (at least an additional script is included, check if there's more)  gcvs (at least an additional script is included, check if there's more)
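Review bot: the new Format block defines a per-entry syntax (`- <embedding srcpkg> <status> (<sort>; bug #<number>)`), but only the xpdf section in this hunk uses it; silc-toolkit, dietlibc, libiax, zlib, libbz2, libgadu/ekg, xmlrpc, shtool, mozilla, xli, lesstif and the remaining sections keep the old free-form `origin:` / `package (comment)` layout with no <status> or <sort>, so anyone reading the file by its documented format will misread most of it. Either convert those sections (for example `zlib:` followed by `        - dpkg <unfixed> (static)`) or state in the Format block that unconverted sections still follow the old layout. The `[sarge]` / `[etch]` release prefixes used under xpdf are likewise undocumented in Format and should be described there. Three smaller points: `pigdin` under libgadu/ekg is a typo for pidgin; libextractor appears twice under xpdf with the same version 0.5.12-1 as both `(static)` and `(dynamic)`, which should be merged into one line with a NOTE; and the old xpdf list's `cupsys` and `poppler` entries disappear from the new list without a `<removed>` line, so it is unclear whether they were resolved or simply lost in the rewrite.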
# Line 81  all pythons Line 120  all pythons
120  php4 (src included, but Debian package links dynamically)  php4 (src included, but Debian package links dynamically)
121  analog (src included, but Debian package links dynamically)  analog (src included, but Debian package links dynamically)
122  libgoffice-1  libgoffice-1
123    vfu (removed linking against embedded copy in 4.06-4.1; #450754)
124  tf5 (since 5.0beta7 the Debian package links dynamically)  tf5 (since 5.0beta7 the Debian package links dynamically)
125    monotone (including this starting from 0.37)
126    glib (2.14 series for gregex support, only for udeb, regular packag links dynamic)
127    apache2 (since 2.0.53-4 uses 040_link_external_pcre patch)
128    exim4 (since 4.10-0.srh20.12 uses 36_pcre patch to use external pcre)
129    yacas (<= 1.0.x; is using pcre to scan text, can execute shell commands via the syntax anyway)
130    gtamsanalyzer.app (links dynamically since 0.42-5)
131    
132  tiff:  tiff:
133  wxpythongtk (check, which debian pkg this is in)  wxpythongtk (check, which debian pkg this is in)
134  older kdegraphics/kpdf releases < 3.3 embedded a copy  older kdegraphics/kpdf releases < 3.3 embedded a copy
135    
   
136  uudeview:  uudeview:
137  libconvert-uulib-perl  libconvert-uulib-perl
138    
139  sqlite: (not affected by security vulnerabilities so far)  sqlite: (not affected by security vulnerabilities so far)
140  amarok  amarok
141    monotone
142    iceweasel
143    
144  util-linux/mount:  util-linux/mount:
145  loop-aes-utils contains code from util-linux' mount in the mount-aes-udeb  loop-aes-utils contains code from util-linux' mount in the mount-aes-udeb
146    
147  webmin:  webmin:
148  usermin  usermin (only in sarge)
149    
150  sylpheed:  sylpheed:
151  sylpheed-claws  sylpheed-claws
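Review bot: `regular packag links dynamic` in the glib line is a typo for `regular package links dynamically`. Bug and fix references in this hunk do not follow the Format block's `<status> (<sort>; bug #<number>)` form: vfu writes `; #450754`, apache2 and exim4 cite patch names (`040_link_external_pcre`, `36_pcre`) instead of a fixing version, and yacas gives a version range (`<= 1.0.x`) where the format expects the first fixed version, so the <status> field cannot be derived for any of them. The sqlite header's `not affected by security vulnerabilities so far` is a dated claim; now that monotone and iceweasel are listed under it, it should carry the date of the last check or be dropped.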
# Line 108  egroupware Line 155  egroupware
155  phpgroupware  phpgroupware
156    
157  phpldapadmin:  phpldapadmin:
158  egroupware  egroupware (removed from egroupware after sarge)
159    
160  chmlib:  chmlib:
161  kchmviewer (not packaged in Debian)  kchmviewer (ships the code but links dynamically)
162    
163  libavcodec/libavformat:  libavcodec/libavformat (source: ffmpeg):
164  ffmpeg  mplayer (#395252)
165  xine-lib  xvidcap
166  xvidcap (currently in NEW)  kino (links statically, does not include code)
167  kino(?)  vlc (links statically, does not include code)
168  gst-ffmpeg  smilutils (links statically, does not include code)
169  xmovie (currently in NEW)  motion (links statically, does not include code)
170  gst-ffmpeg  gst-ffmpeg
171    gstreamer0.10-ffmpeg
172    xmovie
173    
174  mad MPEG decoding lib:  mad MPEG decoding lib:
175  mad  mad
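Review bot: four libavcodec/libavformat entries (kino, vlc, smilutils, motion) are marked `links statically, does not include code`, which is the opposite of what this file tracks (a source package embedding a copy); a statically linked external library needs a rebuild after the ffmpeg fix rather than a source patch, so these belong under a distinct marker or a NOTE line, otherwise readers will search those packages for ffmpeg sources that are not there. xine-lib is dropped from this list relative to the previous revision without a `<removed>` status, so it is unclear whether it stopped embedding ffmpeg or was overlooked; mplayer's `(#395252)` should use the documented `bug #<number>` spelling.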
# Line 144  xine-lib Line 193  xine-lib
193    
194  curl:  curl:
195  wget (code for NTLM authentication)  wget (code for NTLM authentication)
196    
197    TODO evaluate:
198    gimp-gap (potentially using ffmpeg code as well)
199    
200    uw-imap:
201    pine
202    alpine
203    
204    imagemagick:
205    graphicsmagick
206    
207    halibut:
208    nsis
209    
210    libghttp:
211    hotway
212    
213    libsndfile:
214    ardour
215    
216    glibmm2.4:
217    ardour
218    
219    libgnomecanvasmm2.6:
220    ardour
221    
222    libsigc++-2.0:
223    ardour
224    
225    soundtouch:
226    ardour
227    
228    libmms:
229    xine-lib
230    mimms
231    
232    FCKeditor: (packaged as fckeditor)
233    knowledgeroot
234    moin (452599)
235    karrigell (452598)
236    gforge-plugins-extra (fixed since 4.6.99+svn6225-1)
237    
238    
239    
240    Moodle contains lots of things:
241    AdoDB
242    AdoDB-XML Schema
243    ipatlas
244    PHPMailer
245    Smarty
246    htmlArea
247    TinyMCE
248    bennu
249    
250    TinyMCE:
251    wordpress
252    moodle
253    knowledgeroot
254    joomla (ITP)
255    
256    scintilla:
257    scite
258    qscintilla
259    qscintilla2
260    geany
261    
262    libphp-adodb:
263    gallery2
264    phppgadmin
265    egroupware
266    phpwiki
267    ipplan
268    typo3
269    moodle
270    cacti (dependency exists, but internal version is used -- only in sarge, fixed in etch)
271    
272    gzip:
273    linux-kernel (lib/inflate.c)
274    klibc (based on linux-kernel gzip code)
275    busybox
276    
277    neon:
278    cadaver (all, but being worked on: #188381)
279    gnome-vfs2 (#395874)
280    litmus (#395875)
281    screem (sarge only)
282    sitecopy (#395876)
283    tla (etch/sid only: #395877)
284    
285    libmodplug:
286    gst-plugins-bad0.10
287    
288    libvncserver:
289    vino
290    
291    putty:
292    filezilla
293    
294    tinyxml (not packaged in Debian):
295    filezilla
296    
297    gv:
298    evince (ps/ tree from gv 3.5.8)
299    evince-gtk (not packaged in Debian)
300    
301    libXbae:
302    libpawlib2-lesstif package (from Cernlib)
303    
304    libXaw:
305    libpawlib2-lesstif package (from Cernlib)
306    
307    (I plan to deal with the above two cases after Etch release. -- KevinMcCarty)
308    
309    libgd2:
310    graphviz (lib/gd seems to be 2.0.33)
311    
312    rar:
313    unrar-nonfree
314    
315    unrar-free: (maybe this code is derived from the original rar, too?)
316    clamav (seems to be disabled in default config)
317    
318    mplayer (DirectMedia Object loader):
319    xine-lib (src/libw32dll/)
320    vlc (modules/codec/dmo/)
321    
322    libwpd (WordPerfect converter):
323    openoffice.org
324    
325    fsplib (http://sourceforge.net/projects/fsp/):
326    gftp (lib/fsplib version 0.3)
327    
328    librpcsecgss:
329    krb5
330    
331    jasper:
332    ghostscript
333    gs-gpl
334    
335    libidn:
336    monotone
337    
338    liblua:
339    monotone
340    
341    libbotan:
342    montone
343    
344    NetXX:
345    monotone
346    
347    libgc:
348    mono
349    
350    lzma:
351    p7zip
352    
353    lzo:
354    grub2
355    
356    pax code:
357    tar
358    cpio
359    
360    t1lib:
361    tetex-bin (links to system t1lib since 2.0.2)
362    texlive-bin (links to system t1lib)
363    
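Review bot: `montone` under libbotan is a typo for monotone (spelled correctly under libidn, liblua and NetXX). Bug references are again written three ways in this hunk (`moin (452599)`, `cadaver (... #188381)`, `gforge-plugins-extra (fixed since 4.6.99+svn6225-1)`) where the Format block asks for `<status> (<sort>; bug #<number>)`, and none of the newly added entries carries a <status> or <sort>, so for packages such as ardour (listed under libsndfile, glibmm2.4, libgnomecanvasmm2.6, libsigc++-2.0 and soundtouch) or monotone it cannot be seen whether the copy is still built in. The KevinMcCarty remark under libXaw is a personal TODO that should carry a date or a bug number so it can be closed out, and the open question in the unrar-free header (whether the code derives from rar) should be resolved or tagged `TODO evaluate:` like gimp-gap.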

