| 1 |
|
Embedded code copies |
| 2 |
|
==================== |
| 3 |
|
|
| 4 |
This file collects cases, where a source package embeds code from |
This file collects cases, where a source package embeds code from |
| 5 |
other projects, without linking dynamically: |
other projects which is considered bad for fixing security flaws |
| 6 |
|
because the fix needs to be applied in multiple source packages. |
| 7 |
|
|
| 8 |
|
Format: |
| 9 |
|
<srcpkg> (<optional comment about srcpkg>) |
| 10 |
|
- <embedding srcpkg> <status> (<sort>; bug #<number>) |
| 11 |
|
NOTE: optional comments about the linkage of the embedding srcpkg |
| 12 |
|
|
| 13 |
|
status: version number fixing the embedded copy, <unfixed>, <removed> or <unknown> if the version number can not be determined |
| 14 |
|
sort: static/dynamic |
| 15 |
|
|
| 16 |
|
xpdf (some srcpkgs use xpdf2 code, some xpdf3 code) |
| 17 |
|
- gpdf <removed> |
| 18 |
|
[sarge] - gpdf <unfixed> |
| 19 |
|
NOTE: has been replaced by evince in etch |
| 20 |
|
- pdftohtml <unknown> |
| 21 |
|
[sarge] - pdftohtml <unfixed> |
| 22 |
|
[etch] - pdftohtml <unfixed> |
| 23 |
|
NOTE: has been replaced by poppler-utils |
| 24 |
|
- kdegraphics <unfixed> (static; bug #436164) |
| 25 |
|
NOTE: the kpdf replacement in KDE 4 is using poppler |
| 26 |
|
- tetex-bin 3.0-12 (dynamic) |
| 27 |
|
NOTE: links to poppler |
| 28 |
|
- texlive-bin <unknown> (dynamic) |
| 29 |
|
NOTE: links to poppler |
| 30 |
|
- koffice <unfixed> (static; bug #436163) |
| 31 |
|
- libextractor 0.5.12-1 (static) |
| 32 |
|
NOTE: libextractor is using its own pdf decoder |
| 33 |
|
- libextractor 0.5.12-1 (dynamic) |
| 34 |
|
NOTE: links to poppler |
| 35 |
|
- pdfkit.framework 0.8-4 (dynamic) |
| 36 |
|
NOTE: links to poppler |
| 37 |
|
- ipe <unfixed> (static) |
| 38 |
|
NOTE: embeds small parts with renamed source files: ipestdfonts.cpp, ipefonts.cpp, ipedct.cpp |
| 39 |
|
- ruby-gnome2 <unknown> (dynamic) |
| 40 |
|
NOTE: copy only present in source but links to poppler |
| 41 |
|
|
| 42 |
|
silc-toolkit: |
| 43 |
|
silc-client (uses libsilc and libsilcclient) |
| 44 |
|
|
| 45 |
xpdf code: (some use xpdf 2, some xpdf 3) |
dietlibc: |
| 46 |
gpdf (will be replaced by evince in Gnome 2.12) |
ccontrol (linked statically until 0.9.1+20071204-1, affects Etch only) |
| 47 |
pdftohtml (current poppler source package has a ported version, pinged maintainer) |
|
| 48 |
kdegraphics/kpdf (upstream is working on using poppler, probably not in time for Etch) |
libiax: |
| 49 |
tetex-bin (links to poppler since 3.0-12) |
iaxmodem |
|
cupsys (only older releases, recent ones use xpdf-utils, it's still present in the src, though) |
|
|
poppler |
|
|
koffice/kword (upstream is working on using poppler, probably not in time for Etch) |
|
|
libextractor (uses internal pdf decoder since 0.5.12-1) |
|
|
pdfkit.framework (links to poppler since 0.8-4) |
|
| 50 |
|
|
| 51 |
zlib code: (lots of apps embed a copy, but link dynamically, but there are a few exceptions) |
zlib code: (lots of apps embed a copy, but link dynamically, but there are a few exceptions) |
| 52 |
dpkg |
dpkg |
| 53 |
rsync (somehow derived code base) |
rsync (somehow derived code base) |
| 54 |
|
mono |
| 55 |
mozilla(?) |
mozilla(?) |
| 56 |
Linux kernels |
Linux kernels |
| 57 |
pvpgn (links dynamically since 1.7.8-2) |
pvpgn (links dynamically since 1.7.8-2) |
| 64 |
libgadu/ekg: |
libgadu/ekg: |
| 65 |
centericq |
centericq |
| 66 |
gaim |
gaim |
| 67 |
|
pigdin (links dynamically against libgadu) |
| 68 |
kopete (ships the code, but links dynamically in the Debian package) |
kopete (ships the code, but links dynamically in the Debian package) |
| 69 |
kadu (not packaged in Debian) |
kadu (not packaged in Debian) |
| 70 |
GNU gadu (not yet packaged in Debian) |
GNU gadu (not yet packaged in Debian) |
| 75 |
egroupware |
egroupware |
| 76 |
phpwiki |
phpwiki |
| 77 |
php4 (php-pear, IIRC this was reorganized some weeks ago?) |
php4 (php-pear, IIRC this was reorganized some weeks ago?) |
|
tikiwiki |
|
| 78 |
|
|
| 79 |
shtool: (affects build-time only) |
shtool: (affects build-time only) |
| 80 |
mysql-ocaml |
mysql-ocaml |
| 120 |
php4 (src included, but Debian package links dynamically) |
php4 (src included, but Debian package links dynamically) |
| 121 |
analog (src included, but Debian package links dynamically) |
analog (src included, but Debian package links dynamically) |
| 122 |
libgoffice-1 |
libgoffice-1 |
| 123 |
|
vfu (removed linking against embedded copy in 4.06-4.1; #450754) |
| 124 |
tf5 (since 5.0beta7 the Debian package links dynamically) |
tf5 (since 5.0beta7 the Debian package links dynamically) |
| 125 |
|
monotone (including this starting from 0.37) |
| 126 |
|
glib (2.14 series for gregex support, only for udeb, regular packag links dynamic) |
| 127 |
|
apache2 (since 2.0.53-4 uses 040_link_external_pcre patch) |
| 128 |
|
exim4 (since 4.10-0.srh20.12 uses 36_pcre patch to use external pcre) |
| 129 |
|
yacas (<= 1.0.x; is using pcre to scan text, can execute shell commands via the syntax anyway) |
| 130 |
|
gtamsanalyzer.app (links dynamically since 0.42-5) |
| 131 |
|
|
| 132 |
tiff: |
tiff: |
| 133 |
wxpythongtk (check, which debian pkg this is in) |
wxpythongtk (check, which debian pkg this is in) |
| 138 |
|
|
| 139 |
sqlite: (not affected by security vulnerabilities so far) |
sqlite: (not affected by security vulnerabilities so far) |
| 140 |
amarok |
amarok |
| 141 |
|
monotone |
| 142 |
|
iceweasel |
| 143 |
|
|
| 144 |
util-linux/mount: |
util-linux/mount: |
| 145 |
loop-aes-utils contains code from util-linux' mount in the mount-aes-udeb |
loop-aes-utils contains code from util-linux' mount in the mount-aes-udeb |
| 158 |
egroupware (removed from egroupware after sarge) |
egroupware (removed from egroupware after sarge) |
| 159 |
|
|
| 160 |
chmlib: |
chmlib: |
| 161 |
kchmviewer (not packaged in Debian) |
kchmviewer (ships the code but links dynamically) |
| 162 |
|
|
| 163 |
libavcodec/libavformat: |
libavcodec/libavformat (source: ffmpeg): |
| 164 |
ffmpeg |
mplayer (#395252) |
|
xine-lib |
|
| 165 |
xvidcap |
xvidcap |
| 166 |
kino (links statically, does not include code) |
kino (links statically, does not include code) |
| 167 |
vlc (links statically, does not include code) |
vlc (links statically, does not include code) |
| 199 |
|
|
| 200 |
uw-imap: |
uw-imap: |
| 201 |
pine |
pine |
| 202 |
|
alpine |
| 203 |
|
|
| 204 |
imagemagick: |
imagemagick: |
| 205 |
graphicsmagick |
graphicsmagick |
| 210 |
libghttp: |
libghttp: |
| 211 |
hotway |
hotway |
| 212 |
|
|
| 213 |
etl-dev (will be renamed to libetl-dev soon): |
libsndfile: |
| 214 |
synfig |
ardour |
| 215 |
|
|
| 216 |
|
glibmm2.4: |
| 217 |
|
ardour |
| 218 |
|
|
| 219 |
|
libgnomecanvasmm2.6: |
| 220 |
|
ardour |
| 221 |
|
|
| 222 |
|
libsigc++-2.0: |
| 223 |
|
ardour |
| 224 |
|
|
| 225 |
|
soundtouch: |
| 226 |
|
ardour |
| 227 |
|
|
| 228 |
libmms: |
libmms: |
| 229 |
xine-lib |
xine-lib |
| 230 |
mimms |
mimms |
| 231 |
|
|
| 232 |
FCKeditor: |
FCKeditor: (packaged as fckeditor) |
| 233 |
knowledgeroot |
knowledgeroot |
| 234 |
|
moin (452599) |
| 235 |
|
karrigell (452598) |
| 236 |
|
gforge-plugins-extra (fixed since 4.6.99+svn6225-1) |
| 237 |
|
|
| 238 |
|
|
| 239 |
|
|
| 240 |
Moodle contains lots of things: |
Moodle contains lots of things: |
| 241 |
AdoDB |
AdoDB |
| 256 |
scintilla: |
scintilla: |
| 257 |
scite |
scite |
| 258 |
qscintilla |
qscintilla |
| 259 |
|
qscintilla2 |
| 260 |
geany |
geany |
| 261 |
|
|
| 262 |
libphp-adodb: |
libphp-adodb: |
| 264 |
phppgadmin |
phppgadmin |
| 265 |
egroupware |
egroupware |
| 266 |
phpwiki |
phpwiki |
| 267 |
|
ipplan |
| 268 |
|
typo3 |
| 269 |
moodle |
moodle |
| 270 |
cacti (dependency exists, but internal version is used -- only in sarge, fixed in etch) |
cacti (dependency exists, but internal version is used -- only in sarge, fixed in etch) |
| 271 |
|
|
| 274 |
klibc (based on linux-kernel gzip code) |
klibc (based on linux-kernel gzip code) |
| 275 |
busybox |
busybox |
| 276 |
|
|
|
ffmpeg: |
|
|
mplayer (#395252) |
|
|
|
|
| 277 |
neon: |
neon: |
| 278 |
cadaver (all, but being worked on: #188381) |
cadaver (all, but being worked on: #188381) |
| 279 |
gnome-vfs2 (#395874) |
gnome-vfs2 (#395874) |
| 308 |
|
|
| 309 |
libgd2: |
libgd2: |
| 310 |
graphviz (lib/gd seems to be 2.0.33) |
graphviz (lib/gd seems to be 2.0.33) |
| 311 |
|
|
| 312 |
|
rar: |
| 313 |
|
unrar-nonfree |
| 314 |
|
|
| 315 |
|
unrar-free: (maybe this code is derived from the original rar, too?) |
| 316 |
|
clamav (seems to be disabled in default config) |
| 317 |
|
|
| 318 |
|
mplayer (DirectMedia Object loader): |
| 319 |
|
xine-lib (src/libw32dll/) |
| 320 |
|
vlc (modules/codec/dmo/) |
| 321 |
|
|
| 322 |
|
libwpd (WordPerfect converter): |
| 323 |
|
openoffice.org |
| 324 |
|
|
| 325 |
|
fsplib (http://sourceforge.net/projects/fsp/): |
| 326 |
|
gftp (lib/fsplib version 0.3) |
| 327 |
|
|
| 328 |
|
librpcsecgss: |
| 329 |
|
krb5 |
| 330 |
|
|
| 331 |
|
jasper: |
| 332 |
|
ghostscript |
| 333 |
|
gs-gpl |
| 334 |
|
|
| 335 |
|
libidn: |
| 336 |
|
monotone |
| 337 |
|
|
| 338 |
|
liblua: |
| 339 |
|
monotone |
| 340 |
|
|
| 341 |
|
libbotan: |
| 342 |
|
montone |
| 343 |
|
|
| 344 |
|
NetXX: |
| 345 |
|
monotone |
| 346 |
|
|
| 347 |
|
libgc: |
| 348 |
|
mono |
| 349 |
|
|
| 350 |
|
lzma: |
| 351 |
|
p7zip |
| 352 |
|
|
| 353 |
|
lzo: |
| 354 |
|
grub2 |
| 355 |
|
|
| 356 |
|
pax code: |
| 357 |
|
tar |
| 358 |
|
cpio |
| 359 |
|
|
| 360 |
|
t1lib: |
| 361 |
|
tetex-bin (links to system t1lib since 2.0.2) |
| 362 |
|
texlive-bin (links to system t1lib) |
| 363 |
|
|
Parent Directory
| 
Revision Log
| 
Patch