/[secure-testing]/data/embedded-code-copies

Diff of /data/embedded-code-copies

Parent Directory | Revision Log | View Patch Patch

-revision 6356 by jmm-guest,
Sun Aug 19 10:01:33 2007 UTC
+revision 7695 by nion,
Sat Dec 22 16:01:32 2007 UTC
 Line 1
+ Embedded code copies
+ ====================
  This file collects cases, where a source package embeds code from
- other projects, without linking dynamically:
+ other projects which is considered bad for fixing security flaws
+ because the fix needs to be applied in multiple source packages.
+ Format:
+ <srcpkg> (<optional comment about srcpkg>)
+         - <embedding srcpkg> <status> (<sort>; bug #<number>)
+         NOTE: optional comments about the linkage of the embedding srcpkg
  xpdf code: (some use xpdf 2, some xpdf 3)
  gpdf (has been replaced by evince - which uses poppler - in Etch)
  pdftohtml (has been replaced by poppler-utils from the poppler source package, still in Etch, though)
  kdegraphics/kpdf (okular, the kpdf replacement in KDE 4 is using poppler, #436164)
  tetex-bin (links to poppler since 3.0-12)
+ texlive-bin (links to poppler)
  cupsys (uses xpdf-utils, it's still present in the src, though)
  poppler
  koffice/kword (upstream is working on using poppler, #436163)
  libextractor (uses internal pdf decoder since 0.5.12-1)
  pdfkit.framework (links to poppler since 0.8-4)
  ipe (only small parts, but with renamed source files: ipestdfonts.cpp, ipefonts.cpp, ipedct.cpp)
+ ruby-gnome2 (has a copy of poppler but links against the shared lib)
+ silc-toolkit:
+ silc-client (uses libsilc and libsilcclient)
+ dietlibc:
+ ccontrol (links statically)
+ libiax:
+ iaxmodem
  zlib code: (lots of apps embed a copy, but link dynamically, but there are a few exceptions)
  dpkg
  rsync (somehow derived code base)
+ mono
  mozilla(?)
  Linux kernels
  pvpgn (links dynamically since 1.7.8-2)
-Line 28 
 dpkg (statically linked)
+Line 49 
 dpkg (statically linked)
  libgadu/ekg:
  centericq
  gaim
+ pigdin (links dynamically against libgadu)
  kopete (ships the code, but links dynamically in the Debian package)
  kadu (not packaged in Debian)
  GNU gadu (not yet packaged in Debian)
-Line 38 
 phpgroupware
+Line 60 
 phpgroupware
  egroupware
  phpwiki
  php4 (php-pear, IIRC this was reorganized some weeks ago?)
- tikiwiki
  shtool: (affects build-time only)
  mysql-ocaml
-Line 84 
 all pythons
+Line 105 
 all pythons
  php4 (src included, but Debian package links dynamically)
  analog (src included, but Debian package links dynamically)
  libgoffice-1
+ vfu (removed linking against embedded copy in 4.06-4.1; #450754)
  tf5 (since 5.0beta7 the Debian package links dynamically)
+ monotone (including this starting from 0.37)
+ glib (2.14 series for gregex support, only for udeb, regular packag links dynamic)
+ apache2 (since 2.0.53-4 uses 040_link_external_pcre patch)
+ exim4 (since 4.10-0.srh20.12 uses 36_pcre patch to use external pcre)
+ yacas (<= 1.0.x; is using pcre to scan text, can execute shell commands via the syntax anyway)
+ gtamsanalyzer.app (links dynamically since 0.42-5)
  tiff:
  wxpythongtk (check, which debian pkg this is in)
-Line 95 
 libconvert-uulib-perl
+Line 123 
 libconvert-uulib-perl
  sqlite: (not affected by security vulnerabilities so far)
  amarok
+ monotone
+ iceweasel
  util-linux/mount:
  loop-aes-utils contains code from util-linux' mount in the mount-aes-udeb
-Line 113 
 phpldapadmin:
+Line 143 
 phpldapadmin:
  egroupware (removed from egroupware after sarge)
  chmlib:
- kchmviewer (not packaged in Debian)
+ kchmviewer (ships the code but links dynamically)
- libavcodec/libavformat:
+ libavcodec/libavformat (source: ffmpeg):
- ffmpeg
+ mplayer (#395252)
- xine-lib
  xvidcap
  kino (links statically, does not include code)
  vlc (links statically, does not include code)
-Line 155 
 gimp-gap (potentially using ffmpeg code
+Line 184 
 gimp-gap (potentially using ffmpeg code
  uw-imap:
  pine
+ alpine
  imagemagick:
  graphicsmagick
-Line 165 
 nsis
+Line 195 
 nsis
  libghttp:
  hotway
- etl-dev (will be renamed to libetl-dev soon):
+ libsndfile:
- synfig
+ ardour
+ glibmm2.4:
+ ardour
+ libgnomecanvasmm2.6:
+ ardour
+ libsigc++-2.0:
+ ardour
+ soundtouch:
+ ardour
  libmms:
  xine-lib
  mimms
- FCKeditor:
+ FCKeditor: (packaged as fckeditor)
  knowledgeroot
+ moin (452599)
+ karrigell (452598)
+ gforge-plugins-extra (fixed since 4.6.99+svn6225-1)
  Moodle contains lots of things:
  AdoDB
-Line 194 
 joomla (ITP)
+Line 241 
 joomla (ITP)
  scintilla:
  scite
  qscintilla
+ qscintilla2
  geany
  libphp-adodb:
-Line 201 
 gallery2
+Line 249 
 gallery2
  phppgadmin
  egroupware
  phpwiki
+ ipplan
+ typo3
  moodle
  cacti (dependency exists, but internal version is used -- only in sarge, fixed in etch)
-Line 209 
 linux-kernel (lib/inflate.c)
+Line 259 
 linux-kernel (lib/inflate.c)
  klibc (based on linux-kernel gzip code)
  busybox
- ffmpeg:
- mplayer (#395252)
  neon:
  cadaver (all, but being worked on: #188381)
  gnome-vfs2 (#395874)
-Line 262 
 openoffice.org
+Line 309 
 openoffice.org
  fsplib (http://sourceforge.net/projects/fsp/):
  gftp (lib/fsplib version 0.3)
+ librpcsecgss:
+ krb5
+ jasper:
+ ghostscript
+ gs-gpl
+ libidn:
+ monotone
+ liblua:
+ monotone
+ libbotan:
+ montone
+ NetXX:
+ monotone
+ libgc:
+ mono
+ lzma:
+ p7zip
+ lzo:
+ grub2
+ pax code:
+ tar
+ cpio
+ t1lib:
+ tetex-bin (links to system t1lib since 2.0.2)
+ texlive-bin (links to system t1lib)

 Legend:



Removed from v.6356
 


changed lines


 
Added in v.7695
 Legend:



Removed from v.6356
 


changed lines


 
Added in v.7695
-Removed from v.6356
+Added in v.7695

	ViewVC Help
Powered by ViewVC 1.1.5