/[secure-testing]/data/embedded-code-copies

Diff of /data/embedded-code-copies


revision 3551 by jmm-guest, Wed Mar 1 14:36:47 2006 UTC | revision 7755 by nion, Sat Dec 29 14:05:24 2007 UTC
# Line 1  Line 1 
1    Embedded code copies
2    ====================
3    
4  This file collects cases, where a source package embeds code from  This file collects cases, where a source package embeds code from
5  other projects, without linking dynamically:  other projects which is considered bad for fixing security flaws
6    because the fix needs to be applied in multiple source packages.
7    
8  xpdf code: (some use xpdf 2, some xpdf 3)  Format:
9  gpdf (will be replaced by evince in Gnome 2.12)  <srcpkg> (<optional comment about srcpkg>)
10  pdftohtml (current poppler source package has a ported version, pinged maintainer)          - <embedding srcpkg> <status> (<sort>; bug #<number>)
11  kdegraphics/kpdf (upstream is working on using poppler, probably not in time for Etch)          NOTE: optional comments about the linkage of the embedding srcpkg
12  tetex-bin (links to poppler since 3.0-12)  
13  cupsys (only older releases, recent ones use xpdf-utils, it's still present in the src, though)  status: version number fixing the embedded copy, <unfixed>, <removed> or <unknown> if the version number can not be determined
14  poppler  sort: static (linking statically against a lib), embed (embedding a copy of the library into another source package)
15  koffice (upstream is working on using poppler, probably not in time for Etch)  
16  libextractor  xpdf (some srcpkgs use xpdf2 code, some xpdf3 code)
17  pdfkit.framework (links to poppler since 0.8-4)          NOTE: Fixed packages link to poppler library unless otherwise noted
18            - gpdf <removed>
19            [sarge] - gpdf <unfixed>
20            NOTE: has been replaced by evince in etch
21            - pdftohtml <unknown>
22            [sarge] - pdftohtml <unfixed>
23            [etch] - pdftohtml <unfixed>
24            NOTE: has been replaced by poppler-utils
25            - kdegraphics <unfixed> (embed; bug #436164)
26            NOTE: the kpdf replacement in KDE 4 is using poppler
27            - tetex-bin 3.0-12 (embed)
28            - texlive-bin 2007-1 (embed)
29            NOTE: links to poppler
30            - koffice <unfixed> (embed; bug #436163)
31            - libextractor 0.5.12-1 (embed)
32            NOTE: libextractor is using its own pdf decoder now
33            - libextractor 0.5.12-1 (embed)
34            - pdfkit.framework 0.8-4 (embed)
35            - ipe <unfixed> (embed)
36            NOTE: embeds small parts with renamed source files: ipestdfonts.cpp, ipefonts.cpp, ipedct.cpp
37            - ruby-gnome2 <unknown> (embed)
38            NOTE: copy only present in source but links to poppler
39    
40    ppmd:
41            - libcomplearn-mod-ppmd <unfixed> (embed; bug #458152)
42    
43    silc-toolkit:
44            - silc-client 1.1~beta6-1 (embed)
45    
46    dietlibc:
47            - ccontrol 0.9.1+20071204-1 (static)
48    
49    libiax:
50            - iaxmodem <unfixed> (embed)
51    
52  zlib code: (lots of apps embed a copy, but link dynamically, but there are a few exceptions)  zlib code: (lots of apps embed a copy, but link dynamically, but there are a few exceptions)
53  dpkg  dpkg
54  rsync (somehow derived code base)  rsync (somehow derived code base)
55    mono
56  mozilla(?)  mozilla(?)
57  Linux kernels  Linux kernels
58  pvpgn (links dynamically since 1.7.8-2)  pvpgn (links dynamically since 1.7.8-2)
59  mrtg (links dynamically since 2.12.2-1)  mrtg (links dynamically since 2.12.2-1)
60    rpm
61    
62    libbz2:
63    dpkg (statically linked)
64    
65  libgadu/ekg:  libgadu/ekg:
66  centericq  centericq
67  gaim  gaim
68    pigdin (links dynamically against libgadu)
69  kopete (ships the code, but links dynamically in the Debian package)  kopete (ships the code, but links dynamically in the Debian package)
70  kadu (not packaged in Debian)  kadu (not packaged in Debian)
71  GNU gadu (not yet packaged in Debian)  GNU gadu (not yet packaged in Debian)
72    
   
73  xmlrpc: (which package is the "origin" of this code?)  xmlrpc: (which package is the "origin" of this code?)
74  drupal  drupal
75  phpgroupware  phpgroupware
76  egroupware  egroupware
77  phpwiki  phpwiki
78  php4 (php-pear, IIRC this was reorganized some weeks ago?)  php4 (php-pear, IIRC this was reorganized some weeks ago?)
 tikiwiki (not packaged in Debian)  
   
79    
80  shtool: (affects build-time only)  shtool: (affects build-time only)
81  mysql-ocaml  mysql-ocaml
82  php4  php4
83    
   
84  mozilla:  mozilla:
85  mozilla-firefox  mozilla-firefox
86  mozilla-thunderbird  mozilla-thunderbird
87  nvu  firefox (to be removed)
88    thunderbird (to be removed)
89    iceweasel
90    iceape
91    icedove
92    xulrunner
93    nvu (no longer in Debian)
94    
95  xli:  xli:
96  xloadimage  xloadimage
97    
   
98  lesstif: (beware: two different lesstif APIs supported in one package, MOTIF 1.2 discarded upstream)  lesstif: (beware: two different lesstif APIs supported in one package, MOTIF 1.2 discarded upstream)
99  openmotif  openmotif
100  xfree86/xorg (in libxpm)  xfree86/xorg (in libxpm)
101    
   
102  kerberized apps with BSD origin:  kerberized apps with BSD origin:
103  krb4  krb4
104  krb5  krb5
105  heimdal  heimdal
106    
   
107  grip: (which pkg is the origin?)  grip: (which pkg is the origin?)
108  libcdaudio  libcdaudio
109  grip  grip
110  gnome-vfs (vfs2 as well?)  gnome-vfs (vfs2 as well?)
111    
   
112  fudforum:  fudforum:
113  phpgroupware-fudforum  phpgroupware-fudforum
114  egroupware-fudforum  egroupware-fudforum (removed from egroupware after sarge)
115    
116  cvs:  cvs:
117  gcvs (at least an additional script is included, check if there's more)  gcvs (at least an additional script is included, check if there's more)
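Review bot: The xpdf block lists "- libextractor 0.5.12-1 (embed)" twice, at new lines 31 and 33, with the NOTE between them; drop the second copy so the NOTE clearly closes a single entry. cupsys and poppler were in the old xpdf list (old lines 13-14) and have no entry in the new one; the old cupsys line says the code is still present in its source, so record a status such as <removed> or a fixed version rather than dropping them silently. The Format header is applied only down to libiax: from the zlib section on, the entries stay free-form with no status or sort, so anything that reads the new format will miss them. "pigdin" at new line 68 looks like a misspelling of pidgin.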
# Line 82  all pythons Line 121  all pythons
121  php4 (src included, but Debian package links dynamically)  php4 (src included, but Debian package links dynamically)
122  analog (src included, but Debian package links dynamically)  analog (src included, but Debian package links dynamically)
123  libgoffice-1  libgoffice-1
124    vfu (removed linking against embedded copy in 4.06-4.1; #450754)
125  tf5 (since 5.0beta7 the Debian package links dynamically)  tf5 (since 5.0beta7 the Debian package links dynamically)
126    monotone (including this starting from 0.37)
127    glib (2.14 series for gregex support, only for udeb, regular packag links dynamic)
128    apache2 (since 2.0.53-4 uses 040_link_external_pcre patch)
129    exim4 (since 4.10-0.srh20.12 uses 36_pcre patch to use external pcre)
130    yacas (<= 1.0.x; is using pcre to scan text, can execute shell commands via the syntax anyway)
131    gtamsanalyzer.app (links dynamically since 0.42-5)
132    
133  tiff:  tiff:
134  wxpythongtk (check, which debian pkg this is in)  wxpythongtk (check, which debian pkg this is in)
135  older kdegraphics/kpdf releases < 3.3 embedded a copy  older kdegraphics/kpdf releases < 3.3 embedded a copy
136    
   
137  uudeview:  uudeview:
138  libconvert-uulib-perl  libconvert-uulib-perl
139    
140  sqlite: (not affected by security vulnerabilities so far)  sqlite: (not affected by security vulnerabilities so far)
141  amarok  amarok
142    monotone
143    iceweasel
144    
145  util-linux/mount:  util-linux/mount:
146  loop-aes-utils contains code from util-linux' mount in the mount-aes-udeb  loop-aes-utils contains code from util-linux' mount in the mount-aes-udeb
147    
148  webmin:  webmin:
149  usermin  usermin (only in sarge)
150    
151  sylpheed:  sylpheed:
152  sylpheed-claws  sylpheed-claws
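Review bot: "monotone (including this starting from 0.37)" at new line 126 does not say whether the Debian package links against the bundled copy, which is the one fact a security update needs, and none of the entries added at new lines 124-131 follow the "- <embedding srcpkg> <status> (<sort>; bug #<number>)" format introduced at the top of the file. State embed or static and a fixed version or <unfixed> for each, as the vfu line nearly does. "packag links dynamic" at new line 127 should read "package links dynamically".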
# Line 109  egroupware Line 156  egroupware
156  phpgroupware  phpgroupware
157    
158  phpldapadmin:  phpldapadmin:
159  egroupware  egroupware (removed from egroupware after sarge)
160    
161  chmlib:  chmlib:
162  kchmviewer (not packaged in Debian)  kchmviewer (ships the code but links dynamically)
163    
164  libavcodec/libavformat:  libavcodec/libavformat (source: ffmpeg):
165  ffmpeg  mplayer (#395252)
166  xine-lib  xvidcap
 xvidcap (currently in NEW)  
167  kino (links statically, does not include code)  kino (links statically, does not include code)
168  vlc (links statically, does not include code)  vlc (links statically, does not include code)
169  smilutils (links statically, does not include code)  smilutils (links statically, does not include code)
170  motion (links statically, does not include code)  motion (links statically, does not include code)
171  gst-ffmpeg  gst-ffmpeg
172  xmovie (currently in NEW)  gstreamer0.10-ffmpeg
173  gst-ffmpeg  xmovie
174    
175  mad MPEG decoding lib:  mad MPEG decoding lib:
176  mad  mad
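Review bot: xine-lib (old line 166) disappears from the libavcodec/libavformat list with nothing recording why. If it now links against the system library, keep the entry with a note in the style of "kchmviewer (ships the code but links dynamically)" so the history is not lost. "gstreamer0.10-ffmpeg" at new line 172 sits directly after "gst-ffmpeg" at new line 171; say how the two differ, or keep only one if they refer to the same source package.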
# Line 154  gimp-gap (potentially using ffmpeg code Line 200  gimp-gap (potentially using ffmpeg code
200    
201  uw-imap:  uw-imap:
202  pine  pine
203    alpine
204    
205  imagemagick:  imagemagick:
206  graphicsmagick  graphicsmagick
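Review bot: "alpine" at new line 203 is added under uw-imap with no status or sort, so a reader cannot tell whether it embeds the code or links statically, or whether any version is fixed. Use the format from the file header, with a status of <unfixed> or <unknown> and a sort of (embed) or (static).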
# Line 164  nsis Line 211  nsis
211  libghttp:  libghttp:
212  hotway  hotway
213    
214  etl-dev (will be renamed to libetl-dev soon):  libsndfile:
215  synfig  ardour
216    
217    glibmm2.4:
218    ardour
219    
220    libgnomecanvasmm2.6:
221    ardour
222    
223    libsigc++-2.0:
224    ardour
225    
226    soundtouch:
227    ardour
228    
229    libmms:
230    xine-lib
231    mimms
232    
233    FCKeditor: (packaged as fckeditor)
234    knowledgeroot
235    moin (452599)
236    karrigell (452598)
237    gforge-plugins-extra (fixed since 4.6.99+svn6225-1)
238    
239    
240    
241    Moodle contains lots of things:
242    AdoDB
243    AdoDB-XML Schema
244    ipatlas
245    PHPMailer
246    Smarty
247    htmlArea
248    TinyMCE
249    bennu
250    
251    TinyMCE:
252    wordpress
253    moodle
254    knowledgeroot
255    joomla (ITP)
256    
257    scintilla:
258    scite
259    qscintilla
260    qscintilla2
261    geany
262    
263    libphp-adodb:
264    gallery2
265    phppgadmin
266    egroupware
267    phpwiki
268    ipplan
269    typo3
270    moodle
271    cacti (dependency exists, but internal version is used -- only in sarge, fixed in etch)
272    
273    gzip:
274    linux-kernel (lib/inflate.c)
275    klibc (based on linux-kernel gzip code)
276    busybox
277    
278    neon:
279    cadaver (all, but being worked on: #188381)
280    gnome-vfs2 (#395874)
281    litmus (#395875)
282    screem (sarge only)
283    sitecopy (#395876)
284    tla (etch/sid only: #395877)
285    
286    libmodplug:
287    gst-plugins-bad0.10
288    
289    libvncserver:
290    vino
291    
292    putty:
293    filezilla
294    
295    tinyxml (not packaged in Debian):
296    filezilla
297    
298    gv:
299    evince (ps/ tree from gv 3.5.8)
300    evince-gtk (not packaged in Debian)
301    
302    libXbae:
303    libpawlib2-lesstif package (from Cernlib)
304    
305    libXaw:
306    libpawlib2-lesstif package (from Cernlib)
307    
308    (I plan to deal with the above two cases after Etch release. -- KevinMcCarty)
309    
310    libgd2:
311    graphviz (lib/gd seems to be 2.0.33)
312    
313    rar:
314    unrar-nonfree
315    
316    unrar-free: (maybe this code is derived from the original rar, too?)
317    clamav (seems to be disabled in default config)
318    
319    mplayer (DirectMedia Object loader):
320    xine-lib (src/libw32dll/)
321    vlc (modules/codec/dmo/)
322    
323    libwpd (WordPerfect converter):
324    openoffice.org
325    
326    fsplib (http://sourceforge.net/projects/fsp/):
327    gftp (lib/fsplib version 0.3)
328    
329    librpcsecgss:
330    krb5
331    
332    jasper:
333    ghostscript
334    gs-gpl
335    
336    libidn:
337    monotone
338    
339    liblua:
340    monotone
341    
342    libbotan:
343    montone
344    
345    NetXX:
346    monotone
347    
348    libgc:
349    mono
350    
351    lzma:
352    p7zip
353    
354    lzo:
355    grub2
356    
357    pax code:
358    tar
359    cpio
360    
361    t1lib:
362    tetex-bin (links to system t1lib since 2.0.2)
363    texlive-bin (links to system t1lib)
364    
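Review bot: "montone" under libbotan (new line 343) is misspelled; the three neighbouring entries (libidn, liblua, NetXX) say "monotone", and a search for the package name when a libbotan fix is being tracked would miss this line. Bug references are inconsistent within the hunk: "moin (452599)" and "karrigell (452598)" lack the "#" used in "sitecopy (#395876)", so write them as #452599 and #452598. The etl-dev/synfig entry (old lines 214-215) is removed with no note in the visible lines; if synfig no longer embeds it, record that rather than deleting the entry.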
