--- data/embedded-code-copies 2007/12/29 14:05:24 7755 +++ data/embedded-code-copies 2008/02/19 13:22:31 8189 @@ -1,18 +1,30 @@ Embedded code copies ==================== -This file collects cases, where a source package embeds code from -other projects which is considered bad for fixing security flaws -because the fix needs to be applied in multiple source packages. +This file collects source packages that embed code from other projects. +This is considered bad for fixing security flaws because the fix needs +to be applied in multiple source packages. Format: () - (; bug #) NOTE: optional comments about the linkage of the embedding srcpkg -status: version number fixing the embedded copy, , or if the version number can not be determined -sort: static (linking statically against a lib), embed (embedding a copy of the library into another source package) +status: version number fixing the embedded copy, , , + or if the version number can not be determined + for unavoidable cases (e.g., forks that add real value) +sort: static (linking statically against a lib) + embed (embedding a copy of the library into another source package) + fork (the package is not just embedding code but it is a fork and + thus might share parts of the source code) + old-version (the package is an older version of essentially + the same code) +The srcpkg might be some string to identify the code if there is no +specific source package. + +Everything up to the next line is ignored. +---BEGIN xpdf (some srcpkgs use xpdf2 code, some xpdf3 code) NOTE: Fixed packages link to poppler library unless otherwise noted - gpdf 
@@ -37,328 +49,400 @@ - ruby-gnome2 (embed) NOTE: copy only present in source but links to poppler -ppmd: +ppmd - libcomplearn-mod-ppmd (embed; bug #458152) -silc-toolkit: +peercast + - gnome-peercast (embed) + NOTE: gnome-peercast may better be removed, see #466539 + +silc-toolkit - silc-client 1.1~beta6-1 (embed) -dietlibc: +dietlibc - ccontrol 0.9.1+20071204-1 (static) -libiax: +libiax - iaxmodem (embed) -zlib code: (lots of apps embed a copy, but link dynamically, but there are a few exceptions) -dpkg -rsync (somehow derived code base) -mono -mozilla(?) -Linux kernels -pvpgn (links dynamically since 1.7.8-2) -mrtg (links dynamically since 2.12.2-1) -rpm - -libbz2: -dpkg (statically linked) - -libgadu/ekg: -centericq -gaim -pigdin (links dynamically against libgadu) -kopete (ships the code, but links dynamically in the Debian package) -kadu (not packaged in Debian) -GNU gadu (not yet packaged in Debian) - -xmlrpc: (which package is the "origin" of this code?) -drupal -phpgroupware -egroupware -phpwiki -php4 (php-pear, IIRC this was reorganized some weeks ago?) - -shtool: (affects build-time only) -mysql-ocaml -php4 - -mozilla: -mozilla-firefox -mozilla-thunderbird -firefox (to be removed) -thunderbird (to be removed) -iceweasel -iceape -icedove -xulrunner -nvu (no longer in Debian) - -xli: -xloadimage - -lesstif: (beware: two different lesstif APIs supported in one package, MOTIF 1.2 discarded upstream) -openmotif -xfree86/xorg (in libxpm) - -kerberized apps with BSD origin: -krb4 -krb5 -heimdal - -grip: (which pkg is the origin?) -libcdaudio -grip -gnome-vfs (vfs2 as well?) 
- -fudforum: -phpgroupware-fudforum -egroupware-fudforum (removed from egroupware after sarge) - -cvs: -gcvs (at least an additional script is included, check if there's more) - -pcre: -all pythons -php4 (src included, but Debian package links dynamically) -analog (src included, but Debian package links dynamically) -libgoffice-1 -vfu (removed linking against embedded copy in 4.06-4.1; #450754) -tf5 (since 5.0beta7 the Debian package links dynamically) -monotone (including this starting from 0.37) -glib (2.14 series for gregex support, only for udeb, regular packag links dynamic) -apache2 (since 2.0.53-4 uses 040_link_external_pcre patch) -exim4 (since 4.10-0.srh20.12 uses 36_pcre patch to use external pcre) -yacas (<= 1.0.x; is using pcre to scan text, can execute shell commands via the syntax anyway) -gtamsanalyzer.app (links dynamically since 0.42-5) - -tiff: -wxpythongtk (check, which debian pkg this is in) -older kdegraphics/kpdf releases < 3.3 embedded a copy - -uudeview: -libconvert-uulib-perl - -sqlite: (not affected by security vulnerabilities so far) -amarok -monotone -iceweasel - -util-linux/mount: -loop-aes-utils contains code from util-linux' mount in the mount-aes-udeb - -webmin: -usermin (only in sarge) - -sylpheed: -sylpheed-claws - -phpsysinfo: -egroupware -phpgroupware - -phpldapadmin: -egroupware (removed from egroupware after sarge) - -chmlib: -kchmviewer (ships the code but links dynamically) - -libavcodec/libavformat (source: ffmpeg): -mplayer (#395252) -xvidcap -kino (links statically, does not include code) -vlc (links statically, does not include code) -smilutils (links statically, does not include code) -motion (links statically, does not include code) -gst-ffmpeg -gstreamer0.10-ffmpeg -xmovie +zlib (lots of apps embed a copy, but link dynamically, but there are a few exceptions) + - dpkg (embed) + NOTE: see 18196.48620.491996.624772@davenant.relativity.greenend.org.uk on debian-devel for discussion + - rsync (embed) + NOTE: somehow 
derived code base + - mono (embed) + TODO: check mozilla + - Linux kernels (embed) + - pvpgn 1.7.8-2 (embed) + - mrtg 2.12.2-1 (embed) + - rpm (embed) + NOTE: pinged anibal since when rpm was fixed + +libbz2 + - dpkg (static) + +ekg + - centericq (embed) + - gaim (embed) + - pigdin (embed)(links dynamically against libgadu) + - kopete 4:3.3.2-5 (embed) + - kadu (embed) + - gadu (embed) + NOTE: g/kadu not packaged in Debian yet + +xmlrpc (which package is the "origin" of this code?) + - drupal (embed) + - phpgroupware (embed) + - egroupware (embed) + - phpwiki (embed) + - php4 (embed) + TODO: check, php-pear, IIRC this was reorganized some weeks ago? + +shtool (affects build-time only) + - mysql-ocaml (embed) + - php4 (embed) + +mozilla source code + - mozilla-firefox (embed) + - mozilla-thunderbird + - firefox + [etch] - firefox (embed) + - thunderbird + [etch] - thunderbird (embed) + - iceweasel (embed) + - iceape (embed) + - icedove (embed) + - xulrunner (embed) + - nvu (embed) + +xli + - xloadimage (embed) + +lesstif (beware: two different lesstif APIs supported in one package, MOTIF 1.2 discarded upstream) + - openmotif (embed) + - xfree86/xorg (embed) + NOTE: in libxpm + +kerberized apps with BSD origin + - krb4 (embed) + - krb5 (embed) + - heimdal (embed) + +grip (which pkg is the origin?) 
+ - libcdaudio + - grip + - gnome-vfs + TODO: check vfs2 as well + +fudforum + - phpgroupware-fudforum (embed) + - egroupware-fudforum + [sarge] - egroupware-fudforum (embed) + +cvs + - gcvs (embed) + NOTE: see cvsunix/src in tarball + +pcre + - python* (embed) + - php4 (embed) + - analog 2:5.23-0woody1 (embed) + - libgoffice-1 (embed) + - vfu 4.06-4.1 (embed; bug #450754) + - tf5 5.0beta7-1 (embed) + - monotone (embed) + NOTE: this only affects versions >= 0.37 + - glib (embed) + NOTE: 2.14 series for gregex support, only for udeb, regular packag links dynamic + - apache2 2.0.53-4 (embed) + - exim4 4.10-0.srh20.12 (embed) + - yacas (embed) + NOTE: <= 1.0.x; is using pcre to scan text, can execute shell commands via the syntax anyway + - gtamsanalyzer.app 0.42-5 (embed) + +tiff + - wxpythongtk (embed) + TODO: check, which debian pkg this is in + +uudeview + - libconvert-uulib-perl (embed) + +sqlite (not affected by security vulnerabilities so far) + - amarok (embed) + - monotone (embed) + - iceweasel (embed) + +util-linux/mount + - loop-aes-utils (embed) + NOTE: contains code from util-linux' mount in the mount-aes-udeb + +webmin + - usermin (embed) + [sarge] - usermin (embed) + +sylpheed + - sylpheed-claws (fork) + +phpsysinfo + - egroupware (embed) + - phpgroupware (embed) + +phpldapadmin + [sarge] - egroupware (embed) + NOTE: removed from egroupware after sarge + +chmlib + - kchmviewer (embed) + +libavcodec/libavformat (source: ffmpeg) + - mplayer (embed; bug #395252) + - xvidcap (embed) + - kino (static) + - vlc (static) + - smilutils (static) + - motion (static) + - gst-ffmpeg (embed) + - gstreamer0.10-ffmpeg (embed) + - xmovie + TODO: gimp-gap (potentially using ffmpeg code as well) + +mad MPEG decoding lib + - mad (embed) + - xine-lib (embed) -mad MPEG decoding lib: -mad -xine-lib - -libdts: libdts -xine-lib + - xine-lib (embed) -flac: flac -xine-lib - -liba52: -a52dec -xine-lib - -libmpeg2: -mpeg2dec -xine-lib - -curl: -wget (code for NTLM authentication) - 
-TODO evaluate: -gimp-gap (potentially using ffmpeg code as well) - -uw-imap: -pine -alpine - -imagemagick: -graphicsmagick - -halibut: -nsis - -libghttp: -hotway - -libsndfile: -ardour - -glibmm2.4: -ardour - -libgnomecanvasmm2.6: -ardour + - xine-lib (embed) -libsigc++-2.0: -ardour +liba52 + - a52dec (embed) + - xine-lib (embed) -soundtouch: -ardour +libmpeg2 + - mpeg2dec (embed) + - xine-lib (embed) -libmms: -xine-lib -mimms - -FCKeditor: (packaged as fckeditor) -knowledgeroot -moin (452599) -karrigell (452598) -gforge-plugins-extra (fixed since 4.6.99+svn6225-1) - - - -Moodle contains lots of things: -AdoDB -AdoDB-XML Schema -ipatlas -PHPMailer -Smarty -htmlArea -TinyMCE -bennu - -TinyMCE: -wordpress -moodle -knowledgeroot -joomla (ITP) - -scintilla: -scite -qscintilla -qscintilla2 -geany - -libphp-adodb: -gallery2 -phppgadmin -egroupware -phpwiki -ipplan -typo3 -moodle -cacti (dependency exists, but internal version is used -- only in sarge, fixed in etch) - -gzip: -linux-kernel (lib/inflate.c) -klibc (based on linux-kernel gzip code) -busybox +curl + - wget (embed) + NOTE: code for NTLM authentication -neon: -cadaver (all, but being worked on: #188381) -gnome-vfs2 (#395874) -litmus (#395875) -screem (sarge only) -sitecopy (#395876) -tla (etch/sid only: #395877) +uw-imap + - pine (embed) + - alpine (embed) -libmodplug: -gst-plugins-bad0.10 +imagemagick + - graphicsmagick (fork) -libvncserver: -vino +halibut + - nsis (embed) -putty: -filezilla +libghttp + - hotway (embed) -tinyxml (not packaged in Debian): -filezilla +libsndfile + - ardour (embed) -gv: -evince (ps/ tree from gv 3.5.8) -evince-gtk (not packaged in Debian) +glibmm2.4 + - ardour (embed) -libXbae: -libpawlib2-lesstif package (from Cernlib) +libgnomecanvasmm2.6 + - ardour (embed) -libXaw: -libpawlib2-lesstif package (from Cernlib) +libsigc++-2.0 + - ardour (embed) -(I plan to deal with the above two cases after Etch release. 
-- KevinMcCarty) +soundtouch + - ardour (embed) -libgd2: -graphviz (lib/gd seems to be 2.0.33) +libmms + - xine-lib (embed) + - mimms (embed) -rar: -unrar-nonfree +fckeditor + - knowledgeroot 0.9.8.5-3 (embed; bug #461555) + - moin (embed; bug #452599) + - karrigell (embed; bug #452598) + - gforge-plugins-extra 4.6.99+svn6225-1 (embed) -unrar-free: (maybe this code is derived from the original rar, too?) -clamav (seems to be disabled in default config) +ipatlas (not packaged in Debian) + - moodle (embed) -mplayer (DirectMedia Object loader): -xine-lib (src/libw32dll/) -vlc (modules/codec/dmo/) +libphp-phpmailer + - moodle (embed) -libwpd (WordPerfect converter): -openoffice.org +htmlArea (not packaged in Debian) + - moodle (embed) -fsplib (http://sourceforge.net/projects/fsp/): -gftp (lib/fsplib version 0.3) +giflib: + - wine (embed; bug #466181) -librpcsecgss: -krb5 +bennu (not packaged in Debian) + - moodle (embed) -jasper: -ghostscript -gs-gpl +smarty: + - moodle (embed) -libidn: -monotone - -liblua: -monotone - -libbotan: -montone - -NetXX: -monotone - -libgc: -mono - -lzma: -p7zip - -lzo: -grub2 - -pax code: -tar -cpio +TinyMCE + - wordpress (embed) + - moodle (embed) + - knowledgeroot (embed) + - joomla (bug #326398) + +scintilla + - scite (embed) + - qscintilla (embed) + - qscintilla2 (embed) + - geany (embed) + +libphp-adodb + - moodle (embed) + NOTE: also AdoDB-XML Schema + - gallery2 (embed) + - phppgadmin (embed) + - egroupware (embed) + - phpwiki (embed) + - ipplan (embed) + - typo3 (embed) + - moodle (embed) + - cacti (embed) + [sarge] - cacti (embed) + NOTE: dependency exists, but internal version is used + +gzip + - linux-kernel (embed) + NOTE: lib/inflate.c + - klibc (embed) + NOTE: based on linux-kernel gzip code + - busybox (embed) + +neon + - cadaver (embed; bug #188381) + - gnome-vfs2 (embed; bug #395874) + - litmus (embed; #395875) + [sarge] - screem (embed) + - sitecopy (embed; bug #395876) + [etch] - tla (embed; bug #395877) + [sarge] - tla 
(embed; bug #395877) + +libmodplug + - gst-plugins-bad0.10 (embed) + +libvncserver + - vino (embed) + +putty + - filezilla (embed) + +tinyxml (not packaged in Debian) + - filezilla + +gv + - evince (embed) + NOTE: ps/ tree from gv 3.5.8 + - evince-gtk (embed) + NOTE: not packaged in Debian + +libXbae + [etch] - libpawlib2-lesstif (embed) + NOTE: from Cernlib + +libXaw + [etch] - libpawlib2-lesstif + NOTE: from Cernlib + NOTE: I plan to deal with the above two cases after Etch release. -- KevinMcCarty + +libgd2 + - graphviz (embed) + NOTE: lib/gd seems to be 2.0.33 + - wml (embed) + NOTE: derived from gd 1.6.3 + +rar + - unrar-nonfree (embed) + +unrar-free (maybe this code is derived from the original rar, too?) + - clamav (embed) + NOTE: seems to be disabled in default config + +mplayer (DirectMedia Object loader) + - xine-lib (embed) + NOTE: src/libw32dll/ + - vlc (embed) + NOTE: modules/codec/dmo/ + +libwpd (WordPerfect converter) + - openoffice.org (embed) + +fsplib (http://sourceforge.net/projects/fsp/) + - gftp (embed) + NOTE: lib/fsplib version 0.3 + +librpcsecgss + - krb5 (embed) + +jasper + - ghostscript (embed) + - gs-gpl (embed) + +libidn + - monotone (embed) + +liblua + - monotone (embed) + +libbotan + - montone (embed) + +NetXX + - monotone (embed) + +libgc + - mono (embed) + +lzma + - p7zip (embed) + +lzo + - grub2 (embed) + +yassl + - mysql-dfsg-5.0 (embed) + +pax code + - tar (embed) + - cpio (embed) + +t1lib + - tetex-bin 2.0.2-1 (embed) + - texlive-bin (embed) + +guichan + - boswars (embed) + NOTE: maintainer notified us, working on it + +tolua + - boswars (embed) + NOTE: maintainer notified us, working on it + +asio-dev + - luxrender (embed) + NOTE: maintainer notified us, working on it + NOTE: may be merged with boost "soon" -t1lib: -tetex-bin (links to system t1lib since 2.0.2) -texlive-bin (links to system t1lib) +xine-lib + - vlc (embed) + NOTE: only parts included in modules/access/rtsp +netpbm + - tcl8.3 (embed) + - tcl8.4 (embed) + - tcl8.5 
(embed) + NOTE: generic/tkImgGIF.c + +tk8.5 + - tk8.0 (old-version) + - tk8.3 (old-version) + - tk8.4 (old-version) + - perl-tk (fork)
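Review bot: in the first hunk the rewritten header defines the line format and the new status/sort vocabulary, but the placeholders that carry the field names are empty as committed: "Format: () - (; bug #)" and "status: version number fixing the embedded copy, , ," followed by "or if the version number can not be determined" and "for unavoidable cases (e.g., forks that add real value)". A reader cannot tell which keyword marks an unfixed copy, a removed package or the unavoidable-fork case, and a tool that relies on the "Everything up to the next line is ignored. ---BEGIN" marker to start parsing has no spelled-out tokens to match. Suggest writing the placeholders and the three status keywords out in plain words on those lines (and stating explicitly that the ignored region ends at the ---BEGIN line), since this file exists so that a security fix in the upstream package can be traced to every embedding source package.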
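Review bot: several entries in the second hunk do not follow the "srcpkg version (sort; bug #N)" form the header defines, so they cannot be matched to a fixing version when an advisory for the embedded library comes out: "- mozilla-thunderbird", "- xmovie", the three grip entries ("- libcdaudio", "- grip", "- gnome-vfs"), "- filezilla" under tinyxml and "[etch] - libpawlib2-lesstif" under libXaw all lack the sort field; "giflib:" and "smarty:" keep a trailing colon that the other section headers dropped; "- litmus (embed; #395875)" omits the "bug" keyword its neighbours use; "- pigdin (embed)(links dynamically against libgadu)" puts a remark in a second parenthesis where the new format uses a NOTE: line; the misspellings "pigdin" and "montone" (under libbotan) are carried over from the old text; and moodle is listed twice under libphp-adodb. Suggest normalising these lines in the same commit, since the point of the reformat is that each embedding package carries a machine-checkable sort and status.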