/[secure-testing]/data/embedded-code-copies

Diff of /data/embedded-code-copies

Parent Directory | Revision Log | View Patch Patch

-revision 2104 by jmm-guest,
Thu Sep 22 21:12:38 2005 UTC
+revision 7830 by nion,
Fri Jan  4 18:01:23 2008 UTC
 Line 1
+ Embedded code copies
+ ====================
  This file collects cases, where a source package embeds code from
- other projects, without linking dynamically:
+ other projects which is considered bad for fixing security flaws
+ because the fix needs to be applied in multiple source packages.
- xpdf code: (some use xpdf 2, some xpdf 3)
+ Format:
- gpdf
+ <srcpkg> (<optional comment about srcpkg>)
- pdftohtml
+         - <embedding srcpkg> <status> (<sort>; bug #<number>)
- kdegraphics/kpdf
+         NOTE: optional comments about the linkage of the embedding srcpkg
- tetex-bin
- cupsys (only older releases, recent ones use xpdf-utils, it's still present in the src, though)
+ status: version number fixing the embedded copy, <unfixed>, <removed> or <unknown> if the version number can not be determined
- poppler
+ sort: static (linking statically against a lib)
+       embed (embedding a copy of the library into another source package)
- zlib code: (separate between 1.2 and 1.1)
+       fork (the package is not just embedding code but it is a fork and thus might share parts of the source code)
- dpkg
- rsync
+ The srcpkg might be some string to identify the code if there is no specific source package.
- mozilla-firefox
- mozilla(?)
+ xpdf (some srcpkgs use xpdf2 code, some xpdf3 code)
- Linux kernels
+         NOTE: Fixed packages link to poppler library unless otherwise noted
+         - gpdf <removed>
+         [sarge] - gpdf <unfixed>
- libgadu/ekg:
+         NOTE: has been replaced by evince in etch
- centericq
+         - pdftohtml <unknown>
- gaim
+         [sarge] - pdftohtml <unfixed>
- kopete (ships the code, but links dynamically in the Debian package)
+         [etch] - pdftohtml <unfixed>
- kadu (not packaged in Debian)
+         NOTE: has been replaced by poppler-utils
- GNU gadu (not packaged in Debian)
+         - kdegraphics <unfixed> (embed; bug #436164)
+         NOTE: the kpdf replacement in KDE 4 is using poppler
+         - tetex-bin 3.0-12 (embed)
- xmlrpc: (which package is the "origin" of this code?)
+         - texlive-bin 2007-1 (embed)
- drupal
+         NOTE: links to poppler
- phpgroupware
+         - koffice <unfixed> (embed; bug #436163)
+         - libextractor 0.5.12-1 (embed)
+         NOTE: libextractor is using its own pdf decoder now
+         - libextractor 0.5.12-1 (embed)
+         - pdfkit.framework 0.8-4 (embed)
+         - ipe <unfixed> (embed)
+         NOTE: embeds small parts with renamed source files: ipestdfonts.cpp, ipefonts.cpp, ipedct.cpp
+         - ruby-gnome2 <unknown> (embed)
+         NOTE: copy only present in source but links to poppler
+ ppmd
+         - libcomplearn-mod-ppmd <unfixed> (embed; bug #458152)
+ silc-toolkit
+         - silc-client 1.1~beta6-1 (embed)
+ dietlibc
+         - ccontrol 0.9.1+20071204-1 (static)
+ libiax
+         - iaxmodem <unfixed> (embed)
+ zlib (lots of apps embed a copy, but link dynamically, but there are a few exceptions)
+         - dpkg <unfixed> (embed)
+         NOTE: see 18196.48620.491996.624772@davenant.relativity.greenend.org.uk on debian-devel for discussion
+         - rsync <unfixed> (embed)
+         NOTE: somehow derived code base
+         - mono <unfixed> (embed)
+         TODO: check mozilla
+         - Linux kernels <unfixed> (embed)
+         - pvpgn 1.7.8-2 (embed)
+         - mrtg 2.12.2-1 (embed)
+         - rpm <unknown> (embed)
+         NOTE: pinged joeyh since when rpm was fixed
+ libbz2
+         - dpkg <unfixed> (static)
+ ekg
+         - centericq <unfixed> (embed)
+         - gaim <unfixed> (embed)
+         - pigdin <unfixed> (embed)(links dynamically against libgadu)
+         - kopete 4:3.3.2-5 (embed)
+         - kadu <unfixed> (embed)
+         - gadu <unfixed> (embed)
+         NOTE: g/kadu not packaged in Debian yet
+ xmlrpc (which package is the "origin" of this code?)
+         - drupal <unfixed> (embed)
+         - phpgroupware <unfixed> (embed)
+         - egroupware <unfixed> (embed)
+         - phpwiki (embed)
+         - php4 <unfixed> (embed)
+         TODO: check, php-pear, IIRC this was reorganized some weeks ago?
+ shtool (affects build-time only)
+         - mysql-ocaml <unfixed> (embed)
+         - php4 <unfixed> (embed)
+ mozilla source code
+         - mozilla-firefox <unfixed> (embed)
+         - mozilla-thunderbird
+         - firefox <removed>
+         [etch] - firefox <unfixed> (embed)
+         - thunderbird <removed>
+         [etch] - thunderbird <unfixed> (embed)
+         - iceweasel <unfixed> (embed)
+         - iceape <unfixed> (embed)
+         - icedove <unfixed> (embed)
+         - xulrunner <unfixed> (embed)
+         - nvu <removed> (embed)
+ xli
+         - xloadimage <unfixed> (embed)
+ lesstif (beware: two different lesstif APIs supported in one package, MOTIF 1.2 discarded upstream)
+         - openmotif <unfixed> (embed)
+         - xfree86/xorg <unfixed> (embed)
+         NOTE: in libxpm
+ kerberized apps with BSD origin
+         - krb4 <unfixed> (embed)
+         - krb5 <unfixed> (embed)
+         - heimdal <unfixed> (embed)
+ grip (which pkg is the origin?)
+         - libcdaudio
+         - grip
+         - gnome-vfs
+         TODO: check vfs2 as well
+ fudforum
+         - phpgroupware-fudforum <unfixed> (embed)
+         - egroupware-fudforum <removed>
+         [sarge] - egroupware-fudforum <unfixed> (embed)
+ cvs
+         - gcvs <unfixed> (embed)
+         NOTE: see cvsunix/src in tarball
+ pcre
+         - python* <unfixed> (embed)
+         - php4 <unknown> (embed)
+         - analog 2:5.23-0woody1 (embed)
+         - libgoffice-1 <unfixed> (embed)
+         - vfu 4.06-4.1 (embed; bug #450754)
+         - tf5 5.0beta7-1 (embed)
+         - monotone <unfixed> (embed)
+         NOTE: this only affects versions >= 0.37
+         - glib <unfixed> (embed)
+         NOTE: 2.14 series for gregex support, only for udeb, regular packag links dynamic
+         - apache2 2.0.53-4 (embed)
+         - exim4 4.10-0.srh20.12 (embed)
+         - yacas <unfixed> (embed)
+         NOTE: <= 1.0.x; is using pcre to scan text, can execute shell commands via the syntax anyway
+         - gtamsanalyzer.app 0.42-5 (embed)
+ tiff
+         - wxpythongtk <unfixed> (embed)
+         TODO: check, which debian pkg this is in
+ uudeview
+         - libconvert-uulib-perl <unfixed> (embed)
+ sqlite (not affected by security vulnerabilities so far)
+         - amarok <unfixed> (embed)
+         - monotone <unfixed> (embed)
+         - iceweasel <unfixed> (embed)
+ util-linux/mount
+         - loop-aes-utils <unfixed> (embed)
+         NOTE: contains code from util-linux' mount in the mount-aes-udeb
+ webmin
+         - usermin <unknown> (embed)
+         [sarge] - usermin <unfixed> (embed)
+ sylpheed
+         - sylpheed-claws <unfixed> (fork)
+ phpsysinfo
+         - egroupware <unfixed> (embed)
+         - phpgroupware <unfixed> (embed)
+ phpldapadmin
+         - [sarge] egroupware <unfixed> (embed)
+         NOTE: removed from egroupware after sarge
+ chmlib
+         - kchmviewer <unknown> (embed)
+ libavcodec/libavformat (source: ffmpeg)
+         - mplayer <unfixed> (embed; bug #395252)
+         - xvidcap <unfixed> (embed)
+         - kino <unfixed> (static)
+         - vlc <unfixed> (static)
+         - smilutils <unfixed> (static)
+         - motion <unfixed> (static)
+         - gst-ffmpeg <unfixed> (embed)
+         - gstreamer0.10-ffmpeg <unfixed> (embed)
+         - xmovie <unfixed>
+ mad MPEG decoding lib
+         - mad <unfixed> (embed)
+         - xine-lib <unfixed> (embed)
+ libdts:
+ libdts
+ xine-lib
+ flac:
+ flac
+ xine-lib
+ liba52:
+ a52dec
+ xine-lib
+ libmpeg2:
+ mpeg2dec
+ xine-lib
+ curl:
+ wget (code for NTLM authentication)
+ TODO evaluate:
+ gimp-gap (potentially using ffmpeg code as well)
+ uw-imap:
+ pine
+ alpine
+ imagemagick:
+ graphicsmagick
+ halibut:
+ nsis
+ libghttp:
+ hotway
+ libsndfile:
+ ardour
+ glibmm2.4:
+ ardour
+ libgnomecanvasmm2.6:
+ ardour
+ libsigc++-2.0:
+ ardour
+ soundtouch:
+ ardour
+ libmms:
+ xine-lib
+ mimms
+ FCKeditor: (packaged as fckeditor)
+ knowledgeroot
+ moin (452599)
+ karrigell (452598)
+ gforge-plugins-extra (fixed since 4.6.99+svn6225-1)
+ Moodle contains lots of things:
+ AdoDB
+ AdoDB-XML Schema
+ ipatlas
+ PHPMailer
+ Smarty
+ htmlArea
+ TinyMCE
+ bennu
+ TinyMCE:
+ wordpress
+ moodle
+ knowledgeroot
+ joomla (ITP)
+ scintilla:
+ scite
+ qscintilla
+ qscintilla2
+ geany
+ libphp-adodb:
+ gallery2
+ phppgadmin
  egroupware
  phpwiki
- php4 (php-pear, IIRC this was reorganized some weeks ago?)
+ ipplan
- tikiwiki (not packaged in Debian)
+ typo3
+ moodle
+ cacti (dependency exists, but internal version is used -- only in sarge, fixed in etch)
+ gzip:
+ linux-kernel (lib/inflate.c)
+ klibc (based on linux-kernel gzip code)
+ busybox
- shtool: (affects build-time only)
+ neon:
- mysql-ocaml
+ cadaver (all, but being worked on: #188381)
- php4
+ gnome-vfs2 (#395874)
+ litmus (#395875)
+ screem (sarge only)
+ sitecopy (#395876)
+ tla (etch/sid only: #395877)
+ libmodplug:
+ gst-plugins-bad0.10
- mozilla:
+ libvncserver:
- mozilla-firefox
+ vino
- mozilla-thunderbird
- nvu
+ putty:
+ filezilla
- xli:
+ tinyxml (not packaged in Debian):
- xloadimage
+ filezilla
+ gv:
+ evince (ps/ tree from gv 3.5.8)
+ evince-gtk (not packaged in Debian)
- lesstif: (beware: two different lesstif APIs supported in one package, 1.2 discarded upstream)
+ libXbae:
- openmotif
+ libpawlib2-lesstif package (from Cernlib)
- xfree86/xorg (in libxpm, still the case with x.org?
+ libXaw:
+ libpawlib2-lesstif package (from Cernlib)
- kerberized apps with BSD origin:
+ (I plan to deal with the above two cases after Etch release. -- KevinMcCarty)
- krb4
- krb5
+ libgd2:
- heimdal
+ graphviz (lib/gd seems to be 2.0.33)
+ rar:
+ unrar-nonfree
+ unrar-free: (maybe this code is derived from the original rar, too?)
+ clamav (seems to be disabled in default config)
- grip: (which pkg is the origin?)
+ mplayer (DirectMedia Object loader):
- libcdaudio
+ xine-lib (src/libw32dll/)
- grip
+ vlc (modules/codec/dmo/)
- gnome-vfs (vfs2 as well?)
+ libwpd (WordPerfect converter):
+ openoffice.org
+ fsplib (http://sourceforge.net/projects/fsp/):
+ gftp (lib/fsplib version 0.3)
+ librpcsecgss:
+ krb5
+ jasper:
+ ghostscript
+ gs-gpl
- fudforum:
+ libidn:
- phpgroupware-fudforum
+ monotone
- egroupware-fudforum
+ liblua:
+ monotone
- cvs:
+ libbotan:
- gcvs (at least an additional script is included, check if there's more)
+ montone
- pcre:
+ NetXX:
- python
+ monotone
- php4 (src included, but Debian package links dynamically)
- analog (src included, but Debian package links dynamically)
- libgoffice-1
- tf5 (since 5.0beta7 the Debian package links dynamically)
- tiff:
+ libgc:
- wxpythongtk (check, which debian pkg this is in)
+ mono
- older kdegraphics/kpdf releases < 3.3 embedded a copy
- uudeview:
+ lzma:
- libconvert-uulib-perl
+ p7zip
- sqlite: (not affected by security vulnerabilities so far)
+ lzo:
- amarok
+ grub2
- uudeview:
+ pax code:
- libconvert-uulib-perl
+ tar
+ cpio
- util-linux/mount:
+ t1lib:
- loop-aes-utils contains code from util-linux' mount in the mount-aes-udeb
+ tetex-bin (links to system t1lib since 2.0.2)
+ texlive-bin (links to system t1lib)
- webmin:
- usermin (they share at least a miniserv.pl mini web server)

 Legend:



Removed from v.2104
 


changed lines


 
Added in v.7830
 Legend:



Removed from v.2104
 


changed lines


 
Added in v.7830
-Removed from v.2104
+Added in v.7830

	ViewVC Help
Powered by ViewVC 1.1.5