/[secure-testing]/data/embedded-code-copies

Diff of /data/embedded-code-copies

Parent Directory | Revision Log | View Patch Patch

-revision 7830 by nion,
Fri Jan  4 18:01:23 2008 UTC
+revision 8587 by nion,
Sun Apr 20 18:24:56 2008 UTC
 Line 1
  Embedded code copies
  ====================
- This file collects cases, where a source package embeds code from
+ This file collects source packages that embed code from other projects.
- other projects which is considered bad for fixing security flaws
+ This is considered bad for fixing security flaws because the fix needs
- because the fix needs to be applied in multiple source packages.
+ to be applied in multiple source packages.
  Format:
  <srcpkg> (<optional comment about srcpkg>)
          - <embedding srcpkg> <status> (<sort>; bug #<number>)
          NOTE: optional comments about the linkage of the embedding srcpkg
- status: version number fixing the embedded copy, <unfixed>, <removed> or <unknown> if the version number can not be determined
+ status: version number fixing the embedded copy, <unfixed>, <removed>,
+         <itp> or <unknown> if the version number can not be determined
+         <unfixable> for unavoidable cases (e.g., forks that add real value)
  sort: static (linking statically against a lib)
        embed (embedding a copy of the library into another source package)
-       fork (the package is not just embedding code but it is a fork and thus might share parts of the source code)
+       fork (the package is not just embedding code but it is a fork and
+             thus might share parts of the source code)
+       old-version (the package is an older version of essentially
+                    the same code)
- The srcpkg might be some string to identify the code if there is no specific source package.
+ The srcpkg might be some string to identify the code if there is no
+ specific source package.
+ Everything up to the next line is ignored.
+ ---BEGIN
  xpdf (some srcpkgs use xpdf2 code, some xpdf3 code)
          NOTE: Fixed packages link to poppler library unless otherwise noted
          - gpdf <removed>
-Line 44 
 xpdf (some srcpkgs use xpdf2 code, some
+Line 52 
 xpdf (some srcpkgs use xpdf2 code, some
  ppmd
          - libcomplearn-mod-ppmd <unfixed> (embed; bug #458152)
+ peercast
+         - gnome-peercast <unfixed> (embed)
+         NOTE: gnome-peercast may better be removed, see #466539
  silc-toolkit
          - silc-client 1.1~beta6-1 (embed)
-Line 64 
 zlib (lots of apps embed a copy, but lin
+Line 76 
 zlib (lots of apps embed a copy, but lin
          - pvpgn 1.7.8-2 (embed)
          - mrtg 2.12.2-1 (embed)
          - rpm <unknown> (embed)
-         NOTE: pinged joeyh since when rpm was fixed
+         NOTE: pinged anibal since when rpm was fixed
  libbz2
          - dpkg <unfixed> (static)
-Line 147 
 pcre
+Line 159 
 pcre
          - yacas <unfixed> (embed)
          NOTE: <= 1.0.x; is using pcre to scan text, can execute shell commands via the syntax anyway
          - gtamsanalyzer.app 0.42-5 (embed)
+         - tin <unknown> (embed)
  tiff
-         - wxpythongtk <unfixed> (embed)
+         - wxwindows2.4 2.2.1 (embed)
-         TODO: check, which debian pkg this is in
  uudeview
          - libconvert-uulib-perl <unfixed> (embed)
-Line 176 
 phpsysinfo
+Line 188 
 phpsysinfo
          - phpgroupware <unfixed> (embed)
  phpldapadmin
-         - [sarge] egroupware <unfixed> (embed)
+         [sarge] - egroupware <unfixed> (embed)
          NOTE: removed from egroupware after sarge
  chmlib
-Line 192 
 libavcodec/libavformat (source: ffmpeg)
+Line 204 
 libavcodec/libavformat (source: ffmpeg)
          - gst-ffmpeg <unfixed> (embed)
          - gstreamer0.10-ffmpeg <unfixed> (embed)
          - xmovie <unfixed>
+         TODO: gimp-gap (potentially using ffmpeg code as well)
  mad MPEG decoding lib
          - mad <unfixed> (embed)
          - xine-lib <unfixed> (embed)
- libdts:
  libdts
- xine-lib
+         - xine-lib <unfixed> (embed)
- flac:
  flac
- xine-lib
+         - xine-lib <unfixed> (embed)
- liba52:
- a52dec
- xine-lib
- libmpeg2:
- mpeg2dec
- xine-lib
- curl:
- wget (code for NTLM authentication)
- TODO evaluate:
+ liba52
- gimp-gap (potentially using ffmpeg code as well)
+         - a52dec <unfixed> (embed)
+         - xine-lib <unfixed> (embed)
- uw-imap:
+ libmpeg2
- pine
+         - mpeg2dec <unfixed> (embed)
- alpine
+         - xine-lib <unfixed> (embed)
- imagemagick:
+ curl
- graphicsmagick
+         - wget <unfixed> (embed)
+         NOTE: code for NTLM authentication
- halibut:
+ uw-imap
- nsis
+         - pine <unfixed> (embed)
+         - alpine <unfixed> (embed)
- libghttp:
+ imagemagick
- hotway
+         - graphicsmagick <unfixed> (fork)
- libsndfile:
+ halibut
- ardour
+         - nsis <unfixed> (embed)
- glibmm2.4:
+ libghttp
- ardour
+         - hotway <unfixed> (embed)
- libgnomecanvasmm2.6:
+ libsndfile
- ardour
+         - ardour <unfixed> (embed)
- libsigc++-2.0:
+ glibmm2.4
- ardour
+         - ardour <unfixed> (embed)
- soundtouch:
+ libgnomecanvasmm2.6
- ardour
+         - ardour <unfixed> (embed)
- libmms:
+ libsigc++-2.0
- xine-lib
+         - ardour <unfixed> (embed)
- mimms
- FCKeditor: (packaged as fckeditor)
+ soundtouch
- knowledgeroot
+         - ardour <unfixed> (embed)
- moin (452599)
- karrigell (452598)
- gforge-plugins-extra (fixed since 4.6.99+svn6225-1)
+ libmms
+         - xine-lib <unfixed> (embed)
+         - mimms <unfixed> (embed)
+ fckeditor
+         - knowledgeroot 0.9.8.5-3 (embed; bug #461555)
+         - moin <unfixed> (embed; bug #452599)
+         - karrigell <unfixed> (embed; bug #452598)
+         - gforge-plugins-extra 4.6.99+svn6225-1 (embed)
+ ipatlas (not packaged in Debian)
+         - moodle <unfixed> (embed)
+ libphp-phpmailer
+         - moodle <unfixed> (embed)
+ htmlArea (not packaged in Debian)
+         - moodle <unfixed> (embed)
+ giflib:
+         - wine <unfixed> (embed; bug #466181)
+ bennu (not packaged in Debian)
+         - moodle <unfixed> (embed)
+ smarty:
+         - moodle <unfixed> (embed; bug #471158)
+         - gallery2 <unfixed> (embed; bug #471160)
+         - mahara 0.9.2-2 (embed; bug #471201)
+         - gosa 2.4beta1-1 (embed; bug #471200)
- Moodle contains lots of things:
- AdoDB
- AdoDB-XML Schema
- ipatlas
- PHPMailer
- Smarty
- htmlArea
  TinyMCE
- bennu
+         - wordpress <unfixed> (embed)
+         - moodle <unfixed> (embed)
- TinyMCE:
+         - knowledgeroot <unfixed> (embed)
- wordpress
+         - joomla <itp> (bug #326398)
- moodle
- knowledgeroot
+ scintilla
- joomla (ITP)
+         - scite <unfixed> (embed)
+         - qscintilla <unfixed> (embed)
- scintilla:
+         - qscintilla2 <unfixed> (embed)
- scite
+         - geany <unfixed> (embed)
- qscintilla
- qscintilla2
+ libphp-adodb
- geany
+         - moodle <unfixed> (embed)
+         NOTE: also AdoDB-XML Schema
- libphp-adodb:
+         - gallery2 <unfixed> (embed)
- gallery2
+         - phppgadmin <unfixed> (embed)
- phppgadmin
+         - egroupware <unfixed> (embed)
- egroupware
+         - phpwiki <unfixed> (embed)
- phpwiki
+         - ipplan <unfixed> (embed)
- ipplan
+         - typo3 <unfixed> (embed)
- typo3
+         - moodle <unfixed> (embed)
- moodle
+         - cacti <unknown> (embed)
- cacti (dependency exists, but internal version is used -- only in sarge, fixed in etch)
+         [sarge] - cacti <unfixed> (embed)
+         NOTE: dependency exists, but internal version is used
- gzip:
- linux-kernel (lib/inflate.c)
+ gzip
- klibc (based on linux-kernel gzip code)
+         - linux-kernel <unfixed> (embed)
- busybox
+         NOTE: lib/inflate.c
+         - klibc <unfixed> (embed)
- neon:
+         NOTE: based on linux-kernel gzip code
- cadaver (all, but being worked on: #188381)
+         - busybox <unfixed> (embed)
- gnome-vfs2 (#395874)
- litmus (#395875)
+ neon
- screem (sarge only)
+         - cadaver <unfixed> (embed; bug #188381)
- sitecopy (#395876)
+         - gnome-vfs2 <unfixed> (embed; bug #395874)
- tla (etch/sid only: #395877)
+         - litmus <unfixed> (embed; #395875)
+         [sarge] - screem <unfixed> (embed)
- libmodplug:
+         - sitecopy <unfixed> (embed; bug #395876)
- gst-plugins-bad0.10
+         [etch] - tla <unfixed> (embed; bug #395877)
+         [sarge] - tla <unfixed> (embed; bug #395877)
- libvncserver:
- vino
+ libmodplug
+         - gst-plugins-bad0.10 <unfixed> (embed)
- putty:
- filezilla
+ libvncserver
+         - vino <unfixed> (embed)
- tinyxml (not packaged in Debian):
- filezilla
+ putty
+         - filezilla <unfixed> (embed)
- gv:
- evince (ps/ tree from gv 3.5.8)
+ tinyxml (not packaged in Debian)
- evince-gtk (not packaged in Debian)
+         - filezilla <unfixed>
- libXbae:
+ gv
- libpawlib2-lesstif package (from Cernlib)
+         - evince <unfixed> (embed)
+         NOTE: ps/ tree from gv 3.5.8
- libXaw:
+         - evince-gtk <unfixed> (embed)
- libpawlib2-lesstif package (from Cernlib)
+         NOTE: not packaged in Debian
- (I plan to deal with the above two cases after Etch release. -- KevinMcCarty)
+ libXbae
+         [etch] - libpawlib2-lesstif <unfixed> (embed)
- libgd2:
+         NOTE: from Cernlib
- graphviz (lib/gd seems to be 2.0.33)
+ libXaw
- rar:
+         [etch] - libpawlib2-lesstif
- unrar-nonfree
+         NOTE: from Cernlib
+         NOTE: I plan to deal with the above two cases after Etch release. -- KevinMcCarty
- unrar-free: (maybe this code is derived from the original rar, too?)
- clamav (seems to be disabled in default config)
+ libgd2
+         - graphviz <unfixed> (embed)
+         NOTE: lib/gd seems to be 2.0.33
+         - wml <unfixed> (embed)
+         NOTE: derived from gd 1.6.3
+ rar
+         - unrar-nonfree <unfixed> (embed)
+ unrar-free (maybe this code is derived from the original rar, too?)
+         - clamav <unfixed> (embed)
+         NOTE: seems to be disabled in default config
- mplayer (DirectMedia Object loader):
+ mplayer (DirectMedia Object loader)
- xine-lib (src/libw32dll/)
+         - xine-lib <unfixed> (embed)
- vlc (modules/codec/dmo/)
+         NOTE: src/libw32dll/
+         - vlc <unfixed> (embed)
+         NOTE: modules/codec/dmo/
+ libwpd (WordPerfect converter)
+         - openoffice.org <unfixed> (embed)
+ fsplib (http://sourceforge.net/projects/fsp/)
+         - gftp <unfixed> (embed)
+         NOTE: lib/fsplib version 0.3
- libwpd (WordPerfect converter):
+ librpcsecgss
- openoffice.org
+         - krb5 <unfixed> (embed)
- fsplib (http://sourceforge.net/projects/fsp/):
+ jasper
- gftp (lib/fsplib version 0.3)
+         - ghostscript <unfixed> (embed)
+         - gs-gpl <unfixed> (embed)
- librpcsecgss:
+ libidn
- krb5
+         - monotone <unfixed> (embed)
- jasper:
+ liblua
- ghostscript
+         - monotone <unfixed> (embed)
- gs-gpl
- libidn:
+ libbotan
- monotone
+         - montone <unfixed> (embed)
- liblua:
+ NetXX
- monotone
+         - monotone <unfixed> (embed)
- libbotan:
+ libgc
- montone
+         - mono <unfixed> (embed)
- NetXX:
+ lzma
- monotone
+         - p7zip <unfixed> (embed)
- libgc:
+ lzo
- mono
+         - grub2 <unfixed> (embed)
- lzma:
+ yassl
- p7zip
+         - mysql-dfsg-5.0 <unfixed> (embed)
- lzo:
+ pax code
- grub2
+         - tar <unfixed> (embed)
+         - cpio <unfixed> (embed)
+ t1lib
+         - tetex-bin 2.0.2-1 (embed)
+         - texlive-bin <unknown> (embed)
+ guichan
+         - boswars <unfixed> (embed)
+         NOTE: maintainer notified us, working on it
+ tolua
+         - boswars <unfixed> (embed)
+         NOTE: maintainer notified us, working on it
+ asio-dev
+         - luxrender <unfixed> (embed)
+         NOTE: maintainer notified us, working on it
+         NOTE: may be merged with boost "soon"
- pax code:
+ xine-lib
- tar
+         - vlc <unfixed> (embed)
- cpio
+         NOTE: only parts included in modules/access/rtsp
- t1lib:
+ netpbm
- tetex-bin (links to system t1lib since 2.0.2)
+         - tcl8.3 <unfixed> (embed)
- texlive-bin (links to system t1lib)
+         - tcl8.4 <unfixed> (embed)
+         - tcl8.5 <unfixed> (embed)
+         NOTE: generic/tkImgGIF.c
+ tk8.5
+         - tk8.0 <removed> (old-version)
+         - tk8.3 <unfixed> (old-version)
+         - tk8.4 <unfixed> (old-version)
+         - perl-tk <unfixable> (fork)
+ samba
+         - mc <unfixed> (embed)
+         NOTE: maintainer is aware of this, currently searching a solution
+ plib1.8.4c2
+         - boson <unfixed> (fork)
+         NOTE: embedding the font pieces of plib, based on the header file it is forked, contains "Added by AB for boson." and similar
+ fribidi
+         - quesoglc <unfixed> (embed)
+ glew
+         - quesoglc <unfixed> (embed)
+ minorGems
+         - transcend <unfixed> (embed)
+         - cultivation <unfixed> (embed)
+ libarchive
+         - tar <unfixed> (embed)
+         NOTE: FreeBSD tar (tar/bsdtar.c) in libarchive 1.2 and higher. libarchive ends up statically linked into bsdtar executable
+         - cpio <unfixed> (embed)
+         NOTE: cpio included in libarchive 2.2 and higher, but not compiled until libarchive 2.4.11-1 (as bsdcpio package)
+ webkit
+         - qt4-x11 <unfixed> (embed)

 Legend:



Removed from v.7830
 


changed lines


 
Added in v.8587
 Legend:



Removed from v.7830
 


changed lines


 
Added in v.8587
-Removed from v.7830
+Added in v.8587

	ViewVC Help
Powered by ViewVC 1.1.5