/[secure-testing]/data/embedded-code-copies

Diff of /data/embedded-code-copies

Parent Directory | Revision Log | View Patch Patch

-revision 5440 by stef-guest,
Sun Feb 11 21:08:25 2007 UTC
+revision 8175 by nion,
Sun Feb 17 13:31:09 2008 UTC
 Line 1
- This file collects cases, where a source package embeds code from
+ Embedded code copies
- other projects, without linking dynamically:
+ ====================
- xpdf code: (some use xpdf 2, some xpdf 3)
+ This file collects source packages that embed code from other projects.
- gpdf (will be replaced by evince in Gnome 2.12)
+ This is considered bad for fixing security flaws because the fix needs
- pdftohtml (current poppler source package has a ported version, pinged maintainer)
+ to be applied in multiple source packages.
- kdegraphics/kpdf (upstream is working on using poppler, probably not in time for Etch)
- tetex-bin (links to poppler since 3.0-12)
+ Format:
- cupsys (only older releases, recent ones use xpdf-utils, it's still present in the src, though)
+ <srcpkg> (<optional comment about srcpkg>)
- poppler
+         - <embedding srcpkg> <status> (<sort>; bug #<number>)
- koffice/kword (upstream is working on using poppler, probably not in time for Etch)
+         NOTE: optional comments about the linkage of the embedding srcpkg
- libextractor (uses internal pdf decoder since 0.5.12-1)
- pdfkit.framework (links to poppler since 0.8-4)
+ status: version number fixing the embedded copy, <unfixed>, <removed>,
+         <itp> or <unknown> if the version number can not be determined
- zlib code: (lots of apps embed a copy, but link dynamically, but there are a few exceptions)
+         <unfixable> for unavoidable cases (e.g., forks that add real value)
- dpkg
+ sort: static (linking statically against a lib)
- rsync (somehow derived code base)
+       embed (embedding a copy of the library into another source package)
- mozilla(?)
+       fork (the package is not just embedding code but it is a fork and
- Linux kernels
+             thus might share parts of the source code)
- pvpgn (links dynamically since 1.7.8-2)
+       old-version (the package is an older version of essentially
- mrtg (links dynamically since 2.12.2-1)
+                    the same code)
- rpm
+ The srcpkg might be some string to identify the code if there is no
- libbz2:
+ specific source package.
- dpkg (statically linked)
+ Everything up to the next line is ignored.
- libgadu/ekg:
+ ---BEGIN
- centericq
+ xpdf (some srcpkgs use xpdf2 code, some xpdf3 code)
- gaim
+         NOTE: Fixed packages link to poppler library unless otherwise noted
- kopete (ships the code, but links dynamically in the Debian package)
+         - gpdf <removed>
- kadu (not packaged in Debian)
+         [sarge] - gpdf <unfixed>
- GNU gadu (not yet packaged in Debian)
+         NOTE: has been replaced by evince in etch
+         - pdftohtml <unknown>
- xmlrpc: (which package is the "origin" of this code?)
+         [sarge] - pdftohtml <unfixed>
- drupal
+         [etch] - pdftohtml <unfixed>
- phpgroupware
+         NOTE: has been replaced by poppler-utils
- egroupware
+         - kdegraphics <unfixed> (embed; bug #436164)
- phpwiki
+         NOTE: the kpdf replacement in KDE 4 is using poppler
- php4 (php-pear, IIRC this was reorganized some weeks ago?)
+         - tetex-bin 3.0-12 (embed)
- tikiwiki
+         - texlive-bin 2007-1 (embed)
+         NOTE: links to poppler
- shtool: (affects build-time only)
+         - koffice <unfixed> (embed; bug #436163)
- mysql-ocaml
+         - libextractor 0.5.12-1 (embed)
- php4
+         NOTE: libextractor is using its own pdf decoder now
+         - libextractor 0.5.12-1 (embed)
- mozilla:
+         - pdfkit.framework 0.8-4 (embed)
- mozilla-firefox
+         - ipe <unfixed> (embed)
- mozilla-thunderbird
+         NOTE: embeds small parts with renamed source files: ipestdfonts.cpp, ipefonts.cpp, ipedct.cpp
- firefox (to be removed)
+         - ruby-gnome2 <unknown> (embed)
- thunderbird (to be removed)
+         NOTE: copy only present in source but links to poppler
- iceweasel
- iceape
+ ppmd
- icedove
+         - libcomplearn-mod-ppmd <unfixed> (embed; bug #458152)
- xulrunner
- nvu (no longer in Debian)
+ silc-toolkit
+         - silc-client 1.1~beta6-1 (embed)
- xli:
- xloadimage
+ dietlibc
+         - ccontrol 0.9.1+20071204-1 (static)
- lesstif: (beware: two different lesstif APIs supported in one package, MOTIF 1.2 discarded upstream)
- openmotif
+ libiax
- xfree86/xorg (in libxpm)
+         - iaxmodem <unfixed> (embed)
- kerberized apps with BSD origin:
+ zlib (lots of apps embed a copy, but link dynamically, but there are a few exceptions)
- krb4
+         - dpkg <unfixed> (embed)
- krb5
+         NOTE: see 18196.48620.491996.624772@davenant.relativity.greenend.org.uk on debian-devel for discussion
- heimdal
+         - rsync <unfixed> (embed)
+         NOTE: somehow derived code base
- grip: (which pkg is the origin?)
+         - mono <unfixed> (embed)
- libcdaudio
+         TODO: check mozilla
- grip
+         - Linux kernels <unfixed> (embed)
- gnome-vfs (vfs2 as well?)
+         - pvpgn 1.7.8-2 (embed)
+         - mrtg 2.12.2-1 (embed)
- fudforum:
+         - rpm <unknown> (embed)
- phpgroupware-fudforum
+         NOTE: pinged anibal since when rpm was fixed
- egroupware-fudforum (removed from egroupware after sarge)
+ libbz2
- cvs:
+         - dpkg <unfixed> (static)
- gcvs (at least an additional script is included, check if there's more)
+ ekg
- pcre:
+         - centericq <unfixed> (embed)
- all pythons
+         - gaim <unfixed> (embed)
- php4 (src included, but Debian package links dynamically)
+         - pigdin <unfixed> (embed)(links dynamically against libgadu)
- analog (src included, but Debian package links dynamically)
+         - kopete 4:3.3.2-5 (embed)
- libgoffice-1
+         - kadu <unfixed> (embed)
- tf5 (since 5.0beta7 the Debian package links dynamically)
+         - gadu <unfixed> (embed)
+         NOTE: g/kadu not packaged in Debian yet
- tiff:
- wxpythongtk (check, which debian pkg this is in)
+ xmlrpc (which package is the "origin" of this code?)
- older kdegraphics/kpdf releases < 3.3 embedded a copy
+         - drupal <unfixed> (embed)
+         - phpgroupware <unfixed> (embed)
- uudeview:
+         - egroupware <unfixed> (embed)
- libconvert-uulib-perl
+         - phpwiki (embed)
+         - php4 <unfixed> (embed)
- sqlite: (not affected by security vulnerabilities so far)
+         TODO: check, php-pear, IIRC this was reorganized some weeks ago?
- amarok
+ shtool (affects build-time only)
- util-linux/mount:
+         - mysql-ocaml <unfixed> (embed)
- loop-aes-utils contains code from util-linux' mount in the mount-aes-udeb
+         - php4 <unfixed> (embed)
- webmin:
+ mozilla source code
- usermin (only in sarge)
+         - mozilla-firefox <unfixed> (embed)
+         - mozilla-thunderbird
- sylpheed:
+         - firefox <removed>
- sylpheed-claws
+         [etch] - firefox <unfixed> (embed)
+         - thunderbird <removed>
- phpsysinfo:
+         [etch] - thunderbird <unfixed> (embed)
- egroupware
+         - iceweasel <unfixed> (embed)
- phpgroupware
+         - iceape <unfixed> (embed)
+         - icedove <unfixed> (embed)
+         - xulrunner <unfixed> (embed)
+         - nvu <removed> (embed)
+ xli
+         - xloadimage <unfixed> (embed)
+ lesstif (beware: two different lesstif APIs supported in one package, MOTIF 1.2 discarded upstream)
+         - openmotif <unfixed> (embed)
+         - xfree86/xorg <unfixed> (embed)
+         NOTE: in libxpm
+ kerberized apps with BSD origin
+         - krb4 <unfixed> (embed)
+         - krb5 <unfixed> (embed)
+         - heimdal <unfixed> (embed)
+ grip (which pkg is the origin?)
+         - libcdaudio
+         - grip
+         - gnome-vfs
+         TODO: check vfs2 as well
+ fudforum
+         - phpgroupware-fudforum <unfixed> (embed)
+         - egroupware-fudforum <removed>
+         [sarge] - egroupware-fudforum <unfixed> (embed)
+ cvs
+         - gcvs <unfixed> (embed)
+         NOTE: see cvsunix/src in tarball
+ pcre
+         - python* <unfixed> (embed)
+         - php4 <unknown> (embed)
+         - analog 2:5.23-0woody1 (embed)
+         - libgoffice-1 <unfixed> (embed)
+         - vfu 4.06-4.1 (embed; bug #450754)
+         - tf5 5.0beta7-1 (embed)
+         - monotone <unfixed> (embed)
+         NOTE: this only affects versions >= 0.37
+         - glib <unfixed> (embed)
+         NOTE: 2.14 series for gregex support, only for udeb, regular packag links dynamic
+         - apache2 2.0.53-4 (embed)
+         - exim4 4.10-0.srh20.12 (embed)
+         - yacas <unfixed> (embed)
+         NOTE: <= 1.0.x; is using pcre to scan text, can execute shell commands via the syntax anyway
+         - gtamsanalyzer.app 0.42-5 (embed)
+ tiff
+         - wxpythongtk <unfixed> (embed)
+         TODO: check, which debian pkg this is in
+ uudeview
+         - libconvert-uulib-perl <unfixed> (embed)
+ sqlite (not affected by security vulnerabilities so far)
+         - amarok <unfixed> (embed)
+         - monotone <unfixed> (embed)
+         - iceweasel <unfixed> (embed)
+ util-linux/mount
+         - loop-aes-utils <unfixed> (embed)
+         NOTE: contains code from util-linux' mount in the mount-aes-udeb
+ webmin
+         - usermin <unknown> (embed)
+         [sarge] - usermin <unfixed> (embed)
+ sylpheed
+         - sylpheed-claws <unfixed> (fork)
+ phpsysinfo
+         - egroupware <unfixed> (embed)
+         - phpgroupware <unfixed> (embed)
+ phpldapadmin
+         [sarge] - egroupware <unfixed> (embed)
+         NOTE: removed from egroupware after sarge
+ chmlib
+         - kchmviewer <unknown> (embed)
+ libavcodec/libavformat (source: ffmpeg)
+         - mplayer <unfixed> (embed; bug #395252)
+         - xvidcap <unfixed> (embed)
+         - kino <unfixed> (static)
+         - vlc <unfixed> (static)
+         - smilutils <unfixed> (static)
+         - motion <unfixed> (static)
+         - gst-ffmpeg <unfixed> (embed)
+         - gstreamer0.10-ffmpeg <unfixed> (embed)
+         - xmovie <unfixed>
+         TODO: gimp-gap (potentially using ffmpeg code as well)
+ mad MPEG decoding lib
+         - mad <unfixed> (embed)
+         - xine-lib <unfixed> (embed)
- phpldapadmin:
+ libdts
- egroupware (removed from egroupware after sarge)
+         - xine-lib <unfixed> (embed)
- chmlib:
+ flac
- kchmviewer (not packaged in Debian)
+         - xine-lib <unfixed> (embed)
- libavcodec/libavformat:
+ liba52
- ffmpeg
+         - a52dec <unfixed> (embed)
- xine-lib
+         - xine-lib <unfixed> (embed)
- xvidcap
- kino (links statically, does not include code)
- vlc (links statically, does not include code)
- smilutils (links statically, does not include code)
- motion (links statically, does not include code)
- gst-ffmpeg
- gstreamer0.10-ffmpeg
- xmovie
- mad MPEG decoding lib:
+ libmpeg2
- mad
+         - mpeg2dec <unfixed> (embed)
- xine-lib
+         - xine-lib <unfixed> (embed)
- libdts:
+ curl
- libdts
+         - wget <unfixed> (embed)
- xine-lib
+         NOTE: code for NTLM authentication
- flac:
+ uw-imap
- flac
+         - pine <unfixed> (embed)
- xine-lib
+         - alpine <unfixed> (embed)
- liba52:
+ imagemagick
- a52dec
+         - graphicsmagick <unfixed> (fork)
- xine-lib
- libmpeg2:
+ halibut
- mpeg2dec
+         - nsis <unfixed> (embed)
- xine-lib
- curl:
+ libghttp
- wget (code for NTLM authentication)
+         - hotway <unfixed> (embed)
- TODO evaluate:
+ libsndfile
- gimp-gap (potentially using ffmpeg code as well)
+         - ardour <unfixed> (embed)
- uw-imap:
+ glibmm2.4
- pine
+         - ardour <unfixed> (embed)
- imagemagick:
+ libgnomecanvasmm2.6
- graphicsmagick
+         - ardour <unfixed> (embed)
- halibut:
+ libsigc++-2.0
- nsis
+         - ardour <unfixed> (embed)
- libghttp:
+ soundtouch
- hotway
+         - ardour <unfixed> (embed)
- etl-dev (will be renamed to libetl-dev soon):
+ libmms
- synfig
+         - xine-lib <unfixed> (embed)
+         - mimms <unfixed> (embed)
- libmms:
+ fckeditor
- xine-lib
+         - knowledgeroot 0.9.8.5-3 (embed; bug #461555)
- mimms
+         - moin <unfixed> (embed; bug #452599)
+         - karrigell <unfixed> (embed; bug #452598)
+         - gforge-plugins-extra 4.6.99+svn6225-1 (embed)
- FCKeditor:
+ ipatlas (not packaged in Debian)
- knowledgeroot
+         - moodle <unfixed> (embed)
- Moodle contains lots of things:
+ libphp-phpmailer
- AdoDB
+         - moodle <unfixed> (embed)
- AdoDB-XML Schema
- ipatlas
- PHPMailer
- Smarty
- htmlArea
- TinyMCE
- bennu
- TinyMCE:
+ htmlArea (not packaged in Debian)
- wordpress
+         - moodle <unfixed> (embed)
- moodle
- knowledgeroot
- joomla (ITP)
- scintilla:
- scite
- qscintilla
- geany
- libphp-adodb:
- gallery2
- phppgadmin
- egroupware
- phpwiki
- moodle
- cacti (dependency exists, but internal version is used -- only in sarge, fixed in etch)
- gzip:
- linux-kernel (lib/inflate.c)
- klibc (based on linux-kernel gzip code)
- busybox
- ffmpeg:
- mplayer (#395252)
- neon:
- cadaver (all, but being worked on: #188381)
- gnome-vfs2 (#395874)
- litmus (#395875)
- screem (sarge only)
- sitecopy (#395876)
- tla (etch/sid only: #395877)
- libmodplug:
- gst-plugins-bad0.10
- libvncserver:
- vino
- putty:
- filezilla
- tinyxml (not packaged in Debian):
- filezilla
- gv:
- evince (ps/ tree from gv 3.5.8)
- evince-gtk (not packaged in Debian)
- libXbae:
- libpawlib2-lesstif package (from Cernlib)
- libXaw:
- libpawlib2-lesstif package (from Cernlib)
- (I plan to deal with the above two cases after Etch release. -- KevinMcCarty)
- libgd2:
+ giflib:
- graphviz (lib/gd seems to be 2.0.33)
+         - wine <unfixed> (embed; bug #466181)
- rar:
+ bennu (not packaged in Debian)
- unrar-nonfree
+         - moodle <unfixed> (embed)
- unrar-free: (maybe this code is derived from the original rar, too?)
+ smarty:
- clamav (seems to be disabled in default config)
+         - moodle <unfixed> (embed)
+ TinyMCE
+         - wordpress <unfixed> (embed)
+         - moodle <unfixed> (embed)
+         - knowledgeroot <unfixed> (embed)
+         - joomla <itp> (bug #326398)
+ scintilla
+         - scite <unfixed> (embed)
+         - qscintilla <unfixed> (embed)
+         - qscintilla2 <unfixed> (embed)
+         - geany <unfixed> (embed)
+ libphp-adodb
+         - moodle <unfixed> (embed)
+         NOTE: also AdoDB-XML Schema
+         - gallery2 <unfixed> (embed)
+         - phppgadmin <unfixed> (embed)
+         - egroupware <unfixed> (embed)
+         - phpwiki <unfixed> (embed)
+         - ipplan <unfixed> (embed)
+         - typo3 <unfixed> (embed)
+         - moodle <unfixed> (embed)
+         - cacti <unknown> (embed)
+         [sarge] - cacti <unfixed> (embed)
+         NOTE: dependency exists, but internal version is used
+ gzip
+         - linux-kernel <unfixed> (embed)
+         NOTE: lib/inflate.c
+         - klibc <unfixed> (embed)
+         NOTE: based on linux-kernel gzip code
+         - busybox <unfixed> (embed)
+ neon
+         - cadaver <unfixed> (embed; bug #188381)
+         - gnome-vfs2 <unfixed> (embed; bug #395874)
+         - litmus <unfixed> (embed; #395875)
+         [sarge] - screem <unfixed> (embed)
+         - sitecopy <unfixed> (embed; bug #395876)
+         [etch] - tla <unfixed> (embed; bug #395877)
+         [sarge] - tla <unfixed> (embed; bug #395877)
+ libmodplug
+         - gst-plugins-bad0.10 <unfixed> (embed)
+ libvncserver
+         - vino <unfixed> (embed)
+ putty
+         - filezilla <unfixed> (embed)
+ tinyxml (not packaged in Debian)
+         - filezilla <unfixed>
+ gv
+         - evince <unfixed> (embed)
+         NOTE: ps/ tree from gv 3.5.8
+         - evince-gtk <unfixed> (embed)
+         NOTE: not packaged in Debian
+ libXbae
+         [etch] - libpawlib2-lesstif <unfixed> (embed)
+         NOTE: from Cernlib
+ libXaw
+         [etch] - libpawlib2-lesstif
+         NOTE: from Cernlib
+         NOTE: I plan to deal with the above two cases after Etch release. -- KevinMcCarty
+ libgd2
+         - graphviz <unfixed> (embed)
+         NOTE: lib/gd seems to be 2.0.33
+         - wml <unfixed> (embed)
+         NOTE: derived from gd 1.6.3
+ rar
+         - unrar-nonfree <unfixed> (embed)
+ unrar-free (maybe this code is derived from the original rar, too?)
+         - clamav <unfixed> (embed)
+         NOTE: seems to be disabled in default config
+ mplayer (DirectMedia Object loader)
+         - xine-lib <unfixed> (embed)
+         NOTE: src/libw32dll/
+         - vlc <unfixed> (embed)
+         NOTE: modules/codec/dmo/
+ libwpd (WordPerfect converter)
+         - openoffice.org <unfixed> (embed)
+ fsplib (http://sourceforge.net/projects/fsp/)
+         - gftp <unfixed> (embed)
+         NOTE: lib/fsplib version 0.3
+ librpcsecgss
+         - krb5 <unfixed> (embed)
+ jasper
+         - ghostscript <unfixed> (embed)
+         - gs-gpl <unfixed> (embed)
+ libidn
+         - monotone <unfixed> (embed)
+ liblua
+         - monotone <unfixed> (embed)
+ libbotan
+         - montone <unfixed> (embed)
+ NetXX
+         - monotone <unfixed> (embed)
+ libgc
+         - mono <unfixed> (embed)
+ lzma
+         - p7zip <unfixed> (embed)
+ lzo
+         - grub2 <unfixed> (embed)
+ yassl
+         - mysql-dfsg-5.0 <unfixed> (embed)
+ pax code
+         - tar <unfixed> (embed)
+         - cpio <unfixed> (embed)
+ t1lib
+         - tetex-bin 2.0.2-1 (embed)
+         - texlive-bin <unknown> (embed)
+ guichan
+         - boswars <unfixed> (embed)
+         NOTE: maintainer notified us, working on it
+ tolua
+         - boswars <unfixed> (embed)
+         NOTE: maintainer notified us, working on it
+ asio-dev
+         - luxrender <unfixed> (embed)
+         NOTE: maintainer notified us, working on it
+         NOTE: may be merged with boost "soon"
+ xine-lib
+         - vlc <unfixed> (embed)
+         NOTE: only parts included in modules/access/rtsp
+ netpbm
+         - tcl8.3 <unfixed> (embed)
+         - tcl8.4 <unfixed> (embed)
+         - tcl8.5 <unfixed> (embed)
+         NOTE: generic/tkImgGIF.c
+ tk8.5
+         - tk8.0 <removed> (old-version)
+         - tk8.3 <unfixed> (old-version)
+         - tk8.4 <unfixed> (old-version)
+         - perl-tk <unfixable> (fork)

 Legend:



Removed from v.5440
 


changed lines


 
Added in v.8175
 Legend:



Removed from v.5440
 


changed lines


 
Added in v.8175
-Removed from v.5440
+Added in v.8175

	ViewVC Help
Powered by ViewVC 1.1.5