
Diff of /data/embedded-code-copies


revision 7136 by nion, Mon Oct 29 08:12:38 2007 UTC revision 8281 by nion, Thu Mar 6 13:49:15 2008 UTC
# Line 1  Line 1 
1  This file collects cases, where a source package embeds code from  Embedded code copies
2  other projects, without linking dynamically:  ====================
3    
4  xpdf code: (some use xpdf 2, some xpdf 3)  This file collects source packages that embed code from other projects.
5  gpdf (has been replaced by evince - which uses poppler - in Etch)  This is considered bad for fixing security flaws because the fix needs
6  pdftohtml (has been replaced by poppler-utils from the poppler source package, still in Etch, though)  to be applied in multiple source packages.
7  kdegraphics/kpdf (okular, the kpdf replacement in KDE 4 is using poppler, #436164)  
8  tetex-bin (links to poppler since 3.0-12)  Format:
9  cupsys (uses xpdf-utils, it's still present in the src, though)  <srcpkg> (<optional comment about srcpkg>)
10  poppler          - <embedding srcpkg> <status> (<sort>; bug #<number>)
11  koffice/kword (upstream is working on using poppler, #436163)          NOTE: optional comments about the linkage of the embedding srcpkg
12  libextractor (uses internal pdf decoder since 0.5.12-1)  
13  pdfkit.framework (links to poppler since 0.8-4)  status: version number fixing the embedded copy, <unfixed>, <removed>,
14  ipe (only small parts, but with renamed source files: ipestdfonts.cpp, ipefonts.cpp, ipedct.cpp)          <itp> or <unknown> if the version number can not be determined
15            <unfixable> for unavoidable cases (e.g., forks that add real value)
16  silc-toolkit:  sort: static (linking statically against a lib)
17  silc-client (uses libsilc and libsilcclient)        embed (embedding a copy of the library into another source package)
18          fork (the package is not just embedding code but it is a fork and
19  dietlibc:              thus might share parts of the source code)
20  ccontrol (links statically)        old-version (the package is an older version of essentially
21                       the same code)
22  libiax:  
23  iaxmodem  The srcpkg might be some string to identify the code if there is no
24    specific source package.
25  zlib code: (lots of apps embed a copy, but link dynamically, but there are a few exceptions)  
26  dpkg  Everything up to the next line is ignored.
27  rsync (somehow derived code base)  ---BEGIN
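Review bot: the Format block documents `<srcpkg>`, status and sort, but not the `[sarge]` / `[etch]` prefix that entries after the `---BEGIN` marker use (for example `[sarge] - gpdf <unfixed>`), and it does not say whether the `(<sort>; bug #<number>)` part may be left out. The header states that everything before `---BEGIN` is ignored, which suggests the body is meant to be read by a tool; add the release prefix to the Format line and mark which fields are optional, so that entries can be checked against it.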
28  mono  xpdf (some srcpkgs use xpdf2 code, some xpdf3 code)
29  mozilla(?)          NOTE: Fixed packages link to poppler library unless otherwise noted
30  Linux kernels          - gpdf <removed>
31  pvpgn (links dynamically since 1.7.8-2)          [sarge] - gpdf <unfixed>
32  mrtg (links dynamically since 2.12.2-1)          NOTE: has been replaced by evince in etch
33  rpm          - pdftohtml <unknown>
34            [sarge] - pdftohtml <unfixed>
35  libbz2:          [etch] - pdftohtml <unfixed>
36  dpkg (statically linked)          NOTE: has been replaced by poppler-utils
37            - kdegraphics <unfixed> (embed; bug #436164)
38  libgadu/ekg:          NOTE: the kpdf replacement in KDE 4 is using poppler
39  centericq          - tetex-bin 3.0-12 (embed)
40  gaim          - texlive-bin 2007-1 (embed)
41  kopete (ships the code, but links dynamically in the Debian package)          NOTE: links to poppler
42  kadu (not packaged in Debian)          - koffice <unfixed> (embed; bug #436163)
43  GNU gadu (not yet packaged in Debian)          - libextractor 0.5.12-1 (embed)
44            NOTE: libextractor is using its own pdf decoder now
45  xmlrpc: (which package is the "origin" of this code?)          - libextractor 0.5.12-1 (embed)
46  drupal          - pdfkit.framework 0.8-4 (embed)
47  phpgroupware          - ipe <unfixed> (embed)
48  egroupware          NOTE: embeds small parts with renamed source files: ipestdfonts.cpp, ipefonts.cpp, ipedct.cpp
49  phpwiki          - ruby-gnome2 <unknown> (embed)
50  php4 (php-pear, IIRC this was reorganized some weeks ago?)          NOTE: copy only present in source but links to poppler
51  tikiwiki  
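Review bot: `- libextractor 0.5.12-1 (embed)` appears twice in the xpdf stanza, once before and once after the NOTE about libextractor using its own pdf decoder. Drop the second copy so the NOTE stays attached to a single entry.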
52    ppmd
53  shtool: (affects build-time only)          - libcomplearn-mod-ppmd <unfixed> (embed; bug #458152)
54  mysql-ocaml  
55  php4  peercast
56            - gnome-peercast <unfixed> (embed)
57  mozilla:          NOTE: gnome-peercast may better be removed, see #466539
58  mozilla-firefox  
59  mozilla-thunderbird  silc-toolkit
60  firefox (to be removed)          - silc-client 1.1~beta6-1 (embed)
61  thunderbird (to be removed)  
62  iceweasel  dietlibc
63  iceape          - ccontrol 0.9.1+20071204-1 (static)
64  icedove  
65  xulrunner  libiax
66  nvu (no longer in Debian)          - iaxmodem <unfixed> (embed)
67    
68  xli:  zlib (lots of apps embed a copy, but link dynamically, but there are a few exceptions)
69  xloadimage          - dpkg <unfixed> (embed)
70            NOTE: see 18196.48620.491996.624772@davenant.relativity.greenend.org.uk on debian-devel for discussion
71  lesstif: (beware: two different lesstif APIs supported in one package, MOTIF 1.2 discarded upstream)          - rsync <unfixed> (embed)
72  openmotif          NOTE: somehow derived code base
73  xfree86/xorg (in libxpm)          - mono <unfixed> (embed)
74            TODO: check mozilla
75  kerberized apps with BSD origin:          - Linux kernels <unfixed> (embed)
76  krb4          - pvpgn 1.7.8-2 (embed)
77  krb5          - mrtg 2.12.2-1 (embed)
78  heimdal          - rpm <unknown> (embed)
79            NOTE: pinged anibal since when rpm was fixed
80  grip: (which pkg is the origin?)  
81  libcdaudio  libbz2
82  grip          - dpkg <unfixed> (static)
83  gnome-vfs (vfs2 as well?)  
84    ekg
85  fudforum:          - centericq <unfixed> (embed)
86  phpgroupware-fudforum          - gaim <unfixed> (embed)
87  egroupware-fudforum (removed from egroupware after sarge)          - pigdin <unfixed> (embed)(links dynamically against libgadu)
88            - kopete 4:3.3.2-5 (embed)
89  cvs:          - kadu <unfixed> (embed)
90  gcvs (at least an additional script is included, check if there's more)          - gadu <unfixed> (embed)
91            NOTE: g/kadu not packaged in Debian yet
92  pcre:  
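Review bot: in the ekg stanza, `- pigdin <unfixed> (embed)(links dynamically against libgadu)` misspells the package name (presumably `pidgin`, given the `gaim` entry directly above it) and puts a free-text remark in a second parenthetical, a position the Format block reserves for `(<sort>; bug #<number>)`. Fix the name, since a misspelled source package will not match when the list is searched for packages that need a fix, and move the linkage remark to a `NOTE:` line as the other stanzas do.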
93  all pythons  xmlrpc (which package is the "origin" of this code?)
94  php4 (src included, but Debian package links dynamically)          - drupal <unfixed> (embed)
95  analog (src included, but Debian package links dynamically)          - phpgroupware <unfixed> (embed)
96  libgoffice-1          - egroupware <unfixed> (embed)
97  vfu          - phpwiki (embed)
98  tf5 (since 5.0beta7 the Debian package links dynamically)          - php4 <unfixed> (embed)
99  monotone (including this starting from 0.37)          TODO: check, php-pear, IIRC this was reorganized some weeks ago?
100    
101  tiff:  shtool (affects build-time only)
102  wxpythongtk (check, which debian pkg this is in)          - mysql-ocaml <unfixed> (embed)
103  older kdegraphics/kpdf releases < 3.3 embedded a copy          - php4 <unfixed> (embed)
104    
105  uudeview:  mozilla source code
106  libconvert-uulib-perl          - mozilla-firefox <unfixed> (embed)
107            - mozilla-thunderbird
108  sqlite: (not affected by security vulnerabilities so far)          - firefox <removed>
109  amarok          [etch] - firefox <unfixed> (embed)
110  monotone          - thunderbird <removed>
111            [etch] - thunderbird <unfixed> (embed)
112  util-linux/mount:          - iceweasel <unfixed> (embed)
113  loop-aes-utils contains code from util-linux' mount in the mount-aes-udeb          - iceape <unfixed> (embed)
114            - icedove <unfixed> (embed)
115  webmin:          - xulrunner <unfixed> (embed)
116  usermin (only in sarge)          - nvu <removed> (embed)
117    
118  sylpheed:  xli
119  sylpheed-claws          - xloadimage <unfixed> (embed)
120    
121  phpsysinfo:  lesstif (beware: two different lesstif APIs supported in one package, MOTIF 1.2 discarded upstream)
122  egroupware          - openmotif <unfixed> (embed)
123  phpgroupware          - xfree86/xorg <unfixed> (embed)
124            NOTE: in libxpm
125    
126    kerberized apps with BSD origin
127            - krb4 <unfixed> (embed)
128            - krb5 <unfixed> (embed)
129            - heimdal <unfixed> (embed)
130    
131    grip (which pkg is the origin?)
132            - libcdaudio
133            - grip
134            - gnome-vfs
135            TODO: check vfs2 as well
136    
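Review bot: the three grip entries (`- libcdaudio`, `- grip`, `- gnome-vfs`) carry no status and no sort, although the Format block provides `<unknown>` for exactly the case where the fixed version cannot be determined. Give each an explicit status; an entry without one cannot be told apart from an entry nobody has triaged. The same applies to `- mozilla-thunderbird` in the mozilla stanza.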
137    fudforum
138            - phpgroupware-fudforum <unfixed> (embed)
139            - egroupware-fudforum <removed>
140            [sarge] - egroupware-fudforum <unfixed> (embed)
141    
142    cvs
143            - gcvs <unfixed> (embed)
144            NOTE: see cvsunix/src in tarball
145    
146    pcre
147            - python* <unfixed> (embed)
148            - php4 <unknown> (embed)
149            - analog 2:5.23-0woody1 (embed)
150            - libgoffice-1 <unfixed> (embed)
151            - vfu 4.06-4.1 (embed; bug #450754)
152            - tf5 5.0beta7-1 (embed)
153            - monotone <unfixed> (embed)
154            NOTE: this only affects versions >= 0.37
155            - glib <unfixed> (embed)
156            NOTE: 2.14 series for gregex support, only for udeb, regular packag links dynamic
157            - apache2 2.0.53-4 (embed)
158            - exim4 4.10-0.srh20.12 (embed)
159            - yacas <unfixed> (embed)
160            NOTE: <= 1.0.x; is using pcre to scan text, can execute shell commands via the syntax anyway
161            - gtamsanalyzer.app 0.42-5 (embed)
162    
163    tiff
164            - wxpythongtk <unfixed> (embed)
165            TODO: check, which debian pkg this is in
166    
167    uudeview
168            - libconvert-uulib-perl <unfixed> (embed)
169    
170    sqlite (not affected by security vulnerabilities so far)
171            - amarok <unfixed> (embed)
172            - monotone <unfixed> (embed)
173            - iceweasel <unfixed> (embed)
174    
175    util-linux/mount
176            - loop-aes-utils <unfixed> (embed)
177            NOTE: contains code from util-linux' mount in the mount-aes-udeb
178    
179    webmin
180            - usermin <unknown> (embed)
181            [sarge] - usermin <unfixed> (embed)
182    
183    sylpheed
184            - sylpheed-claws <unfixed> (fork)
185    
186    phpsysinfo
187            - egroupware <unfixed> (embed)
188            - phpgroupware <unfixed> (embed)
189    
190    phpldapadmin
191            [sarge] - egroupware <unfixed> (embed)
192            NOTE: removed from egroupware after sarge
193    
194    chmlib
195            - kchmviewer <unknown> (embed)
196    
197    libavcodec/libavformat (source: ffmpeg)
198            - mplayer <unfixed> (embed; bug #395252)
199            - xvidcap <unfixed> (embed)
200            - kino <unfixed> (static)
201            - vlc <unfixed> (static)
202            - smilutils <unfixed> (static)
203            - motion <unfixed> (static)
204            - gst-ffmpeg <unfixed> (embed)
205            - gstreamer0.10-ffmpeg <unfixed> (embed)
206            - xmovie <unfixed>
207            TODO: gimp-gap (potentially using ffmpeg code as well)
208    
209    mad MPEG decoding lib
210            - mad <unfixed> (embed)
211            - xine-lib <unfixed> (embed)
212    
 phpldapadmin:  
 egroupware (removed from egroupware after sarge)  
   
 chmlib:  
 kchmviewer (not packaged in Debian)  
   
 libavcodec/libavformat:  
 ffmpeg  
 xine-lib  
 xvidcap  
 kino (links statically, does not include code)  
 vlc (links statically, does not include code)  
 smilutils (links statically, does not include code)  
 motion (links statically, does not include code)  
 gst-ffmpeg  
 gstreamer0.10-ffmpeg  
 xmovie  
   
 mad MPEG decoding lib:  
 mad  
 xine-lib  
   
 libdts:  
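Review bot: the old libavcodec/libavformat list named `xine-lib`, but the converted stanza has no xine-lib entry, so that embedded copy is no longer tracked here. Restore it, or state in the commit message that it was checked and found not to embed the code. Separately, `- mad <unfixed> (embed)` under `mad MPEG decoding lib` reads as the origin package embedding itself; if mad is the origin, it belongs in the stanza header rather than in the entry list.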
213  libdts  libdts
214  xine-lib          - xine-lib <unfixed> (embed)
215    
 flac:  
216  flac  flac
217  xine-lib          - xine-lib <unfixed> (embed)
218    
219  liba52:  liba52
220  a52dec          - a52dec <unfixed> (embed)
221  xine-lib          - xine-lib <unfixed> (embed)
222    
223  libmpeg2:  libmpeg2
224  mpeg2dec          - mpeg2dec <unfixed> (embed)
225  xine-lib          - xine-lib <unfixed> (embed)
   
 curl:  
 wget (code for NTLM authentication)  
   
 TODO evaluate:  
 gimp-gap (potentially using ffmpeg code as well)  
   
 uw-imap:  
 pine  
 alpine  
226    
227  imagemagick:  curl
228  graphicsmagick          - wget <unfixed> (embed)
229            NOTE: code for NTLM authentication
230    
231  halibut:  uw-imap
232  nsis          - pine <unfixed> (embed)
233            - alpine <unfixed> (embed)
234    
235  libghttp:  imagemagick
236  hotway          - graphicsmagick <unfixed> (fork)
237    
238  libsndfile:  halibut
239  ardour          - nsis <unfixed> (embed)
240    
241  glibmm2.4:  libghttp
242  ardour          - hotway <unfixed> (embed)
243    
244  libgnomecanvasmm2.6:  libsndfile
245  ardour          - ardour <unfixed> (embed)
246    
247  libsigc++-2.0:  glibmm2.4
248  ardour          - ardour <unfixed> (embed)
249    
250  soundtouch:  libgnomecanvasmm2.6
251  ardour          - ardour <unfixed> (embed)
   
 libmms:  
 xine-lib  
 mimms  
   
 FCKeditor:  
 knowledgeroot  
 moin  
 karrigell  
 gforge-plugins-extra  
   
 Moodle contains lots of things:  
 AdoDB  
 AdoDB-XML Schema  
 ipatlas  
 PHPMailer  
 Smarty  
 htmlArea  
 TinyMCE  
 bennu  
252    
253  TinyMCE:  libsigc++-2.0
254  wordpress          - ardour <unfixed> (embed)
 moodle  
 knowledgeroot  
 joomla (ITP)  
255    
256  scintilla:  soundtouch
257  scite          - ardour <unfixed> (embed)
 qscintilla  
 qscintilla2  
 geany  
258    
259  libphp-adodb:  libmms
260  gallery2          - xine-lib <unfixed> (embed)
261  phppgadmin          - mimms <unfixed> (embed)
 egroupware  
 phpwiki  
 moodle  
 cacti (dependency exists, but internal version is used -- only in sarge, fixed in etch)  
262    
263  gzip:  fckeditor
264  linux-kernel (lib/inflate.c)          - knowledgeroot 0.9.8.5-3 (embed; bug #461555)
265  klibc (based on linux-kernel gzip code)          - moin <unfixed> (embed; bug #452599)
266  busybox          - karrigell <unfixed> (embed; bug #452598)
267            - gforge-plugins-extra 4.6.99+svn6225-1 (embed)
268    
269  ffmpeg:  ipatlas (not packaged in Debian)
270  mplayer (#395252)          - moodle <unfixed> (embed)
271    
272  neon:  libphp-phpmailer
273  cadaver (all, but being worked on: #188381)          - moodle <unfixed> (embed)
 gnome-vfs2 (#395874)  
 litmus (#395875)  
 screem (sarge only)  
 sitecopy (#395876)  
 tla (etch/sid only: #395877)  
274    
275  libmodplug:  htmlArea (not packaged in Debian)
276  gst-plugins-bad0.10          - moodle <unfixed> (embed)
277    
278  libvncserver:  giflib:
279  vino          - wine <unfixed> (embed; bug #466181)
280    
281  putty:  bennu (not packaged in Debian)
282  filezilla          - moodle <unfixed> (embed)
283    
284  tinyxml (not packaged in Debian):  smarty:
285  filezilla          - moodle <unfixed> (embed)
286    
287  gv:  TinyMCE
288  evince (ps/ tree from gv 3.5.8)          - wordpress <unfixed> (embed)
289  evince-gtk (not packaged in Debian)          - moodle <unfixed> (embed)
290            - knowledgeroot <unfixed> (embed)
291  libXbae:          - joomla <itp> (bug #326398)
292  libpawlib2-lesstif package (from Cernlib)  
293    scintilla
294  libXaw:          - scite <unfixed> (embed)
295  libpawlib2-lesstif package (from Cernlib)          - qscintilla <unfixed> (embed)
296            - qscintilla2 <unfixed> (embed)
297  (I plan to deal with the above two cases after Etch release. -- KevinMcCarty)          - geany <unfixed> (embed)
298    
299  libgd2:  libphp-adodb
300  graphviz (lib/gd seems to be 2.0.33)          - moodle <unfixed> (embed)
301            NOTE: also AdoDB-XML Schema
302  rar:          - gallery2 <unfixed> (embed)
303  unrar-nonfree          - phppgadmin <unfixed> (embed)
304            - egroupware <unfixed> (embed)
305  unrar-free: (maybe this code is derived from the original rar, too?)          - phpwiki <unfixed> (embed)
306  clamav (seems to be disabled in default config)          - ipplan <unfixed> (embed)
307            - typo3 <unfixed> (embed)
308  mplayer (DirectMedia Object loader):          - moodle <unfixed> (embed)
309  xine-lib (src/libw32dll/)          - cacti <unknown> (embed)
310  vlc (modules/codec/dmo/)          [sarge] - cacti <unfixed> (embed)
311            NOTE: dependency exists, but internal version is used
312  libwpd (WordPerfect converter):  
313  openoffice.org  gzip
314            - linux-kernel <unfixed> (embed)
315  fsplib (http://sourceforge.net/projects/fsp/):          NOTE: lib/inflate.c
316  gftp (lib/fsplib version 0.3)          - klibc <unfixed> (embed)
317            NOTE: based on linux-kernel gzip code
318  librpcsecgss:          - busybox <unfixed> (embed)
319  krb5  
320    neon
321  jasper:          - cadaver <unfixed> (embed; bug #188381)
322  ghostscript          - gnome-vfs2 <unfixed> (embed; bug #395874)
323  gs-gpl          - litmus <unfixed> (embed; #395875)
324            [sarge] - screem <unfixed> (embed)
325  libidn:          - sitecopy <unfixed> (embed; bug #395876)
326  monotone          [etch] - tla <unfixed> (embed; bug #395877)
327            [sarge] - tla <unfixed> (embed; bug #395877)
328  liblua:  
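Review bot: in the neon stanza, `- litmus <unfixed> (embed; #395875)` omits the `bug` keyword that the Format line `(<sort>; bug #<number>)` and the neighbouring entries use. Write `(embed; bug #395875)` so the reference is found by anything matching that pattern.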
329  monotone  libmodplug
330            - gst-plugins-bad0.10 <unfixed> (embed)
331  libbotan:  
332  montone  libvncserver
333            - vino <unfixed> (embed)
334    
335    putty
336            - filezilla <unfixed> (embed)
337    
338    tinyxml (not packaged in Debian)
339            - filezilla <unfixed>
340    
341    gv
342            - evince <unfixed> (embed)
343            NOTE: ps/ tree from gv 3.5.8
344            - evince-gtk <unfixed> (embed)
345            NOTE: not packaged in Debian
346    
347    libXbae
348            [etch] - libpawlib2-lesstif <unfixed> (embed)
349            NOTE: from Cernlib
350    
351    libXaw
352            [etch] - libpawlib2-lesstif
353            NOTE: from Cernlib
354            NOTE: I plan to deal with the above two cases after Etch release. -- KevinMcCarty
355    
356    libgd2
357            - graphviz <unfixed> (embed)
358            NOTE: lib/gd seems to be 2.0.33
359            - wml <unfixed> (embed)
360            NOTE: derived from gd 1.6.3
361    
362    rar
363            - unrar-nonfree <unfixed> (embed)
364    
365    unrar-free (maybe this code is derived from the original rar, too?)
366            - clamav <unfixed> (embed)
367            NOTE: seems to be disabled in default config
368    
369    mplayer (DirectMedia Object loader)
370            - xine-lib <unfixed> (embed)
371            NOTE: src/libw32dll/
372            - vlc <unfixed> (embed)
373            NOTE: modules/codec/dmo/
374    
375    libwpd (WordPerfect converter)
376            - openoffice.org <unfixed> (embed)
377    
378    fsplib (http://sourceforge.net/projects/fsp/)
379            - gftp <unfixed> (embed)
380            NOTE: lib/fsplib version 0.3
381    
382    librpcsecgss
383            - krb5 <unfixed> (embed)
384    
385    jasper
386            - ghostscript <unfixed> (embed)
387            - gs-gpl <unfixed> (embed)
388    
389    libidn
390            - monotone <unfixed> (embed)
391    
392    liblua
393            - monotone <unfixed> (embed)
394    
395    libbotan
396            - montone <unfixed> (embed)
397    
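Review bot: `- montone <unfixed> (embed)` under libbotan carries over the misspelling from the old file, while the libidn, liblua and NetXX stanzas around it all say `monotone`. Correct it here; otherwise a search for monotone's embedded copies misses libbotan.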
398    NetXX
399            - monotone <unfixed> (embed)
400    
401    libgc
402            - mono <unfixed> (embed)
403    
404    lzma
405            - p7zip <unfixed> (embed)
406    
407    lzo
408            - grub2 <unfixed> (embed)
409    
410    yassl
411            - mysql-dfsg-5.0 <unfixed> (embed)
412    
413    pax code
414            - tar <unfixed> (embed)
415            - cpio <unfixed> (embed)
416    
417    t1lib
418            - tetex-bin 2.0.2-1 (embed)
419            - texlive-bin <unknown> (embed)
420    
421    guichan
422            - boswars <unfixed> (embed)
423            NOTE: maintainer notified us, working on it
424    
425    tolua
426            - boswars <unfixed> (embed)
427            NOTE: maintainer notified us, working on it
428    
429    asio-dev
430            - luxrender <unfixed> (embed)
431            NOTE: maintainer notified us, working on it
432            NOTE: may be merged with boost "soon"
433    
434  NetXX:  xine-lib
435  monotone          - vlc <unfixed> (embed)
436            NOTE: only parts included in modules/access/rtsp
437    
438  libgc:  netpbm
439  mono          - tcl8.3 <unfixed> (embed)
440            - tcl8.4 <unfixed> (embed)
441            - tcl8.5 <unfixed> (embed)
442            NOTE: generic/tkImgGIF.c
443    
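Review bot: the netpbm stanza lists `tcl8.3`, `tcl8.4` and `tcl8.5` as the embedding packages, while its NOTE points at `generic/tkImgGIF.c`, a file name with a `tk` prefix, and the next stanza deals with the tk8.x packages. Please confirm which source packages actually ship that file and correct the entries if they are the tk ones.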
444    tk8.5
445            - tk8.0 <removed> (old-version)
446            - tk8.3 <unfixed> (old-version)
447            - tk8.4 <unfixed> (old-version)
448            - perl-tk <unfixable> (fork)
449    
450    samba
451            - mc <unfixed> (embed)
452            NOTE: maintainer is aware of this, currently searching a solution
