| 1 |
Embedded code copies |
Embedded code copies |
| 2 |
==================== |
==================== |
| 3 |
|
|
| 4 |
This file collects cases, where a source package embeds code from |
This file collects source packages that embed code from other projects. |
| 5 |
other projects which is considered bad for fixing security flaws |
This is considered bad for fixing security flaws because the fix needs |
| 6 |
because the fix needs to be applied in multiple source packages. |
to be applied in multiple source packages. |
| 7 |
|
|
| 8 |
Format: |
Format: |
| 9 |
<srcpkg> (<optional comment about srcpkg>) |
<srcpkg> (<optional comment about srcpkg>) |
| 10 |
- <embedding srcpkg> <status> (<sort>; bug #<number>) |
- <embedding srcpkg> <status> (<sort>; bug #<number>) |
| 11 |
NOTE: optional comments about the linkage of the embedding srcpkg |
NOTE: optional comments about the linkage of the embedding srcpkg |
| 12 |
|
|
| 13 |
status: version number fixing the embedded copy, <unfixed>, <removed>, <itp> or <unknown> if the version number can not be determined |
status: version number fixing the embedded copy, <unfixed>, <removed>, |
| 14 |
|
<itp> or <unknown> if the version number can not be determined |
| 15 |
|
<unfixable> for unavoidable cases (e.g., forks that add real value) |
| 16 |
sort: static (linking statically against a lib) |
sort: static (linking statically against a lib) |
| 17 |
embed (embedding a copy of the library into another source package) |
embed (embedding a copy of the library into another source package) |
| 18 |
fork (the package is not just embedding code but it is a fork and thus might share parts of the source code) |
fork (the package is not just embedding code but it is a fork and |
| 19 |
|
thus might share parts of the source code) |
| 20 |
|
old-version (the package is an older version of essentially |
| 21 |
|
the same code) |
| 22 |
|
|
| 23 |
The srcpkg might be some string to identify the code if there is no specific source package. |
The srcpkg might be some string to identify the code if there is no |
| 24 |
|
specific source package. |
| 25 |
|
|
| 26 |
Everything up to the next line is ignored |
Everything up to the next line is ignored. |
| 27 |
---BEGIN |
---BEGIN |
| 28 |
xpdf (some srcpkgs use xpdf2 code, some xpdf3 code) |
xpdf (some srcpkgs use xpdf2 code, some xpdf3 code) |
| 29 |
NOTE: Fixed packages link to poppler library unless otherwise noted |
NOTE: Fixed packages link to poppler library unless otherwise noted |
| 36 |
NOTE: has been replaced by poppler-utils |
NOTE: has been replaced by poppler-utils |
| 37 |
- kdegraphics <unfixed> (embed; bug #436164) |
- kdegraphics <unfixed> (embed; bug #436164) |
| 38 |
NOTE: the kpdf replacement in KDE 4 is using poppler |
NOTE: the kpdf replacement in KDE 4 is using poppler |
| 39 |
- tetex-bin 3.0-12 (embed) |
- texlive-base 3.0-12 (embed) |
| 40 |
- texlive-bin 2007-1 (embed) |
- texlive-bin 2007-1 (embed) |
| 41 |
NOTE: links to poppler |
NOTE: links to poppler |
| 42 |
- koffice <unfixed> (embed; bug #436163) |
- koffice <unfixed> (embed; bug #436163) |
| 52 |
ppmd |
ppmd |
| 53 |
- libcomplearn-mod-ppmd <unfixed> (embed; bug #458152) |
- libcomplearn-mod-ppmd <unfixed> (embed; bug #458152) |
| 54 |
|
|
| 55 |
|
peercast |
| 56 |
|
- gnome-peercast <unfixed> (embed) |
| 57 |
|
NOTE: gnome-peercast may better be removed, see #466539 |
| 58 |
|
|
| 59 |
silc-toolkit |
silc-toolkit |
| 60 |
- silc-client 1.1~beta6-1 (embed) |
- silc-client 1.1~beta6-1 (embed) |
| 61 |
|
|
| 152 |
- tf5 5.0beta7-1 (embed) |
- tf5 5.0beta7-1 (embed) |
| 153 |
- monotone <unfixed> (embed) |
- monotone <unfixed> (embed) |
| 154 |
NOTE: this only affects versions >= 0.37 |
NOTE: this only affects versions >= 0.37 |
| 155 |
- glib <unfixed> (embed) |
- glib2.0 2.15.2-1 (embed) |
|
NOTE: 2.14 series for gregex support, only for udeb, regular packag links dynamic |
|
| 156 |
- apache2 2.0.53-4 (embed) |
- apache2 2.0.53-4 (embed) |
| 157 |
- exim4 4.10-0.srh20.12 (embed) |
- exim4 4.10-0.srh20.12 (embed) |
| 158 |
- yacas <unfixed> (embed) |
- yacas <unfixed> (embed) |
| 159 |
NOTE: <= 1.0.x; is using pcre to scan text, can execute shell commands via the syntax anyway |
NOTE: <= 1.0.x; is using pcre to scan text, can execute shell commands via the syntax anyway |
| 160 |
- gtamsanalyzer.app 0.42-5 (embed) |
- gtamsanalyzer.app 0.42-5 (embed) |
| 161 |
|
- tin <unknown> (embed) |
| 162 |
|
- kazehakase 0.5.2-1 |
| 163 |
|
- webkit <unfixed> (embed) |
| 164 |
|
- qt4-x11 <unfixed> (embed) |
| 165 |
|
NOTE: embedded via webkit copy |
| 166 |
|
|
| 167 |
tiff |
tiff |
| 168 |
- wxpythongtk <unfixed> (embed) |
- wxwindows2.4 2.2.1 (embed) |
|
TODO: check, which debian pkg this is in |
|
| 169 |
|
|
| 170 |
uudeview |
uudeview |
| 171 |
- libconvert-uulib-perl <unfixed> (embed) |
- libconvert-uulib-perl <unfixed> (embed) |
| 172 |
|
- pan <unfixed> (embed) |
| 173 |
|
|
| 174 |
sqlite (not affected by security vulnerabilities so far) |
sqlite (not affected by security vulnerabilities so far) |
| 175 |
- amarok <unfixed> (embed) |
- amarok <unfixed> (embed) |
| 199 |
- kchmviewer <unknown> (embed) |
- kchmviewer <unknown> (embed) |
| 200 |
|
|
| 201 |
libavcodec/libavformat (source: ffmpeg) |
libavcodec/libavformat (source: ffmpeg) |
| 202 |
- mplayer <unfixed> (embed; bug #395252) |
- mplayer 1.0~rc2-14 (embed; bug #395252) |
| 203 |
- xvidcap <unfixed> (embed) |
- kino 1.0.0-1 |
| 204 |
- kino <unfixed> (static) |
- vlc <not-affected> (Links dynamically since initial release) |
| 205 |
- vlc <unfixed> (static) |
- smilutils 0.3.0-10 |
| 206 |
- smilutils <unfixed> (static) |
NOTE: smilutils likely fixed earlier, marking Etch's version as fixed |
| 207 |
- motion <unfixed> (static) |
- motion 3.1.19-1 |
| 208 |
- gst-ffmpeg <unfixed> (embed) |
- gstreamer0.10-ffmpeg 0.10.3-2 |
|
- gstreamer0.10-ffmpeg <unfixed> (embed) |
|
| 209 |
- xmovie <unfixed> |
- xmovie <unfixed> |
| 210 |
TODO: gimp-gap (potentially using ffmpeg code as well) |
TODO: gimp-gap (potentially using ffmpeg code as well) |
| 211 |
|
|
| 264 |
- mimms <unfixed> (embed) |
- mimms <unfixed> (embed) |
| 265 |
|
|
| 266 |
fckeditor |
fckeditor |
| 267 |
- knowledgeroot <unfixed> (embed) |
- knowledgeroot 0.9.8.5-3 (embed; bug #461555) |
| 268 |
- moin <unfixed> (embed; bug #452599) |
- moin <unfixed> (embed; bug #452599) |
| 269 |
- karrigell <unfixed> (embed; bug #452598) |
- karrigell <removed> (embed; bug #452598) |
| 270 |
- gforge-plugins-extra 4.6.99+svn6225-1 (embed) |
- gforge-plugins-extra 4.6.99+svn6225-1 (embed) |
| 271 |
|
|
| 272 |
ipatlas (not packaged in Debian) |
ipatlas (not packaged in Debian) |
| 278 |
htmlArea (not packaged in Debian) |
htmlArea (not packaged in Debian) |
| 279 |
- moodle <unfixed> (embed) |
- moodle <unfixed> (embed) |
| 280 |
|
|
| 281 |
|
giflib: |
| 282 |
|
- wine <unfixed> (embed; bug #466181) |
| 283 |
|
|
| 284 |
bennu (not packaged in Debian) |
bennu (not packaged in Debian) |
| 285 |
- moodle <unfixed> (embed) |
- moodle <unfixed> (embed) |
| 286 |
|
|
| 287 |
smarty: |
smarty: |
| 288 |
- moodle <unfixed> (embed) |
- moodle <unfixed> (embed; bug #471158) |
| 289 |
|
- gallery2 2.2.5-2 (embed; bug #471160) |
| 290 |
|
- mahara 0.9.2-2 (embed; bug #471201) |
| 291 |
|
- gosa 2.4beta1-1 (embed; bug #471200) |
| 292 |
|
|
| 293 |
TinyMCE |
TinyMCE |
| 294 |
- wordpress <unfixed> (embed) |
- wordpress 2.5.1-3 (embed; bug #478257) |
| 295 |
- moodle <unfixed> (embed) |
- moodle <unfixed> (embed) |
| 296 |
- knowledgeroot <unfixed> (embed) |
- knowledgeroot <unfixed> (embed) |
| 297 |
- joomla <itp> (bug #326398) |
- joomla <itp> (bug #326398) |
| 362 |
libgd2 |
libgd2 |
| 363 |
- graphviz <unfixed> (embed) |
- graphviz <unfixed> (embed) |
| 364 |
NOTE: lib/gd seems to be 2.0.33 |
NOTE: lib/gd seems to be 2.0.33 |
| 365 |
|
- wml <unfixed> (embed) |
| 366 |
|
NOTE: derived from gd 1.6.3 |
| 367 |
|
|
| 368 |
rar |
rar |
| 369 |
- unrar-nonfree <unfixed> (embed) |
- unrar-nonfree <unfixed> (embed) |
| 385 |
- gftp <unfixed> (embed) |
- gftp <unfixed> (embed) |
| 386 |
NOTE: lib/fsplib version 0.3 |
NOTE: lib/fsplib version 0.3 |
| 387 |
|
|
| 388 |
|
sprng |
| 389 |
|
- tree-puzzle <unfixed> (embed) |
| 390 |
|
|
| 391 |
librpcsecgss |
librpcsecgss |
| 392 |
- krb5 <unfixed> (embed) |
- krb5 <unfixed> (embed) |
| 393 |
|
|
| 426 |
t1lib |
t1lib |
| 427 |
- tetex-bin 2.0.2-1 (embed) |
- tetex-bin 2.0.2-1 (embed) |
| 428 |
- texlive-bin <unknown> (embed) |
- texlive-bin <unknown> (embed) |
| 429 |
|
|
| 430 |
|
guichan |
| 431 |
|
- boswars <unfixed> (embed) |
| 432 |
|
NOTE: maintainer notified us, working on it |
| 433 |
|
|
| 434 |
|
tolua |
| 435 |
|
- boswars <unfixed> (embed) |
| 436 |
|
NOTE: maintainer notified us, working on it |
| 437 |
|
|
| 438 |
|
asio-dev |
| 439 |
|
- luxrender <unfixed> (embed) |
| 440 |
|
NOTE: maintainer notified us, working on it |
| 441 |
|
NOTE: may be merged with boost "soon" |
| 442 |
|
|
| 443 |
|
xine-lib |
| 444 |
|
- vlc <unfixed> (embed) |
| 445 |
|
NOTE: only parts included in modules/access/rtsp |
| 446 |
|
|
| 447 |
|
netpbm |
| 448 |
|
- tcl8.3 <unfixed> (embed) |
| 449 |
|
- tcl8.4 <unfixed> (embed) |
| 450 |
|
- tcl8.5 <unfixed> (embed) |
| 451 |
|
NOTE: generic/tkImgGIF.c |
| 452 |
|
|
| 453 |
|
tk8.5 |
| 454 |
|
- tk8.0 <removed> (old-version) |
| 455 |
|
- tk8.3 <unfixed> (old-version) |
| 456 |
|
- tk8.4 <unfixed> (old-version) |
| 457 |
|
- perl-tk <unfixable> (fork) |
| 458 |
|
|
| 459 |
|
samba |
| 460 |
|
- mc <unfixed> (embed) |
| 461 |
|
NOTE: maintainer is aware of this, currently searching a solution |
| 462 |
|
|
| 463 |
|
plib1.8.4c2 |
| 464 |
|
- boson <unfixed> (fork) |
| 465 |
|
NOTE: embedding the font pieces of plib, based on the header file it is forked, contains "Added by AB for boson." and similar |
| 466 |
|
|
| 467 |
|
fribidi |
| 468 |
|
- quesoglc <unfixed> (embed) |
| 469 |
|
|
| 470 |
|
glew |
| 471 |
|
- quesoglc <unfixed> (embed) |
| 472 |
|
|
| 473 |
|
minorGems |
| 474 |
|
- transcend <unfixed> (embed) |
| 475 |
|
- cultivation <unfixed> (embed) |
| 476 |
|
|
| 477 |
|
tar |
| 478 |
|
- libarchive <unfixed> (embed) |
| 479 |
|
NOTE: FreeBSD tar (tar/bsdtar.c) in libarchive 1.2 and higher. libarchive ends up statically linked into bsdtar executable |
| 480 |
|
|
| 481 |
|
cpio |
| 482 |
|
- libarchive <unfixed> (embed) |
| 483 |
|
NOTE: cpio included in libarchive 2.2 and higher, but not compiled until libarchive 2.4.11-1 (as bsdcpio package) |
| 484 |
|
|
| 485 |
|
webkit |
| 486 |
|
- qt4-x11 <unfixed> (embed) |
| 487 |
|
|
| 488 |
|
ftgl |
| 489 |
|
- blender 2.46+dfsg-1 (embed) |
| 490 |
|
|
| 491 |
|
wv |
| 492 |
|
- abiword <unfixed> |
| 493 |
|
|
| 494 |
|
qemu |
| 495 |
|
- kvm <unfixed> (embed) |
| 496 |
|
- xen-3 <unfixed> (embed) |
| 497 |
|
- xen-unstable <unfixed> (embed) |
| 498 |
|
|
| 499 |
|
bochs |
| 500 |
|
- kvm <unfixed> (embed; bug #489442) |
| 501 |
|
|
| 502 |
|
speex |
| 503 |
|
- vorbis-tools <unfixed> (embed) |
| 504 |
|
NOTE: while comiled against libspeex-dev, ogg123/speex_format.c is compiled with embedded code copied from speexdec.c |
| 505 |
|
- gst-plugins-good0.10 <unfixed> (embed) |
| 506 |
|
- xine-lib <unfixed> (embed) |
| 507 |
|
- libfishsound <unfixed> (embed) |
| 508 |
|
- libannodex <unfixed> (embed) |
| 509 |
|
- vlc <unfixed> (embed) |
| 510 |
|
- xmms-speex <unfixed> (embed) |
| 511 |
|
- libsdl-sound1.2 <unfixed> (embed) |
| 512 |
|
- sweep <unfixed> (embed) |
| 513 |
|
|
| 514 |
|
libreadline |
| 515 |
|
- magic <unfixed> (old-version) |
| 516 |
|
NOTE: magic is currently an RFS |
| 517 |
|
|
| 518 |
|
opcode |
| 519 |
|
- ode <unfixed> (embed) |
| 520 |
|
NOTE: opcode is not a package in debian, it is just embedded |
| 521 |
|
NOTE: http://www.codercorner.com/Opcode.htm |
| 522 |
|
|
| 523 |
|
gimpact |
| 524 |
|
- ode <unfixed> (embed) |
| 525 |
|
NOTE: gimpact is not a package in debian, it is just embedded |
| 526 |
|
NOTE: http://gimpact.sf.net |
| 527 |
|
|
| 528 |
|
MochiKit.js |
| 529 |
|
- mahara <unfixed> (embed) |
| 530 |
|
- ntop <unfixed> (embed) |
| 531 |
|
- python-oherence <unfixed> (embed) |
| 532 |
|
- python-paste <unfixed> (embed) |
| 533 |
|
- python-turbogears <unfixed> (embed) |
| 534 |
|
- zope-plone3 <unfixed> (embed) |
| 535 |
|
|
| 536 |
|
prototype.js |
| 537 |
|
- netbeans-ide <unfixed> (embed) |
| 538 |
|
- auth2db-frontend <unfixed> (embed) |
| 539 |
|
- citadel-webcit <unfixed> (embed) |
| 540 |
|
- asterisk <unfixed> (embed) |
| 541 |
|
- doc-iana <unfixed> (embed) |
| 542 |
|
- libaws-doc <unfixed> (embed) |
| 543 |
|
- libgettext-ruby-data <unfixed> (embed) |
| 544 |
|
- libjson-ruby-doc <unfixed> (embed) |
| 545 |
|
- liblucene2-java-doc <unfixed> (embed) |
| 546 |
|
- libopenid-ruby <unfixed> (embed) |
| 547 |
|
- solr-common <unfixed> (embed) |
| 548 |
|
- glpi <unfixed> (embed) |
| 549 |
|
- hobbix <unfixed> (embed) |
| 550 |
|
- mnemo2 <unfixed> (embed) |
| 551 |
|
- nag2 <unfixed> (embed) |
| 552 |
|
- libjs-prototype <unfixed> (embed) |
| 553 |
|
- libjs-scriptaculous <unfixed> (embed) |
| 554 |
|
- knowledgeroot <unfixed> (embed) |
| 555 |
|
- mediatomb-common <unfixed> (embed) |
| 556 |
|
- mt-daapd <unfixed> (embed) |
| 557 |
|
- op-panel <unfixed> (embed) |
| 558 |
|
- ebug-http <unfixed> (embed) |
| 559 |
|
- phpgedview <removed> (embed) |
| 560 |
|
- poker-web <unfixed> (embed) |
| 561 |
|
- python-webhelpers <unfixed> (embed) |
| 562 |
|
- qwik <unfixed> (embed) |
| 563 |
|
- rails <unfixed> (embed) |
| 564 |
|
- typo3-src-4.1 <unfixed> (embed) |
| 565 |
|
- wordpress <unfixed> (embed) |
| 566 |
|
- zope-plone3 <unfixed> (embed) |
| 567 |
|
- smokeping <unfixed> (embed) |
| 568 |
|
|
| 569 |
|
gdb |
| 570 |
|
- insight <unfixed> (embed) |
| 571 |
|
|
| 572 |
|
e2fsprogs |
| 573 |
|
- ldiskfsprogs <unfixable> (fork) |
| 574 |
|
|
| 575 |
|
quazip (not packaged in Debian) |
| 576 |
|
- qcake <unfixed> (embed) |
| 577 |
|
NOTE: starting with upstream version 0.6.4 |
| 578 |
|
|
| 579 |
|
exo |
| 580 |
|
- pcmanfm <unfixed> (embed; bug #499677) |
Parent Directory
| 
Revision Log
| 
Patch