Contents of /data/embedded-code-copies

Revision 10248
Sun Nov 2 23:52:15 2008 UTC (4 years, 7 months ago) by atomo64-guest
File size: 16844 byte(s)
Some pseudo/bin-pkg to srcpkg name conversions plus a large update of php and js related packages

Embedded code copies
====================

This file collects source packages that embed code from other projects.
This is considered bad for fixing security flaws because the fix needs
to be applied in multiple source packages.

Format:
  <srcpkg> (<optional comment about srcpkg>)
    - <embedding srcpkg> <status> (<sort>; bug #<number>)
    NOTE: optional comments about the linkage of the embedding srcpkg

  status: version number fixing the embedded copy, <unfixed>, <removed>,
          <itp> or <unknown> if the version number can not be determined
          <unfixable> for unavoidable cases (e.g., forks that add real value)
  sort: static (linking statically against a lib)
        embed (embedding a copy of the library into another source package)
        fork (the package is not just embedding code but it is a fork and
              thus might share parts of the source code)
        old-version (the package is an older version of essentially
                     the same code)

The srcpkg might be some string to identify the code if there is no
specific source package.

Everything up to the next line is ignored.
---BEGIN
xpdf (some srcpkgs use xpdf2 code, some xpdf3 code)
    NOTE: Fixed packages link to poppler library unless otherwise noted
    - gpdf <removed>
    [sarge] - gpdf <unfixed>
    NOTE: has been replaced by evince in etch
    - pdftohtml <unknown>
    [sarge] - pdftohtml <unfixed>
    [etch] - pdftohtml <unfixed>
    NOTE: has been replaced by poppler-utils
    - kdegraphics <unfixed> (embed; bug #436164)
    NOTE: the kpdf replacement in KDE 4 is using poppler
    - texlive-base 3.0-12 (embed)
    - texlive-bin 2007-1 (embed)
    NOTE: links to poppler
    - koffice <unfixed> (embed; bug #436163)
    - libextractor 0.5.12-1 (embed)
    NOTE: libextractor is using its own pdf decoder now
    - libextractor 0.5.12-1 (embed)
    - pdfkit.framework 0.8-4 (embed)
    - ipe <unfixed> (embed)
    NOTE: embeds small parts with renamed source files: ipestdfonts.cpp, ipefonts.cpp, ipedct.cpp
    - ruby-gnome2 <unknown> (embed)
    NOTE: copy only present in source but links to poppler

ppmd
    - libcomplearn-mod-ppmd <unfixed> (embed; bug #458152)

peercast
    - gnome-peercast <unfixed> (embed)
    NOTE: gnome-peercast may better be removed, see #466539

silc-toolkit
    - silc-client 1.1~beta6-1 (embed)

dietlibc
    - ccontrol 0.9.1+20071204-1 (static)

libiax
    - iaxmodem <unfixed> (embed)

zlib (lots of apps embed a copy, but link dynamically, but there are a few exceptions)
    - dpkg <unfixed> (embed)
    NOTE: see 18196.48620.491996.624772@davenant.relativity.greenend.org.uk on debian-devel for discussion
    - rsync <unfixed> (embed)
    NOTE: somehow derived code base
    - mono <unfixed> (embed)
    TODO: check mozilla
    - Linux kernels <unfixed> (embed)
    - pvpgn 1.7.8-2 (embed)
    - mrtg 2.12.2-1 (embed)
    - rpm <unknown> (embed)
    NOTE: pinged anibal since when rpm was fixed

libbz2
    - dpkg <unfixed> (static)

ekg
    - centericq <unfixed> (embed)
    - gaim <unfixed> (embed)
    - pigdin <unfixed> (embed)(links dynamically against libgadu)
    - kopete 4:3.3.2-5 (embed)
    - kadu <unfixed> (embed)
    - gadu <unfixed> (embed)
    NOTE: g/kadu not packaged in Debian yet

xmlrpc (which package is the "origin" of this code?)
    - drupal <unfixed> (embed)
    - phpgroupware <unfixed> (embed)
    - egroupware <unfixed> (embed)
    - phpwiki (embed)
    - php4 <unfixed> (embed)
    TODO: check, php-pear, IIRC this was reorganized some weeks ago?

shtool (affects build-time only)
    - mysql-ocaml <unfixed> (embed)
    - php4 <unfixed> (embed)

mozilla source code
    - mozilla-firefox <unfixed> (embed)
    - mozilla-thunderbird
    - firefox <removed>
    [etch] - firefox <unfixed> (embed)
    - thunderbird <removed>
    [etch] - thunderbird <unfixed> (embed)
    - iceweasel <unfixed> (embed)
    - iceape <unfixed> (embed)
    - icedove <unfixed> (embed)
    - xulrunner <unfixed> (embed)
    - nvu <removed> (embed)

xli
    - xloadimage <unfixed> (embed)

lesstif (beware: two different lesstif APIs supported in one package, MOTIF 1.2 discarded upstream)
    - openmotif <unfixed> (embed)
    - xfree86/xorg <unfixed> (embed)
    NOTE: in libxpm

kerberized apps with BSD origin
    - krb4 <unfixed> (embed)
    - krb5 <unfixed> (embed)
    - heimdal <unfixed> (embed)

grip (which pkg is the origin?)
    - libcdaudio
    - grip
    - gnome-vfs
    TODO: check vfs2 as well

fudforum
    - phpgroupware-fudforum <unfixed> (embed)
    - egroupware-fudforum <removed>
    [sarge] - egroupware-fudforum <unfixed> (embed)

cvs
    - gcvs <unfixed> (embed)
    NOTE: see cvsunix/src in tarball

pcre
    - python* <unfixed> (embed)
    - php4 <unknown> (embed)
    - analog 2:5.23-0woody1 (embed)
    - libgoffice-1 <unfixed> (embed)
    - vfu 4.06-4.1 (embed; bug #450754)
    - tf5 5.0beta7-1 (embed)
    - monotone <unfixed> (embed)
    NOTE: this only affects versions >= 0.37
    - glib2.0 2.15.2-1 (embed)
    - apache2 2.0.53-4 (embed)
    - exim4 4.10-0.srh20.12 (embed)
    - yacas <unfixed> (embed)
    NOTE: <= 1.0.x; is using pcre to scan text, can execute shell commands via the syntax anyway
    - gtamsanalyzer.app 0.42-5 (embed)
    - tin <unknown> (embed)
    - kazehakase 0.5.2-1
    - webkit <unfixed> (embed)
    - qt4-x11 <unfixed> (embed)
    NOTE: embedded via webkit copy

tiff
    - wxwindows2.4 2.2.1 (embed)

uudeview
    - libconvert-uulib-perl <unfixed> (embed)
    - pan <unfixed> (embed)

sqlite (not affected by security vulnerabilities so far)
    - amarok <unfixed> (embed)
    - monotone <unfixed> (embed)
    - iceweasel <unfixed> (embed)

util-linux/mount
    - loop-aes-utils <unfixed> (embed)
    NOTE: contains code from util-linux' mount in the mount-aes-udeb

webmin
    - usermin <unknown> (embed)
    [sarge] - usermin <unfixed> (embed)

sylpheed
    - sylpheed-claws <unfixed> (fork)

phpsysinfo
    - egroupware <unfixed> (embed)
    - phpgroupware <unfixed> (embed)

phpldapadmin
    [sarge] - egroupware <unfixed> (embed)
    NOTE: removed from egroupware after sarge

chmlib
    - kchmviewer <unknown> (embed)

libavcodec/libavformat (source: ffmpeg)
    - mplayer 1.0~rc2-14 (embed; bug #395252)
    - kino 1.0.0-1
    - vlc <not-affected> (Links dynamically since initial release)
    - smilutils 0.3.0-10
    NOTE: smilutils likely fixed earlier, marking Etch's version as fixed
    - motion 3.1.19-1
    - gstreamer0.10-ffmpeg 0.10.3-2
    - xmovie <unfixed>
    TODO: gimp-gap (potentially using ffmpeg code as well)

mad MPEG decoding lib
    - mad <unfixed> (embed)
    - xine-lib <unfixed> (embed)

libdts
    - xine-lib <unfixed> (embed)

flac
    - xine-lib <unfixed> (embed)

liba52
    - a52dec <unfixed> (embed)
    - xine-lib <unfixed> (embed)

libmpeg2
    - mpeg2dec <unfixed> (embed)
    - xine-lib <unfixed> (embed)

curl
    - wget <unfixed> (embed)
    NOTE: code for NTLM authentication

uw-imap
    - pine <unfixed> (embed)
    - alpine <unfixed> (embed)

imagemagick
    - graphicsmagick <unfixed> (fork)

libphp-snoopy
    - ampache <unfixed> (embed)
    - mahara <unfixed> (embed)
    - pixelpost <unfixed> (embed)

halibut
    - nsis <unfixed> (embed)

libghttp
    - hotway <unfixed> (embed)

libsndfile
    - ardour <unfixed> (embed)

glibmm2.4
    - ardour <unfixed> (embed)

libgnomecanvasmm2.6
    - ardour <unfixed> (embed)

libsigc++-2.0
    - ardour <unfixed> (embed)

soundtouch
    - ardour <unfixed> (embed)

libmms
    - xine-lib <unfixed> (embed)
    - mimms <unfixed> (embed)

fckeditor
    - knowledgeroot 0.9.8.5-3 (embed; bug #461555)
    - moin <unfixed> (embed; bug #452599)
    - karrigell <removed> (embed; bug #452598)
    - gforge-plugins-extra 4.6.99+svn6225-1 (embed)

ipatlas (not packaged in Debian)
    - moodle <unfixed> (embed)

libphp-phpmailer
    - moodle <unfixed> (embed)
    - mahara <unfixed> (embed)
    - symfony <unfixed> (embed)
    - phpgroupware-felamimail <unfixed> (embed)
    NOTE: phpgroupware-felamimail is only in etch
    - egroupware <unfixed> (embed; bug #504283)

htmlArea (not packaged in Debian)
    - moodle <unfixed> (embed)

giflib:
    - wine <unfixed> (embed; bug #466181)

bennu (not packaged in Debian)
    - moodle <unfixed> (embed)

smarty:
    - moodle <unfixed> (embed; bug #471158)
    - gallery2 2.2.5-2 (embed; bug #471160)
    - mahara 0.9.2-2 (embed; bug #471201)
    - gosa 2.4beta1-1 (embed; bug #471200)

TinyMCE
    - wordpress 2.5.1-3 (embed; bug #478257)
    - moodle <unfixed> (embed)
    - knowledgeroot <unfixed> (embed)
    - joomla <itp> (bug #326398)

scintilla
    - scite <unfixed> (embed)
    - qscintilla <unfixed> (embed)
    - qscintilla2 <unfixed> (embed)
    - geany <unfixed> (embed)

libphp-adodb
    - moodle <unfixed> (embed)
    NOTE: also AdoDB-XML Schema
    - gallery2 <unfixed> (embed)
    - phppgadmin <unfixed> (embed)
    - egroupware <unfixed> (embed)
    - phpwiki <unfixed> (embed)
    - ipplan <unfixed> (embed)
    - typo3 <unfixed> (embed)
    - moodle <unfixed> (embed)
    - cacti <unknown> (embed)
    [sarge] - cacti <unfixed> (embed)
    NOTE: dependency exists, but internal version is used
    - gforge <unfixed> (embed)
    - mahara <unfixed> (embed)

gzip
    - linux-kernel <unfixed> (embed)
    NOTE: lib/inflate.c
    - klibc <unfixed> (embed)
    NOTE: based on linux-kernel gzip code
    - busybox <unfixed> (embed)

neon
    - cadaver <unfixed> (embed; bug #188381)
    - gnome-vfs2 <unfixed> (embed; bug #395874)
    - litmus <unfixed> (embed; #395875)
    [sarge] - screem <unfixed> (embed)
    - sitecopy <unfixed> (embed; bug #395876)
    [etch] - tla <unfixed> (embed; bug #395877)
    [sarge] - tla <unfixed> (embed; bug #395877)

libmodplug
    - gst-plugins-bad0.10 <unfixed> (embed)

libvncserver
    - vino <unfixed> (embed)

putty
    - filezilla <unfixed> (embed)

tinyxml (not packaged in Debian)
    - filezilla <unfixed>

gv
    - evince <unfixed> (embed)
    NOTE: ps/ tree from gv 3.5.8
    - evince-gtk <unfixed> (embed)
    NOTE: not packaged in Debian

libXbae
    [etch] - libpawlib2-lesstif <unfixed> (embed)
    NOTE: from Cernlib

libXaw
    [etch] - libpawlib2-lesstif
    NOTE: from Cernlib
    NOTE: I plan to deal with the above two cases after Etch release. -- KevinMcCarty

libgd2
    - graphviz <unfixed> (embed)
    NOTE: lib/gd seems to be 2.0.33
    - wml <unfixed> (embed)
    NOTE: derived from gd 1.6.3

rar
    - unrar-nonfree <unfixed> (embed)

unrar-free (maybe this code is derived from the original rar, too?)
    - clamav <unfixed> (embed)
    NOTE: seems to be disabled in default config

mplayer (DirectMedia Object loader)
    - xine-lib <unfixed> (embed)
    NOTE: src/libw32dll/
    - vlc <unfixed> (embed)
    NOTE: modules/codec/dmo/

libwpd (WordPerfect converter)
    - openoffice.org <unfixed> (embed)

fsplib (http://sourceforge.net/projects/fsp/)
    - gftp <unfixed> (embed)
    NOTE: lib/fsplib version 0.3

sprng
    - tree-puzzle <unfixed> (embed)

librpcsecgss
    - krb5 <unfixed> (embed)

jasper
    - ghostscript <unfixed> (embed)
    - gs-gpl <unfixed> (embed)

libidn
    - monotone <unfixed> (embed)

liblua
    - monotone <unfixed> (embed)

libbotan
    - montone <unfixed> (embed)

NetXX
    - monotone <unfixed> (embed)

libgc
    - mono <unfixed> (embed)

lzma
    - p7zip <unfixed> (embed)

lzo
    - grub2 <unfixed> (embed)

yassl
    - mysql-dfsg-5.0 <unfixed> (embed)

pax code
    - tar <unfixed> (embed)
    - cpio <unfixed> (embed)

t1lib
    - tetex-bin 2.0.2-1 (embed)
    - texlive-bin <unknown> (embed)

guichan
    - boswars <unfixed> (embed)
    NOTE: maintainer notified us, working on it

tolua
    - boswars <unfixed> (embed)
    NOTE: maintainer notified us, working on it

asio-dev
    - luxrender <unfixed> (embed)
    NOTE: maintainer notified us, working on it
    NOTE: may be merged with boost "soon"

xine-lib
    - vlc <unfixed> (embed)
    NOTE: only parts included in modules/access/rtsp

netpbm
    - tcl8.3 <unfixed> (embed)
    - tcl8.4 <unfixed> (embed)
    - tcl8.5 <unfixed> (embed)
    NOTE: generic/tkImgGIF.c

tk8.5
    - tk8.0 <removed> (old-version)
    - tk8.3 <unfixed> (old-version)
    - tk8.4 <unfixed> (old-version)
    - perl-tk <unfixable> (fork)

samba
    - mc <unfixed> (embed)
    NOTE: maintainer is aware of this, currently searching a solution

plib1.8.4c2
    - boson <unfixed> (fork)
    NOTE: embedding the font pieces of plib, based on the header file it is forked, contains "Added by AB for boson." and similar

fribidi
    - quesoglc <unfixed> (embed)

glew
    - quesoglc <unfixed> (embed)

minorGems
    - transcend <unfixed> (embed)
    - cultivation <unfixed> (embed)

tar
    - libarchive <unfixed> (embed)
    NOTE: FreeBSD tar (tar/bsdtar.c) in libarchive 1.2 and higher. libarchive ends up statically linked into bsdtar executable

cpio
    - libarchive <unfixed> (embed)
    NOTE: cpio included in libarchive 2.2 and higher, but not compiled until libarchive 2.4.11-1 (as bsdcpio package)

webkit
    - qt4-x11 <unfixed> (embed)

ftgl
    - blender 2.46+dfsg-1 (embed)

wv
    - abiword <unfixed>

qemu
    - kvm <unfixed> (embed)
    - xen-3 <unfixed> (embed)
    - xen-unstable <unfixed> (embed)

bochs
    - kvm <unfixed> (embed; bug #489442)

speex
    - vorbis-tools <unfixed> (embed)
    NOTE: while compiled against libspeex-dev, ogg123/speex_format.c is compiled with embedded code copied from speexdec.c
    - gst-plugins-good0.10 <unfixed> (embed)
    - xine-lib <unfixed> (embed)
    - libfishsound <unfixed> (embed)
    - libannodex <unfixed> (embed)
    - vlc <unfixed> (embed)
    - xmms-speex <unfixed> (embed)
    - libsdl-sound1.2 <unfixed> (embed)
    - sweep <unfixed> (embed)

libreadline
    - magic <unfixed> (old-version)
    NOTE: magic is currently an RFS

opcode
    - ode <unfixed> (embed)
    NOTE: opcode is not a package in debian, it is just embedded
    NOTE: http://www.codercorner.com/Opcode.htm

gimpact
    - ode <unfixed> (embed)
    NOTE: gimpact is not a package in debian, it is just embedded
    NOTE: http://gimpact.sf.net

mochikit
    - mahara <unfixed> (embed)
    NOTE: they require extra patches, still unmerged upstream
    - ntop <unfixed> (embed)
    - python-oherence <unfixed> (embed)
    - python-paste <unfixed> (embed)
    - python-turbogears <unfixed> (embed)
    - zope-plone3 <unfixed> (embed)

prototype
    - netbeans-ide <unfixed> (embed)
    - auth2db-frontend <unfixed> (embed)
    - citadel-webcit <unfixed> (embed)
    - asterisk <unfixed> (embed)
    - doc-iana <unfixed> (embed)
    - libaws-doc <unfixed> (embed)
    - libgettext-ruby-data <unfixed> (embed)
    - libjson-ruby-doc <unfixed> (embed)
    - liblucene2-java-doc <unfixed> (embed)
    - libopenid-ruby <unfixed> (embed)
    - solr-common <unfixed> (embed)
    - glpi <unfixed> (embed)
    - hobbix <unfixed> (embed)
    - mnemo2 <unfixed> (embed)
    - nag2 <unfixed> (embed)
    - knowledgeroot <unfixed> (embed)
    - mediatomb-common <unfixed> (embed)
    - mt-daapd <unfixed> (embed)
    - op-panel <unfixed> (embed)
    - ebug-http <unfixed> (embed)
    - phpgedview <removed> (embed)
    - poker-web <unfixed> (embed)
    - python-webhelpers <unfixed> (embed)
    - qwik <unfixed> (embed)
    - rails <unfixed> (embed)
    - typo3-src-4.1 <unfixed> (embed)
    - wordpress <unfixed> (embed)
    - zope-plone3 <unfixed> (embed)
    - smokeping <unfixed> (embed)
    - ampache 3.4.1-2 (embed)
    - exaile <unfixed> (embed)
    - hobix <unfixed> (embed)
    - pixelpost <unfixed> (embed)
    - symfony <unfixed> (embed)
    NOTE: it's been said that there are custom changes
    - zabbix-frontend-php <unfixed> (embed)
    - turba2 <unfixed> (embed)

gdb
    - insight <unfixed> (embed)

e2fsprogs
    - ldiskfsprogs <unfixable> (fork)

quazip (not packaged in Debian)
    - qcake <unfixed> (embed)
    NOTE: starting with upstream version 0.6.4

exo
    - pcmanfm <unfixed> (embed; bug #499677)
    NOTE: slightly modified source code

java
    - openjdk-6 <unfixed>
    - sun-java5 <unfixed>
    - sun-java6 <unfixed>

libphp-snoopy
    - ampache 3.4.1-2 (embed; bug #504169)
    - mahara <unfixed> (embed; bug #504170)
    - pixelpost <unfixed> (embed; bug #504171)
    - mediamate 0.9.3.6-5 (embed; bug #504172)
    - opendb <unfixed> (embed; bug #504173)
    - wordpress <unfixed> (embed; bug #443948)
    - moodle <unfixed> (embed)
    - phpgroupware-felamimail <unfixed> (embed)
    NOTE: phpgroupware-felamimail is only in etch
    - magpierss 0.72-3 (embed; bug #431089)

jquery
    - zekr <unfixed> (embed)
    - wordpress <unfixed> (embed)
    - yocto-reader <unfixed> (embed)
    - textpattern <unfixed> (embed)
    - genshi <unfixed> (embed)
    NOTE: compressed file under examples/ dir
    - prewikka <unfixed> (embed)
    - libramaze-ruby <unfixed> (embed)
    - drupal5 <unfixed> (embed)
    - b2evolution <unfixed> (embed)

kses
    - wordpress <unfixed> (embed; bug #504242)
    NOTE: their copy has all methods renamed to wp_<foo>
    - moodle <unfixed> (embed)
    - egroupware-core <unfixed> (embed)

magpierss
    - wordpress <unfixed> (embed; bug #504242)

php-gettext
    - wordpress <unfixed> (embed; bug #504242)

libphp-ixr (name may change, it is the Incutio XML-RPC)
    - wordpress <unfixed> (embed; bug #504242)
    - dokuwiki <unfixed> (embed)
    - textpattern <unfixed> (embed)

domxml-php4-to-php5.php
    - glpi <unfixed> (embed)
    - moodle <unfixed> (embed; bug #496069)

scriptaculous
    - glpi <unfixed> (embed)
    - libaws-doc <unfixed> (embed)
    - op-panel <unfixed> (embed)
    - symfony <unfixed> (embed)
    NOTE: maintainer says there are extra incompatible changes required
    - pixelpost <unfixed> (embed)
    - python-webhelpers <unfixed> (embed)
    - qwik <unfixed> (embed)
    - smokeping <unfixed> (embed)
    - turba2 <unfixed> (embed)
    - typo3-src <unfixed> (embed)

libmarkdown-php
    - moodle <unfixed> (embed)
    - pixelpost <unfixed> (embed)

php-openid
    - wordpress-openid <itp> (embed)