Contents of /data/embedded-code-copies

Revision 10253
Mon Nov 3 10:36:57 2008 UTC (4 years, 6 months ago) by jmm-guest
File size: 16719 byte(s)
mahara fixed

Embedded code copies
====================

This file collects source packages that embed code from other projects.
This is considered bad for fixing security flaws because the fix needs
to be applied in multiple source packages.

Format:
<srcpkg> (<optional comment about srcpkg>)
	- <embedding srcpkg> <status> (<sort>; bug #<number>)
	NOTE: optional comments about the linkage of the embedding srcpkg

status: version number fixing the embedded copy, <unfixed>, <removed>,
        <itp> or <unknown> if the version number can not be determined
        <unfixable> for unavoidable cases (e.g., forks that add real value)
sort:   static (linking statically against a lib)
        embed (embedding a copy of the library into another source package)
        fork (the package is not just embedding code but it is a fork and
              thus might share parts of the source code)
        old-version (the package is an older version of essentially
                     the same code)

The srcpkg might be some string to identify the code if there is no
specific source package.

Everything up to the next line is ignored.
---BEGIN
xpdf (some srcpkgs use xpdf2 code, some xpdf3 code)
	NOTE: Fixed packages link to poppler library unless otherwise noted
	- gpdf <removed>
	[sarge] - gpdf <unfixed>
	NOTE: has been replaced by evince in etch
	- pdftohtml <unknown>
	[sarge] - pdftohtml <unfixed>
	[etch] - pdftohtml <unfixed>
	NOTE: has been replaced by poppler-utils
	- kdegraphics <unfixed> (embed; bug #436164)
	NOTE: the kpdf replacement in KDE 4 is using poppler
	- texlive-base 3.0-12 (embed)
	- texlive-bin 2007-1 (embed)
	NOTE: links to poppler
	- koffice <unfixed> (embed; bug #436163)
	- libextractor 0.5.12-1 (embed)
	NOTE: libextractor is using its own pdf decoder now
	- libextractor 0.5.12-1 (embed)
	- pdfkit.framework 0.8-4 (embed)
	- ipe <unfixed> (embed)
	NOTE: embeds small parts with renamed source files: ipestdfonts.cpp, ipefonts.cpp, ipedct.cpp
	- ruby-gnome2 <unknown> (embed)
	NOTE: copy only present in source but links to poppler

ppmd
	- libcomplearn-mod-ppmd <unfixed> (embed; bug #458152)

peercast
	- gnome-peercast <unfixed> (embed)
	NOTE: gnome-peercast may better be removed, see #466539

silc-toolkit
	- silc-client 1.1~beta6-1 (embed)

dietlibc
	- ccontrol 0.9.1+20071204-1 (static)

libiax
	- iaxmodem <unfixed> (embed)

zlib (lots of apps embed a copy, but link dynamically, but there are a few exceptions)
	- dpkg <unfixed> (embed)
	NOTE: see 18196.48620.491996.624772@davenant.relativity.greenend.org.uk on debian-devel for discussion
	- rsync <unfixed> (embed)
	NOTE: somehow derived code base
	- mono <unfixed> (embed)
	TODO: check mozilla
	- Linux kernels <unfixed> (embed)
	- pvpgn 1.7.8-2 (embed)
	- mrtg 2.12.2-1 (embed)
	- rpm <unknown> (embed)
	NOTE: pinged anibal since when rpm was fixed

libbz2
	- dpkg <unfixed> (static)

ekg
	- centericq <unfixed> (embed)
	- gaim <unfixed> (embed)
	- pidgin <unfixed> (embed) (links dynamically against libgadu)
	- kopete 4:3.3.2-5 (embed)
	- kadu <unfixed> (embed)
	- gadu <unfixed> (embed)
	NOTE: g/kadu not packaged in Debian yet

xmlrpc (which package is the "origin" of this code?)
	- drupal <unfixed> (embed)
	- phpgroupware <unfixed> (embed)
	- egroupware <unfixed> (embed)
	- phpwiki (embed)
	- php4 <unfixed> (embed)
	TODO: check, php-pear, IIRC this was reorganized some weeks ago?

shtool (affects build-time only)
	- mysql-ocaml <unfixed> (embed)
	- php4 <unfixed> (embed)

mozilla source code
	- mozilla-firefox <unfixed> (embed)
	- mozilla-thunderbird
	- firefox <removed>
	[etch] - firefox <unfixed> (embed)
	- thunderbird <removed>
	[etch] - thunderbird <unfixed> (embed)
	- iceweasel <unfixed> (embed)
	- iceape <unfixed> (embed)
	- icedove <unfixed> (embed)
	- xulrunner <unfixed> (embed)
	- nvu <removed> (embed)

xli
	- xloadimage <unfixed> (embed)

lesstif (beware: two different lesstif APIs supported in one package, MOTIF 1.2 discarded upstream)
	- openmotif <unfixed> (embed)
	- xfree86/xorg <unfixed> (embed)
	NOTE: in libxpm

kerberized apps with BSD origin
	- krb4 <unfixed> (embed)
	- krb5 <unfixed> (embed)
	- heimdal <unfixed> (embed)

grip (which pkg is the origin?)
	- libcdaudio
	- grip
	- gnome-vfs
	TODO: check vfs2 as well

fudforum
	- phpgroupware-fudforum <unfixed> (embed)
	- egroupware-fudforum <removed>
	[sarge] - egroupware-fudforum <unfixed> (embed)

cvs
	- gcvs <unfixed> (embed)
	NOTE: see cvsunix/src in tarball

pcre
	- python* <unfixed> (embed)
	- php4 <unknown> (embed)
	- analog 2:5.23-0woody1 (embed)
	- libgoffice-1 <unfixed> (embed)
	- vfu 4.06-4.1 (embed; bug #450754)
	- tf5 5.0beta7-1 (embed)
	- monotone <unfixed> (embed)
	NOTE: this only affects versions >= 0.37
	- glib2.0 2.15.2-1 (embed)
	- apache2 2.0.53-4 (embed)
	- exim4 4.10-0.srh20.12 (embed)
	- yacas <unfixed> (embed)
	NOTE: <= 1.0.x; is using pcre to scan text, can execute shell commands via the syntax anyway
	- gtamsanalyzer.app 0.42-5 (embed)
	- tin <unknown> (embed)
	- kazehakase 0.5.2-1
	- webkit <unfixed> (embed)
	- qt4-x11 <unfixed> (embed)
	NOTE: embedded via webkit copy

tiff
	- wxwindows2.4 2.2.1 (embed)

uudeview
	- libconvert-uulib-perl <unfixed> (embed)
	- pan <unfixed> (embed)

sqlite (not affected by security vulnerabilities so far)
	- amarok <unfixed> (embed)
	- monotone <unfixed> (embed)
	- iceweasel <unfixed> (embed)

util-linux/mount
	- loop-aes-utils <unfixed> (embed)
	NOTE: contains code from util-linux' mount in the mount-aes-udeb

webmin
	- usermin <unknown> (embed)
	[sarge] - usermin <unfixed> (embed)

sylpheed
	- sylpheed-claws <unfixed> (fork)

phpsysinfo
	- egroupware <unfixed> (embed)
	- phpgroupware <unfixed> (embed)

phpldapadmin
	[sarge] - egroupware <unfixed> (embed)
	NOTE: removed from egroupware after sarge

chmlib
	- kchmviewer <unknown> (embed)

libavcodec/libavformat (source: ffmpeg)
	- mplayer 1.0~rc2-14 (embed; bug #395252)
	- kino 1.0.0-1
	- vlc <not-affected> (Links dynamically since initial release)
	- smilutils 0.3.0-10
	NOTE: smilutils likely fixed earlier, marking Etch's version as fixed
	- motion 3.1.19-1
	- gstreamer0.10-ffmpeg 0.10.3-2
	- xmovie <unfixed>
	TODO: gimp-gap (potentially using ffmpeg code as well)

mad MPEG decoding lib
	- mad <unfixed> (embed)
	- xine-lib <unfixed> (embed)

libdts
	- xine-lib <unfixed> (embed)

flac
	- xine-lib <unfixed> (embed)

liba52
	- a52dec <unfixed> (embed)
	- xine-lib <unfixed> (embed)

libmpeg2
	- mpeg2dec <unfixed> (embed)
	- xine-lib <unfixed> (embed)

curl
	- wget <unfixed> (embed)
	NOTE: code for NTLM authentication

uw-imap
	- pine <unfixed> (embed)
	- alpine <unfixed> (embed)

imagemagick
	- graphicsmagick <unfixed> (fork)


halibut
	- nsis <unfixed> (embed)

libghttp
	- hotway <unfixed> (embed)

libsndfile
	- ardour <unfixed> (embed)

glibmm2.4
	- ardour <unfixed> (embed)

libgnomecanvasmm2.6
	- ardour <unfixed> (embed)

libsigc++-2.0
	- ardour <unfixed> (embed)

soundtouch
	- ardour <unfixed> (embed)

libmms
	- xine-lib <unfixed> (embed)
	- mimms <unfixed> (embed)

fckeditor
	- knowledgeroot 0.9.8.5-3 (embed; bug #461555)
	- moin <unfixed> (embed; bug #452599)
	- karrigell <removed> (embed; bug #452598)
	- gforge-plugins-extra 4.6.99+svn6225-1 (embed)

ipatlas (not packaged in Debian)
	- moodle <unfixed> (embed)

libphp-phpmailer
	- moodle <unfixed> (embed)
	- mahara <unfixed> (embed)
	- symfony <unfixed> (embed)
	- phpgroupware-felamimail <unfixed> (embed)
	NOTE: phpgroupware-felamimail is only in etch
	- egroupware <unfixed> (embed; bug #504283)

htmlArea (not packaged in Debian)
	- moodle <unfixed> (embed)

giflib:
	- wine <unfixed> (embed; bug #466181)

bennu (not packaged in Debian)
	- moodle <unfixed> (embed)

smarty:
	- moodle <unfixed> (embed; bug #471158)
	- gallery2 2.2.5-2 (embed; bug #471160)
	- mahara 0.9.2-2 (embed; bug #471201)
	- gosa 2.4beta1-1 (embed; bug #471200)

TinyMCE
	- wordpress 2.5.1-3 (embed; bug #478257)
	- moodle <unfixed> (embed)
	- knowledgeroot <unfixed> (embed)
	- joomla <itp> (bug #326398)

scintilla
	- scite <unfixed> (embed)
	- qscintilla <unfixed> (embed)
	- qscintilla2 <unfixed> (embed)
	- geany <unfixed> (embed)

libphp-adodb
	- moodle <unfixed> (embed)
	NOTE: also AdoDB-XML Schema
	- gallery2 <unfixed> (embed)
	- phppgadmin <unfixed> (embed)
	- egroupware <unfixed> (embed)
	- phpwiki <unfixed> (embed)
	- ipplan <unfixed> (embed)
	- typo3 <unfixed> (embed)
	- moodle <unfixed> (embed)
	- cacti <unknown> (embed)
	[sarge] - cacti <unfixed> (embed)
	NOTE: dependency exists, but internal version is used
	- gforge <unfixed> (embed)
	- mahara <unfixed> (embed)

gzip
	- linux-kernel <unfixed> (embed)
	NOTE: lib/inflate.c
	- klibc <unfixed> (embed)
	NOTE: based on linux-kernel gzip code
	- busybox <unfixed> (embed)

neon
	- cadaver <unfixed> (embed; bug #188381)
	- gnome-vfs2 <unfixed> (embed; bug #395874)
	- litmus <unfixed> (embed; bug #395875)
	[sarge] - screem <unfixed> (embed)
	- sitecopy <unfixed> (embed; bug #395876)
	[etch] - tla <unfixed> (embed; bug #395877)
	[sarge] - tla <unfixed> (embed; bug #395877)

libmodplug
	- gst-plugins-bad0.10 <unfixed> (embed)

libvncserver
	- vino <unfixed> (embed)

putty
	- filezilla <unfixed> (embed)

tinyxml (not packaged in Debian)
	- filezilla <unfixed>

gv
	- evince <unfixed> (embed)
	NOTE: ps/ tree from gv 3.5.8
	- evince-gtk <unfixed> (embed)
	NOTE: not packaged in Debian

libXbae
	[etch] - libpawlib2-lesstif <unfixed> (embed)
	NOTE: from Cernlib

libXaw
	[etch] - libpawlib2-lesstif
	NOTE: from Cernlib
	NOTE: I plan to deal with the above two cases after Etch release. -- KevinMcCarty

libgd2
	- graphviz <unfixed> (embed)
	NOTE: lib/gd seems to be 2.0.33
	- wml <unfixed> (embed)
	NOTE: derived from gd 1.6.3

rar
	- unrar-nonfree <unfixed> (embed)

unrar-free (maybe this code is derived from the original rar, too?)
	- clamav <unfixed> (embed)
	NOTE: seems to be disabled in default config

mplayer (DirectMedia Object loader)
	- xine-lib <unfixed> (embed)
	NOTE: src/libw32dll/
	- vlc <unfixed> (embed)
	NOTE: modules/codec/dmo/

libwpd (WordPerfect converter)
	- openoffice.org <unfixed> (embed)

fsplib (http://sourceforge.net/projects/fsp/)
	- gftp <unfixed> (embed)
	NOTE: lib/fsplib version 0.3

sprng
	- tree-puzzle <unfixed> (embed)

librpcsecgss
	- krb5 <unfixed> (embed)

jasper
	- ghostscript <unfixed> (embed)
	- gs-gpl <unfixed> (embed)

libidn
	- monotone <unfixed> (embed)

liblua
	- monotone <unfixed> (embed)

libbotan
	- monotone <unfixed> (embed)

NetXX
	- monotone <unfixed> (embed)

libgc
	- mono <unfixed> (embed)

lzma
	- p7zip <unfixed> (embed)

lzo
	- grub2 <unfixed> (embed)

yassl
	- mysql-dfsg-5.0 <unfixed> (embed)

pax code
	- tar <unfixed> (embed)
	- cpio <unfixed> (embed)

t1lib
	- tetex-bin 2.0.2-1 (embed)
	- texlive-bin <unknown> (embed)

guichan
	- boswars <unfixed> (embed)
	NOTE: maintainer notified us, working on it

tolua
	- boswars <unfixed> (embed)
	NOTE: maintainer notified us, working on it

asio-dev
	- luxrender <unfixed> (embed)
	NOTE: maintainer notified us, working on it
	NOTE: may be merged with boost "soon"

xine-lib
	- vlc <unfixed> (embed)
	NOTE: only parts included in modules/access/rtsp

netpbm
	- tcl8.3 <unfixed> (embed)
	- tcl8.4 <unfixed> (embed)
	- tcl8.5 <unfixed> (embed)
	NOTE: generic/tkImgGIF.c

tk8.5
	- tk8.0 <removed> (old-version)
	- tk8.3 <unfixed> (old-version)
	- tk8.4 <unfixed> (old-version)
	- perl-tk <unfixable> (fork)

samba
	- mc <unfixed> (embed)
	NOTE: maintainer is aware of this, currently searching a solution

plib1.8.4c2
	- boson <unfixed> (fork)
	NOTE: embedding the font pieces of plib, based on the header file it is forked, contains "Added by AB for boson." and similar

fribidi
	- quesoglc <unfixed> (embed)

glew
	- quesoglc <unfixed> (embed)

minorGems
	- transcend <unfixed> (embed)
	- cultivation <unfixed> (embed)

tar
	- libarchive <unfixed> (embed)
	NOTE: FreeBSD tar (tar/bsdtar.c) in libarchive 1.2 and higher. libarchive ends up statically linked into bsdtar executable

cpio
	- libarchive <unfixed> (embed)
	NOTE: cpio included in libarchive 2.2 and higher, but not compiled until libarchive 2.4.11-1 (as bsdcpio package)

webkit
	- qt4-x11 <unfixed> (embed)

ftgl
	- blender 2.46+dfsg-1 (embed)

wv
	- abiword <unfixed>

qemu
	- kvm <unfixed> (embed)
	- xen-3 <unfixed> (embed)
	- xen-unstable <unfixed> (embed)

bochs
	- kvm <unfixed> (embed; bug #489442)

speex
	- vorbis-tools <unfixed> (embed)
	NOTE: while compiled against libspeex-dev, ogg123/speex_format.c is compiled with embedded code copied from speexdec.c
	- gst-plugins-good0.10 <unfixed> (embed)
	- xine-lib <unfixed> (embed)
	- libfishsound <unfixed> (embed)
	- libannodex <unfixed> (embed)
	- vlc <unfixed> (embed)
	- xmms-speex <unfixed> (embed)
	- libsdl-sound1.2 <unfixed> (embed)
	- sweep <unfixed> (embed)

libreadline
	- magic <unfixed> (old-version)
	NOTE: magic is currently an RFS

opcode
	- ode <unfixed> (embed)
	NOTE: opcode is not a package in debian, it is just embedded
	NOTE: http://www.codercorner.com/Opcode.htm

gimpact
	- ode <unfixed> (embed)
	NOTE: gimpact is not a package in debian, it is just embedded
	NOTE: http://gimpact.sf.net

mochikit
	- mahara <unfixed> (embed)
	NOTE: they require extra patches, still unmerged upstream
	- ntop <unfixed> (embed)
	- python-coherence <unfixed> (embed)
	- python-paste <unfixed> (embed)
	- python-turbogears <unfixed> (embed)
	- zope-plone3 <unfixed> (embed)

prototype
	- netbeans-ide <unfixed> (embed)
	- auth2db-frontend <unfixed> (embed)
	- citadel-webcit <unfixed> (embed)
	- asterisk <unfixed> (embed)
	- doc-iana <unfixed> (embed)
	- libaws-doc <unfixed> (embed)
	- libgettext-ruby-data <unfixed> (embed)
	- libjson-ruby-doc <unfixed> (embed)
	- liblucene2-java-doc <unfixed> (embed)
	- libopenid-ruby <unfixed> (embed)
	- solr-common <unfixed> (embed)
	- glpi <unfixed> (embed)
	- hobbix <unfixed> (embed)
	- mnemo2 <unfixed> (embed)
	- nag2 <unfixed> (embed)
	- knowledgeroot <unfixed> (embed)
	- mediatomb-common <unfixed> (embed)
	- mt-daapd <unfixed> (embed)
	- op-panel <unfixed> (embed)
	- ebug-http <unfixed> (embed)
	- phpgedview <removed> (embed)
	- poker-web <unfixed> (embed)
	- python-webhelpers <unfixed> (embed)
	- qwik <unfixed> (embed)
	- rails <unfixed> (embed)
	- typo3-src-4.1 <unfixed> (embed)
	- wordpress <unfixed> (embed)
	- zope-plone3 <unfixed> (embed)
	- smokeping <unfixed> (embed)
	- ampache 3.4.1-2 (embed)
	- exaile <unfixed> (embed)
	- hobix <unfixed> (embed)
	- pixelpost <unfixed> (embed)
	- symfony <unfixed> (embed)
	NOTE: it's been said that there are custom changes
	- zabbix-frontend-php <unfixed> (embed)
	- turba2 <unfixed> (embed)

gdb
	- insight <unfixed> (embed)

e2fsprogs
	- ldiskfsprogs <unfixable> (fork)

quazip (not packaged in Debian)
	- qcake <unfixed> (embed)
	NOTE: starting with upstream version 0.6.4

exo
	- pcmanfm <unfixed> (embed; bug #499677)
	NOTE: slightly modified source code

java
	- openjdk-6 <unfixed>
	- sun-java5 <unfixed>
	- sun-java6 <unfixed>

libphp-snoopy
	- ampache 3.4.1-2 (embed; bug #504169)
	- mahara 1.0.5-2 (embed; bug #504170)
	- pixelpost <unfixed> (embed; bug #504171)
	- mediamate 0.9.3.6-5 (embed; bug #504172)
	- opendb <unfixed> (embed; bug #504173)
	- wordpress <unfixed> (embed; bug #443948)
	- moodle <unfixed> (embed)
	- phpgroupware-felamimail <unfixed> (embed)
	NOTE: phpgroupware-felamimail is only in etch
	- magpierss 0.72-3 (embed; bug #431089)

jquery
	- zekr <unfixed> (embed)
	- wordpress <unfixed> (embed)
	- yocto-reader <unfixed> (embed)
	- textpattern <unfixed> (embed)
	- genshi <unfixed> (embed)
	NOTE: compressed file under examples/ dir
	- prewikka <unfixed> (embed)
	- libramaze-ruby <unfixed> (embed)
	- drupal5 <unfixed> (embed)
	- b2evolution <unfixed> (embed)

kses
	- wordpress <unfixed> (embed; bug #504242)
	NOTE: their copy has all methods renamed to wp_<foo>
	- moodle <unfixed> (embed)
	- egroupware-core <unfixed> (embed)

magpierss
	- wordpress <unfixed> (embed; bug #504242)

php-gettext
	- wordpress <unfixed> (embed; bug #504242)

libphp-ixr (name may change, it is the Incutio XML-RPC)
	- wordpress <unfixed> (embed; bug #504242)
	- dokuwiki <unfixed> (embed)
	- textpattern <unfixed> (embed)

domxml-php4-to-php5.php
	- glpi <unfixed> (embed)
	- moodle <unfixed> (embed; bug #496069)

scriptaculous
	- glpi <unfixed> (embed)
	- libaws-doc <unfixed> (embed)
	- op-panel <unfixed> (embed)
	- symfony <unfixed> (embed)
	NOTE: maintainer says there are extra incompatible changes required
	- pixelpost <unfixed> (embed)
	- python-webhelpers <unfixed> (embed)
	- qwik <unfixed> (embed)
	- smokeping <unfixed> (embed)
	- turba2 <unfixed> (embed)
	- typo3-src <unfixed> (embed)

libmarkdown-php
	- moodle <unfixed> (embed)
	- pixelpost <unfixed> (embed)

php-openid
	- wordpress-openid <itp> (embed)
