/[secure-testing]/data/embedded-code-copies

Contents of /data/embedded-code-copies



Revision 10291
Wed Nov 5 22:21:06 2008 UTC (4 years, 6 months ago) by nion
File size: 16786 byte(s)
fix broken embedded-code-copies entry for gadu, ekg also affected by CVE-2008-4776 and fixed in 1:1.8~rc0-1
Embedded code copies
====================

This file collects source packages that embed code from other projects.
This is considered bad for fixing security flaws because the fix needs
to be applied in multiple source packages.

Format:
<srcpkg> (<optional comment about srcpkg>)
    - <embedding srcpkg> <status> (<sort>; bug #<number>)
    NOTE: optional comments about the linkage of the embedding srcpkg

status: version number fixing the embedded copy, <unfixed>, <removed>,
        <itp> or <unknown> if the version number can not be determined
        <unfixable> for unavoidable cases (e.g., forks that add real value)
sort: static (linking statically against a lib)
      embed (embedding a copy of the library into another source package)
      fork (the package is not just embedding code but it is a fork and
           thus might share parts of the source code)
      old-version (the package is an older version of essentially
                   the same code)

The srcpkg might be some string to identify the code if there is no
specific source package.

Everything up to the next line is ignored.
---BEGIN
xpdf (some srcpkgs use xpdf2 code, some xpdf3 code)
    NOTE: Fixed packages link to poppler library unless otherwise noted
    - gpdf <removed>
    [sarge] - gpdf <unfixed>
    NOTE: has been replaced by evince in etch
    - pdftohtml <unknown>
    [sarge] - pdftohtml <unfixed>
    [etch] - pdftohtml <unfixed>
    NOTE: has been replaced by poppler-utils
    - kdegraphics <unfixed> (embed; bug #436164)
    NOTE: the kpdf replacement in KDE 4 is using poppler
    - texlive-base 3.0-12 (embed)
    - texlive-bin 2007-1 (embed)
    NOTE: links to poppler
    - koffice <unfixed> (embed; bug #436163)
    - libextractor 0.5.12-1 (embed)
    NOTE: libextractor is using its own pdf decoder now
    - libextractor 0.5.12-1 (embed)
    - pdfkit.framework 0.8-4 (embed)
    - ipe <unfixed> (embed)
    NOTE: embeds small parts with renamed source files: ipestdfonts.cpp, ipefonts.cpp, ipedct.cpp
    - ruby-gnome2 <unknown> (embed)
    NOTE: copy only present in source but links to poppler

ppmd
    - libcomplearn-mod-ppmd <unfixed> (embed; bug #458152)

peercast
    - gnome-peercast <unfixed> (embed)
    NOTE: gnome-peercast may better be removed, see #466539

silc-toolkit
    - silc-client 1.1~beta6-1 (embed)

dietlibc
    - ccontrol 0.9.1+20071204-1 (static)

libiax
    - iaxmodem <unfixed> (embed)

zlib (lots of apps embed a copy, but link dynamically, but there are a few exceptions)
    - dpkg <unfixed> (embed)
    NOTE: see 18196.48620.491996.624772@davenant.relativity.greenend.org.uk on debian-devel for discussion
    - rsync <unfixed> (embed)
    NOTE: somehow derived code base
    - mono <unfixed> (embed)
    TODO: check mozilla
    - Linux kernels <unfixed> (embed)
    - pvpgn 1.7.8-2 (embed)
    - mrtg 2.12.2-1 (embed)
    - rpm <unknown> (embed)
    NOTE: pinged anibal since when rpm was fixed

libbz2
    - dpkg <unfixed> (static)

libgadu:
    - centericq <unfixed> (embed)
    - gaim <unfixed> (embed)
    - pidgin <unfixed> (embed) (links dynamically against libgadu)
    - kopete 4:3.3.2-5 (embed)
    - kadu 0.6.0.2-3 (embed)
    - gadu <unfixed> (embed)
    - ekg 1:1.8~rc0-1 (embed)
    - kadu <unfixed> (embed; bug #504430)
    NOTE: gadu not packaged in Debian yet

xmlrpc (which package is the "origin" of this code?)
    - drupal <unfixed> (embed)
    - phpgroupware <unfixed> (embed)
    - egroupware <unfixed> (embed)
    - phpwiki (embed)
    - php4 <unfixed> (embed)
    TODO: check, php-pear, IIRC this was reorganized some weeks ago?

shtool (affects build-time only)
    - mysql-ocaml <unfixed> (embed)
    - php4 <unfixed> (embed)

mozilla source code
    - mozilla-firefox <unfixed> (embed)
    - mozilla-thunderbird
    - firefox <removed>
    [etch] - firefox <unfixed> (embed)
    - thunderbird <removed>
    [etch] - thunderbird <unfixed> (embed)
    - iceweasel <unfixed> (embed)
    - iceape <unfixed> (embed)
    - icedove <unfixed> (embed)
    - xulrunner <unfixed> (embed)
    - nvu <removed> (embed)

xli
    - xloadimage <unfixed> (embed)

lesstif (beware: two different lesstif APIs supported in one package, MOTIF 1.2 discarded upstream)
    - openmotif <unfixed> (embed)
    - xfree86/xorg <unfixed> (embed)
    NOTE: in libxpm

kerberized apps with BSD origin
    - krb4 <unfixed> (embed)
    - krb5 <unfixed> (embed)
    - heimdal <unfixed> (embed)

grip (which pkg is the origin?)
    - libcdaudio
    - grip
    - gnome-vfs
    TODO: check vfs2 as well

fudforum
    - phpgroupware-fudforum <unfixed> (embed)
    - egroupware-fudforum <removed>
    [sarge] - egroupware-fudforum <unfixed> (embed)

cvs
    - gcvs <unfixed> (embed)
    NOTE: see cvsunix/src in tarball

pcre
    - python* <unfixed> (embed)
    - php4 <unknown> (embed)
    - analog 2:5.23-0woody1 (embed)
    - libgoffice-1 <unfixed> (embed)
    - vfu 4.06-4.1 (embed; bug #450754)
    - tf5 5.0beta7-1 (embed)
    - monotone <unfixed> (embed)
    NOTE: this only affects versions >= 0.37
    - glib2.0 2.15.2-1 (embed)
    - apache2 2.0.53-4 (embed)
    - exim4 4.10-0.srh20.12 (embed)
    - yacas <unfixed> (embed)
    NOTE: <= 1.0.x; is using pcre to scan text, can execute shell commands via the syntax anyway
    - gtamsanalyzer.app 0.42-5 (embed)
    - tin <unknown> (embed)
    - kazehakase 0.5.2-1
    - webkit <unfixed> (embed)
    - qt4-x11 <unfixed> (embed)
    NOTE: embedded via webkit copy

tiff
    - wxwindows2.4 2.2.1 (embed)

uudeview
    - libconvert-uulib-perl <unfixed> (embed)
    - pan <unfixed> (embed)

sqlite (not affected by security vulnerabilities so far)
    - amarok <unfixed> (embed)
    - monotone <unfixed> (embed)
    - iceweasel <unfixed> (embed)

util-linux/mount
    - loop-aes-utils <unfixed> (embed)
    NOTE: contains code from util-linux' mount in the mount-aes-udeb

webmin
    - usermin <unknown> (embed)
    [sarge] - usermin <unfixed> (embed)

sylpheed
    - sylpheed-claws <unfixed> (fork)

phpsysinfo
    - egroupware <unfixed> (embed)
    - phpgroupware <unfixed> (embed)

phpldapadmin
    [sarge] - egroupware <unfixed> (embed)
    NOTE: removed from egroupware after sarge

chmlib
    - kchmviewer <unknown> (embed)

libavcodec/libavformat (source: ffmpeg)
    - mplayer 1.0~rc2-14 (embed; bug #395252)
    - kino 1.0.0-1
    - vlc <not-affected> (Links dynamically since initial release)
    - smilutils 0.3.0-10
    NOTE: smilutils likely fixed earlier, marking Etch's version as fixed
    - motion 3.1.19-1
    - gstreamer0.10-ffmpeg 0.10.3-2
    - xmovie <unfixed>
    TODO: gimp-gap (potentially using ffmpeg code as well)

mad MPEG decoding lib
    - mad <unfixed> (embed)
    - xine-lib <unfixed> (embed)

libdts
    - xine-lib <unfixed> (embed)

flac
    - xine-lib <unfixed> (embed)

liba52
    - a52dec <unfixed> (embed)
    - xine-lib <unfixed> (embed)

libmpeg2
    - mpeg2dec <unfixed> (embed)
    - xine-lib <unfixed> (embed)

curl
    - wget <unfixed> (embed)
    NOTE: code for NTLM authentication

uw-imap
    - pine <unfixed> (embed)
    - alpine <unfixed> (embed)

imagemagick
    - graphicsmagick <unfixed> (fork)


halibut
    - nsis <unfixed> (embed)

libghttp
    - hotway <unfixed> (embed)

libsndfile
    - ardour <unfixed> (embed)

glibmm2.4
    - ardour <unfixed> (embed)

libgnomecanvasmm2.6
    - ardour <unfixed> (embed)

libsigc++-2.0
    - ardour <unfixed> (embed)

soundtouch
    - ardour <unfixed> (embed)

libmms
    - xine-lib <unfixed> (embed)
    - mimms <unfixed> (embed)

fckeditor
    - knowledgeroot 0.9.8.5-3 (embed; bug #461555)
    - moin <unfixed> (embed; bug #452599)
    - karrigell <removed> (embed; bug #452598)
    - gforge-plugins-extra 4.6.99+svn6225-1 (embed)

ipatlas (not packaged in Debian)
    - moodle <unfixed> (embed)

libphp-phpmailer
    - moodle <unfixed> (embed)
    - mahara <unfixed> (embed)
    - symfony <unfixed> (embed)
    - phpgroupware-felamimail <unfixed> (embed)
    NOTE: phpgroupware-felamimail is only in etch
    - egroupware <unfixed> (embed; bug #504283)

htmlArea (not packaged in Debian)
    - moodle <unfixed> (embed)

giflib:
    - wine <unfixed> (embed; bug #466181)

bennu (not packaged in Debian)
    - moodle <unfixed> (embed)

smarty:
    - moodle <unfixed> (embed; bug #471158)
    - gallery2 2.2.5-2 (embed; bug #471160)
    - mahara 0.9.2-2 (embed; bug #471201)
    - gosa 2.4beta1-1 (embed; bug #471200)

TinyMCE
    - wordpress 2.5.1-3 (embed; bug #478257)
    - moodle <unfixed> (embed)
    - knowledgeroot <unfixed> (embed)
    - joomla <itp> (bug #326398)

scintilla
    - scite <unfixed> (embed)
    - qscintilla <unfixed> (embed)
    - qscintilla2 <unfixed> (embed)
    - geany <unfixed> (embed)

libphp-adodb
    - moodle <unfixed> (embed)
    NOTE: also AdoDB-XML Schema
    - gallery2 <unfixed> (embed)
    - phppgadmin <unfixed> (embed)
    - egroupware <unfixed> (embed)
    - phpwiki <unfixed> (embed)
    - ipplan <unfixed> (embed)
    - typo3 <unfixed> (embed)
    - moodle <unfixed> (embed)
    - cacti <unknown> (embed)
    [sarge] - cacti <unfixed> (embed)
    NOTE: dependency exists, but internal version is used
    - gforge <unfixed> (embed)
    - mahara <unfixed> (embed)

gzip
    - linux-kernel <unfixed> (embed)
    NOTE: lib/inflate.c
    - klibc <unfixed> (embed)
    NOTE: based on linux-kernel gzip code
    - busybox <unfixed> (embed)

neon
    - cadaver <unfixed> (embed; bug #188381)
    - gnome-vfs2 <unfixed> (embed; bug #395874)
    - litmus <unfixed> (embed; #395875)
    [sarge] - screem <unfixed> (embed)
    - sitecopy <unfixed> (embed; bug #395876)
    [etch] - tla <unfixed> (embed; bug #395877)
    [sarge] - tla <unfixed> (embed; bug #395877)

libmodplug
    - gst-plugins-bad0.10 <unfixed> (embed)

libvncserver
    - vino <unfixed> (embed)

putty
    - filezilla <unfixed> (embed)

tinyxml (not packaged in Debian)
    - filezilla <unfixed>

gv
    - evince <unfixed> (embed)
    NOTE: ps/ tree from gv 3.5.8
    - evince-gtk <unfixed> (embed)
    NOTE: not packaged in Debian

libXbae
    [etch] - libpawlib2-lesstif <unfixed> (embed)
    NOTE: from Cernlib

libXaw
    [etch] - libpawlib2-lesstif
    NOTE: from Cernlib
    NOTE: I plan to deal with the above two cases after Etch release. -- KevinMcCarty

libgd2
    - graphviz <unfixed> (embed)
    NOTE: lib/gd seems to be 2.0.33
    - wml <unfixed> (embed)
    NOTE: derived from gd 1.6.3

rar
    - unrar-nonfree <unfixed> (embed)

unrar-free (maybe this code is derived from the original rar, too?)
    - clamav <unfixed> (embed)
    NOTE: seems to be disabled in default config

mplayer (DirectMedia Object loader)
    - xine-lib <unfixed> (embed)
    NOTE: src/libw32dll/
    - vlc <unfixed> (embed)
    NOTE: modules/codec/dmo/

libwpd (WordPerfect converter)
    - openoffice.org <unfixed> (embed)

fsplib (http://sourceforge.net/projects/fsp/)
    - gftp <unfixed> (embed)
    NOTE: lib/fsplib version 0.3

sprng
    - tree-puzzle <unfixed> (embed)

librpcsecgss
    - krb5 <unfixed> (embed)

jasper
    - ghostscript <unfixed> (embed)
    - gs-gpl <unfixed> (embed)

libidn
    - monotone <unfixed> (embed)

liblua
    - monotone <unfixed> (embed)

libbotan
    - monotone <unfixed> (embed)

NetXX
    - monotone <unfixed> (embed)

libgc
    - mono <unfixed> (embed)

lzma
    - p7zip <unfixed> (embed)

lzo
    - grub2 <unfixed> (embed)

yassl
    - mysql-dfsg-5.0 <unfixed> (embed)

pax code
    - tar <unfixed> (embed)
    - cpio <unfixed> (embed)

t1lib
    - tetex-bin 2.0.2-1 (embed)
    - texlive-bin <unknown> (embed)

guichan
    - boswars <unfixed> (embed)
    NOTE: maintainer notified us, working on it

tolua
    - boswars <unfixed> (embed)
    NOTE: maintainer notified us, working on it

asio-dev
    - luxrender <unfixed> (embed)
    NOTE: maintainer notified us, working on it
    NOTE: may be merged with boost "soon"

xine-lib
    - vlc <unfixed> (embed)
    NOTE: only parts included in modules/access/rtsp

netpbm
    - tcl8.3 <unfixed> (embed)
    - tcl8.4 <unfixed> (embed)
    - tcl8.5 <unfixed> (embed)
    NOTE: generic/tkImgGIF.c

tk8.5
    - tk8.0 <removed> (old-version)
    - tk8.3 <unfixed> (old-version)
    - tk8.4 <unfixed> (old-version)
    - perl-tk <unfixable> (fork)

samba
    - mc <unfixed> (embed)
    NOTE: maintainer is aware of this, currently searching a solution

plib1.8.4c2
    - boson <unfixed> (fork)
    NOTE: embedding the font pieces of plib, based on the header file it is forked, contains "Added by AB for boson." and similar

fribidi
    - quesoglc <unfixed> (embed)

glew
    - quesoglc <unfixed> (embed)

minorGems
    - transcend <unfixed> (embed)
    - cultivation <unfixed> (embed)

tar
    - libarchive <unfixed> (embed)
    NOTE: FreeBSD tar (tar/bsdtar.c) in libarchive 1.2 and higher. libarchive ends up statically linked into bsdtar executable

cpio
    - libarchive <unfixed> (embed)
    NOTE: cpio included in libarchive 2.2 and higher, but not compiled until libarchive 2.4.11-1 (as bsdcpio package)

webkit
    - qt4-x11 <unfixed> (embed)

ftgl
    - blender 2.46+dfsg-1 (embed)

wv
    - abiword <unfixed>

qemu
    - kvm <unfixed> (embed)
    - xen-3 <unfixed> (embed)
    - xen-unstable <unfixed> (embed)

bochs
    - kvm <unfixed> (embed; bug #489442)

speex
    - vorbis-tools <unfixed> (embed)
    NOTE: while compiled against libspeex-dev, ogg123/speex_format.c is compiled with embedded code copied from speexdec.c
    - gst-plugins-good0.10 <unfixed> (embed)
    - xine-lib <unfixed> (embed)
    - libfishsound <unfixed> (embed)
    - libannodex <unfixed> (embed)
    - vlc <unfixed> (embed)
    - xmms-speex <unfixed> (embed)
    - libsdl-sound1.2 <unfixed> (embed)
    - sweep <unfixed> (embed)

libreadline
    - magic <unfixed> (old-version)
    NOTE: magic is currently an RFS

opcode
    - ode <unfixed> (embed)
    NOTE: opcode is not a package in debian, it is just embedded
    NOTE: http://www.codercorner.com/Opcode.htm

gimpact
    - ode <unfixed> (embed)
    NOTE: gimpact is not a package in debian, it is just embedded
    NOTE: http://gimpact.sf.net

mochikit
    - mahara <unfixed> (embed)
    NOTE: they require extra patches, still unmerged upstream
    - ntop <unfixed> (embed)
    - python-coherence <unfixed> (embed)
    - python-paste <unfixed> (embed)
    - python-turbogears <unfixed> (embed)
    - zope-plone3 <unfixed> (embed)

prototype
    - netbeans-ide <unfixed> (embed)
    - auth2db-frontend <unfixed> (embed)
    - citadel-webcit <unfixed> (embed)
    - asterisk <unfixed> (embed)
    - doc-iana <unfixed> (embed)
    - libaws-doc <unfixed> (embed)
    - libgettext-ruby-data <unfixed> (embed)
    - libjson-ruby-doc <unfixed> (embed)
    - liblucene2-java-doc <unfixed> (embed)
    - libopenid-ruby <unfixed> (embed)
    - solr-common <unfixed> (embed)
    - glpi <unfixed> (embed)
    - hobbix <unfixed> (embed)
    - mnemo2 <unfixed> (embed)
    - nag2 <unfixed> (embed)
    - knowledgeroot <unfixed> (embed)
    - mediatomb-common <unfixed> (embed)
    - mt-daapd <unfixed> (embed)
    - op-panel <unfixed> (embed)
    - ebug-http <unfixed> (embed)
    - phpgedview <removed> (embed)
    - poker-web <unfixed> (embed)
    - python-webhelpers <unfixed> (embed)
    - qwik <unfixed> (embed)
    - rails <unfixed> (embed)
    - typo3-src-4.1 <unfixed> (embed)
    - wordpress <unfixed> (embed)
    - zope-plone3 <unfixed> (embed)
    - smokeping <unfixed> (embed)
    - ampache 3.4.1-2 (embed)
    - exaile <unfixed> (embed)
    - hobix <unfixed> (embed)
    - pixelpost <unfixed> (embed)
    - symfony <unfixed> (embed)
    NOTE: it's been said that there are custom changes
    - zabbix-frontend-php <unfixed> (embed)
    - turba2 <unfixed> (embed)

gdb
    - insight <unfixed> (embed)

e2fsprogs
    - ldiskfsprogs <unfixable> (fork)

quazip (not packaged in Debian)
    - qcake <unfixed> (embed)
    NOTE: starting with upstream version 0.6.4

exo
    - pcmanfm <unfixed> (embed; bug #499677)
    NOTE: slightly modified source code

java
    - openjdk-6 <unfixed>
    - sun-java5 <unfixed>
    - sun-java6 <unfixed>

libphp-snoopy
    - ampache 3.4.1-2 (embed; bug #504169)
    - mahara 1.0.5-2 (embed; bug #504170)
    - pixelpost <unfixed> (embed; bug #504171)
    - mediamate 0.9.3.6-5 (embed; bug #504172)
    - opendb <unfixed> (embed; bug #504173)
    - wordpress 2.5.1-9 (embed; bug #443948)
    - moodle <unfixed> (embed)
    - phpgroupware-felamimail <unfixed> (embed)
    NOTE: phpgroupware-felamimail is only in etch
    - magpierss 0.72-3 (embed; bug #431089)

jquery
    - zekr <unfixed> (embed)
    - wordpress <unfixed> (embed)
    - yocto-reader <unfixed> (embed)
    - textpattern <unfixed> (embed)
    - genshi <unfixed> (embed)
    NOTE: compressed file under examples/ dir
    - prewikka <unfixed> (embed)
    - libramaze-ruby <unfixed> (embed)
    - drupal5 <unfixed> (embed)
    - b2evolution <unfixed> (embed)

kses
    - wordpress <unfixed> (embed; bug #504242)
    NOTE: their copy has all methods renamed to wp_<foo>
    - moodle <unfixed> (embed)
    - egroupware-core <unfixed> (embed)

magpierss
    - wordpress <unfixed> (embed; bug #504242)

php-gettext
    - wordpress <unfixed> (embed; bug #504242)

libphp-ixr (name may change, it is the Incutio XML-RPC)
    - wordpress <unfixed> (embed; bug #504242)
    - dokuwiki <unfixed> (embed)
    - textpattern <unfixed> (embed)

domxml-php4-to-php5.php
    - glpi <unfixed> (embed)
    - moodle <unfixed> (embed; bug #496069)

scriptaculous
    - glpi <unfixed> (embed)
    - libaws-doc <unfixed> (embed)
    - op-panel <unfixed> (embed)
    - symfony <unfixed> (embed)
    NOTE: maintainer says there are extra incompatible changes required
    - pixelpost <unfixed> (embed)
    - python-webhelpers <unfixed> (embed)
    - qwik <unfixed> (embed)
    - smokeping <unfixed> (embed)
    - turba2 <unfixed> (embed)
    - typo3-src <unfixed> (embed)

libmarkdown-php
    - moodle <unfixed> (embed)
    - pixelpost <unfixed> (embed)

php-openid
    - wordpress-openid <itp> (embed)
