Contents of /data/embedded-code-copies


Revision 7788
Wed Jan 2 20:34:18 2008 UTC (5 years, 4 months ago) by nion
File size: 7324 byte(s)
more work on code copies
1 Embedded code copies
2 ====================
3
4 This file collects cases where a source package embeds code from
5 other projects, which is considered bad for fixing security flaws
6 because the fix needs to be applied in multiple source packages.
7
8 Format:
9 <srcpkg> (<optional comment about srcpkg>)
10 - <embedding srcpkg> <status> (<sort>; bug #<number>)
11 NOTE: optional comments about the linkage of the embedding srcpkg
12
13 status: version number fixing the embedded copy, <unfixed>, <removed> or <unknown> if the version number cannot be determined
14 sort: static (linking statically against a lib), embed (embedding a copy of the library into another source package)
15 The srcpkg might be some string to identify the code if there is no specific source package.
16
17 xpdf (some srcpkgs use xpdf2 code, some xpdf3 code)
18 NOTE: Fixed packages link to poppler library unless otherwise noted
19 - gpdf <removed>
20 [sarge] - gpdf <unfixed>
21 NOTE: has been replaced by evince in etch
22 - pdftohtml <unknown>
23 [sarge] - pdftohtml <unfixed>
24 [etch] - pdftohtml <unfixed>
25 NOTE: has been replaced by poppler-utils
26 - kdegraphics <unfixed> (embed; bug #436164)
27 NOTE: the kpdf replacement in KDE 4 is using poppler
28 - tetex-bin 3.0-12 (embed)
29 - texlive-bin 2007-1 (embed)
30 NOTE: links to poppler
31 - koffice <unfixed> (embed; bug #436163)
32 - libextractor 0.5.12-1 (embed)
33 NOTE: libextractor is using its own pdf decoder now
34 - libextractor 0.5.12-1 (embed)
35 - pdfkit.framework 0.8-4 (embed)
36 - ipe <unfixed> (embed)
37 NOTE: embeds small parts with renamed source files: ipestdfonts.cpp, ipefonts.cpp, ipedct.cpp
38 - ruby-gnome2 <unknown> (embed)
39 NOTE: copy only present in source but links to poppler
40
41 ppmd:
42 - libcomplearn-mod-ppmd <unfixed> (embed; bug #458152)
43
44 silc-toolkit:
45 - silc-client 1.1~beta6-1 (embed)
46
47 dietlibc:
48 - ccontrol 0.9.1+20071204-1 (static)
49
50 libiax:
51 - iaxmodem <unfixed> (embed)
52
53 zlib (lots of apps embed a copy, but link dynamically, but there are a few exceptions)
54 - dpkg <unfixed> (embed)
55 NOTE: see 18196.48620.491996.624772@davenant.relativity.greenend.org.uk on debian-devel for discussion
56 - rsync <unfixed> (embed)
57 NOTE: somehow derived code base
58 - mono <unfixed> (embed)
59 TODO: check mozilla
60 - Linux kernels <unfixed> (embed)
61 - pvpgn 1.7.8-2 (embed)
62 - mrtg 2.12.2-1 (embed)
63 - rpm <unknown> (embed)
64 NOTE: pinged joeyh since when rpm was fixed
65
66 libbz2
67 - dpkg <unfixed> (static)
68
69 ekg
70 - centericq <unfixed> (embed)
71 - gaim <unfixed> (embed)
72 - pidgin <unfixed> (embed) (links dynamically against libgadu)
73 - kopete 4:3.3.2-5 (embed)
74 - kadu <unfixed> (embed)
75 - gadu <unfixed> (embed)
76 NOTE: g/kadu not packaged in Debian yet
77
78 xmlrpc: (which package is the "origin" of this code?)
79 - drupal <unfixed> (embed)
80 - phpgroupware <unfixed> (embed)
81 - egroupware <unfixed> (embed)
82 - phpwiki (embed)
83 - php4 <unfixed> (embed)
84 TODO: check, php-pear, IIRC this was reorganized some weeks ago?
85
86 shtool: (affects build-time only)
87 mysql-ocaml
88 php4
89
90 mozilla:
91 mozilla-firefox
92 mozilla-thunderbird
93 firefox (to be removed)
94 thunderbird (to be removed)
95 iceweasel
96 iceape
97 icedove
98 xulrunner
99 nvu (no longer in Debian)
100
101 xli:
102 xloadimage
103
104 lesstif: (beware: two different lesstif APIs supported in one package, MOTIF 1.2 discarded upstream)
105 openmotif
106 xfree86/xorg (in libxpm)
107
108 kerberized apps with BSD origin:
109 krb4
110 krb5
111 heimdal
112
113 grip: (which pkg is the origin?)
114 libcdaudio
115 grip
116 gnome-vfs (vfs2 as well?)
117
118 fudforum:
119 phpgroupware-fudforum
120 egroupware-fudforum (removed from egroupware after sarge)
121
122 cvs:
123 gcvs (at least an additional script is included, check if there's more)
124
125 pcre:
126 all pythons
127 php4 (src included, but Debian package links dynamically)
128 analog (src included, but Debian package links dynamically)
129 libgoffice-1
130 vfu (removed linking against embedded copy in 4.06-4.1; #450754)
131 tf5 (since 5.0beta7 the Debian package links dynamically)
132 monotone (including this starting from 0.37)
133 glib (2.14 series for gregex support, only for udeb, regular package links dynamically)
134 apache2 (since 2.0.53-4 uses 040_link_external_pcre patch)
135 exim4 (since 4.10-0.srh20.12 uses 36_pcre patch to use external pcre)
136 yacas (<= 1.0.x; is using pcre to scan text, can execute shell commands via the syntax anyway)
137 gtamsanalyzer.app (links dynamically since 0.42-5)
138
139 tiff:
140 wxpythongtk (check, which debian pkg this is in)
141 older kdegraphics/kpdf releases < 3.3 embedded a copy
142
143 uudeview:
144 libconvert-uulib-perl
145
146 sqlite: (not affected by security vulnerabilities so far)
147 amarok
148 monotone
149 iceweasel
150
151 util-linux/mount:
152 loop-aes-utils contains code from util-linux' mount in the mount-aes-udeb
153
154 webmin:
155 usermin (only in sarge)
156
157 sylpheed:
158 sylpheed-claws
159
160 phpsysinfo:
161 egroupware
162 phpgroupware
163
164 phpldapadmin:
165 egroupware (removed from egroupware after sarge)
166
167 chmlib:
168 kchmviewer (ships the code but links dynamically)
169
170 libavcodec/libavformat (source: ffmpeg):
171 mplayer (#395252)
172 xvidcap
173 kino (links statically, does not include code)
174 vlc (links statically, does not include code)
175 smilutils (links statically, does not include code)
176 motion (links statically, does not include code)
177 gst-ffmpeg
178 gstreamer0.10-ffmpeg
179 xmovie
180
181 mad MPEG decoding lib:
182 mad
183 xine-lib
184
185 libdts:
186 libdts
187 xine-lib
188
189 flac:
190 flac
191 xine-lib
192
193 liba52:
194 a52dec
195 xine-lib
196
197 libmpeg2:
198 mpeg2dec
199 xine-lib
200
201 curl:
202 wget (code for NTLM authentication)
203
204 TODO evaluate:
205 gimp-gap (potentially using ffmpeg code as well)
206
207 uw-imap:
208 pine
209 alpine
210
211 imagemagick:
212 graphicsmagick
213
214 halibut:
215 nsis
216
217 libghttp:
218 hotway
219
220 libsndfile:
221 ardour
222
223 glibmm2.4:
224 ardour
225
226 libgnomecanvasmm2.6:
227 ardour
228
229 libsigc++-2.0:
230 ardour
231
232 soundtouch:
233 ardour
234
235 libmms:
236 xine-lib
237 mimms
238
239 FCKeditor: (packaged as fckeditor)
240 knowledgeroot
241 moin (452599)
242 karrigell (452598)
243 gforge-plugins-extra (fixed since 4.6.99+svn6225-1)
244
245
246
247 Moodle contains lots of things:
248 AdoDB
249 AdoDB-XML Schema
250 ipatlas
251 PHPMailer
252 Smarty
253 htmlArea
254 TinyMCE
255 bennu
256
257 TinyMCE:
258 wordpress
259 moodle
260 knowledgeroot
261 joomla (ITP)
262
263 scintilla:
264 scite
265 qscintilla
266 qscintilla2
267 geany
268
269 libphp-adodb:
270 gallery2
271 phppgadmin
272 egroupware
273 phpwiki
274 ipplan
275 typo3
276 moodle
277 cacti (dependency exists, but internal version is used -- only in sarge, fixed in etch)
278
279 gzip:
280 linux-kernel (lib/inflate.c)
281 klibc (based on linux-kernel gzip code)
282 busybox
283
284 neon:
285 cadaver (all, but being worked on: #188381)
286 gnome-vfs2 (#395874)
287 litmus (#395875)
288 screem (sarge only)
289 sitecopy (#395876)
290 tla (etch/sid only: #395877)
291
292 libmodplug:
293 gst-plugins-bad0.10
294
295 libvncserver:
296 vino
297
298 putty:
299 filezilla
300
301 tinyxml (not packaged in Debian):
302 filezilla
303
304 gv:
305 evince (ps/ tree from gv 3.5.8)
306 evince-gtk (not packaged in Debian)
307
308 libXbae:
309 libpawlib2-lesstif package (from Cernlib)
310
311 libXaw:
312 libpawlib2-lesstif package (from Cernlib)
313
314 (I plan to deal with the above two cases after Etch release. -- KevinMcCarty)
315
316 libgd2:
317 graphviz (lib/gd seems to be 2.0.33)
318
319 rar:
320 unrar-nonfree
321
322 unrar-free: (maybe this code is derived from the original rar, too?)
323 clamav (seems to be disabled in default config)
324
325 mplayer (DirectMedia Object loader):
326 xine-lib (src/libw32dll/)
327 vlc (modules/codec/dmo/)
328
329 libwpd (WordPerfect converter):
330 openoffice.org
331
332 fsplib (http://sourceforge.net/projects/fsp/):
333 gftp (lib/fsplib version 0.3)
334
335 librpcsecgss:
336 krb5
337
338 jasper:
339 ghostscript
340 gs-gpl
341
342 libidn:
343 monotone
344
345 liblua:
346 monotone
347
348 libbotan:
349 monotone
350
351 NetXX:
352 monotone
353
354 libgc:
355 mono
356
357 lzma:
358 p7zip
359
360 lzo:
361 grub2
362
363 pax code:
364 tar
365 cpio
366
367 t1lib:
368 tetex-bin (links to system t1lib since 2.0.2)
369 texlive-bin (links to system t1lib)
370
