/[secure-testing]/data/embedded-code-copies

Contents of /data/embedded-code-copies


Revision 7828 - (show annotations) (download)
Fri Jan 4 15:00:17 2008 UTC (5 years, 4 months ago) by nion
File size: 7940 byte(s)
adding the fork sort and adjusting sylpheed

Embedded code copies
====================

This file collects cases where a source package embeds code from
other projects, which is considered bad for fixing security flaws
because the fix needs to be applied in multiple source packages.

Format:
<srcpkg> (<optional comment about srcpkg>)
        - <embedding srcpkg> <status> (<sort>; bug #<number>)
        NOTE: optional comments about the linkage of the embedding srcpkg

status: version number fixing the embedded copy, <unfixed>, <removed> or <unknown> if the version number cannot be determined
sort:   static (linking statically against a lib)
        embed (embedding a copy of the library into another source package)
        fork (the package is not just embedding code but it is a fork and thus might share parts of the source code)

The srcpkg might be some string to identify the code if there is no specific source package.

xpdf (some srcpkgs use xpdf2 code, some xpdf3 code)
        NOTE: Fixed packages link to poppler library unless otherwise noted
        - gpdf <removed>
        [sarge] - gpdf <unfixed>
        NOTE: has been replaced by evince in etch
        - pdftohtml <unknown>
        [sarge] - pdftohtml <unfixed>
        [etch] - pdftohtml <unfixed>
        NOTE: has been replaced by poppler-utils
        - kdegraphics <unfixed> (embed; bug #436164)
        NOTE: the kpdf replacement in KDE 4 is using poppler
        - tetex-bin 3.0-12 (embed)
        - texlive-bin 2007-1 (embed)
        NOTE: links to poppler
        - koffice <unfixed> (embed; bug #436163)
        - libextractor 0.5.12-1 (embed)
        NOTE: libextractor is using its own pdf decoder now
        - libextractor 0.5.12-1 (embed)
        - pdfkit.framework 0.8-4 (embed)
        - ipe <unfixed> (embed)
        NOTE: embeds small parts with renamed source files: ipestdfonts.cpp, ipefonts.cpp, ipedct.cpp
        - ruby-gnome2 <unknown> (embed)
        NOTE: copy only present in source but links to poppler

ppmd
        - libcomplearn-mod-ppmd <unfixed> (embed; bug #458152)

silc-toolkit
        - silc-client 1.1~beta6-1 (embed)

dietlibc
        - ccontrol 0.9.1+20071204-1 (static)

libiax
        - iaxmodem <unfixed> (embed)

zlib (lots of apps embed a copy, but link dynamically, but there are a few exceptions)
        - dpkg <unfixed> (embed)
        NOTE: see 18196.48620.491996.624772@davenant.relativity.greenend.org.uk on debian-devel for discussion
        - rsync <unfixed> (embed)
        NOTE: somehow derived code base
        - mono <unfixed> (embed)
        TODO: check mozilla
        - Linux kernels <unfixed> (embed)
        - pvpgn 1.7.8-2 (embed)
        - mrtg 2.12.2-1 (embed)
        - rpm <unknown> (embed)
        NOTE: pinged joeyh since when rpm was fixed

libbz2
        - dpkg <unfixed> (static)

ekg
        - centericq <unfixed> (embed)
        - gaim <unfixed> (embed)
        - pidgin <unfixed> (embed) (links dynamically against libgadu)
        - kopete 4:3.3.2-5 (embed)
        - kadu <unfixed> (embed)
        - gadu <unfixed> (embed)
        NOTE: g/kadu not packaged in Debian yet

xmlrpc (which package is the "origin" of this code?)
        - drupal <unfixed> (embed)
        - phpgroupware <unfixed> (embed)
        - egroupware <unfixed> (embed)
        - phpwiki (embed)
        - php4 <unfixed> (embed)
        TODO: check, php-pear, IIRC this was reorganized some weeks ago?

shtool (affects build-time only)
        - mysql-ocaml <unfixed> (embed)
        - php4 <unfixed> (embed)

mozilla source code
        - mozilla-firefox <unfixed> (embed)
        - mozilla-thunderbird
        - firefox <removed>
        [etch] - firefox <unfixed> (embed)
        - thunderbird <removed>
        [etch] - thunderbird <unfixed> (embed)
        - iceweasel <unfixed> (embed)
        - iceape <unfixed> (embed)
        - icedove <unfixed> (embed)
        - xulrunner <unfixed> (embed)
        - nvu <removed> (embed)

xli
        - xloadimage <unfixed> (embed)

lesstif (beware: two different lesstif APIs supported in one package, MOTIF 1.2 discarded upstream)
        - openmotif <unfixed> (embed)
        - xfree86/xorg <unfixed> (embed)
        NOTE: in libxpm

kerberized apps with BSD origin
        - krb4 <unfixed> (embed)
        - krb5 <unfixed> (embed)
        - heimdal <unfixed> (embed)

grip (which pkg is the origin?)
        - libcdaudio
        - grip
        - gnome-vfs
        TODO: check vfs2 as well

fudforum
        - phpgroupware-fudforum <unfixed> (embed)
        - egroupware-fudforum <removed>
        [sarge] - egroupware-fudforum <unfixed> (embed)

cvs
        - gcvs <unfixed> (embed)
        NOTE: see cvsunix/src in tarball

pcre
        - python* <unfixed> (embed)
        - php4 <unknown> (embed)
        - analog 2:5.23-0woody1 (embed)
        - libgoffice-1 <unfixed> (embed)
        - vfu 4.06-4.1 (embed; bug #450754)
        - tf5 5.0beta7-1 (embed)
        - monotone <unfixed> (embed)
        NOTE: this only affects versions >= 0.37
        - glib <unfixed> (embed)
        NOTE: 2.14 series for gregex support, only for udeb, regular package links dynamically
        - apache2 2.0.53-4 (embed)
        - exim4 4.10-0.srh20.12 (embed)
        - yacas <unfixed> (embed)
        NOTE: <= 1.0.x; is using pcre to scan text, can execute shell commands via the syntax anyway
        - gtamsanalyzer.app 0.42-5 (embed)

tiff
        - wxpythongtk <unfixed> (embed)
        TODO: check, which debian pkg this is in

uudeview
        - libconvert-uulib-perl <unfixed> (embed)

sqlite (not affected by security vulnerabilities so far)
        - amarok <unfixed> (embed)
        - monotone <unfixed> (embed)
        - iceweasel <unfixed> (embed)

util-linux/mount
        - loop-aes-utils <unfixed> (embed)
        NOTE: contains code from util-linux' mount in the mount-aes-udeb

webmin
        - usermin <unknown> (embed)
        [sarge] - usermin <unfixed> (embed)

sylpheed
        - sylpheed-claws <unfixed> (fork)

phpsysinfo
        - egroupware <unfixed> (embed)
        - phpgroupware <unfixed> (embed)

phpldapadmin:
        egroupware (removed from egroupware after sarge)

chmlib:
        kchmviewer (ships the code but links dynamically)

libavcodec/libavformat (source: ffmpeg):
        mplayer (#395252)
        xvidcap
        kino (links statically, does not include code)
        vlc (links statically, does not include code)
        smilutils (links statically, does not include code)
        motion (links statically, does not include code)
        gst-ffmpeg
        gstreamer0.10-ffmpeg
        xmovie

mad MPEG decoding lib:
        mad
        xine-lib

libdts:
        libdts
        xine-lib

flac:
        flac
        xine-lib

liba52:
        a52dec
        xine-lib

libmpeg2:
        mpeg2dec
        xine-lib

curl:
        wget (code for NTLM authentication)

TODO evaluate:
        gimp-gap (potentially using ffmpeg code as well)

uw-imap:
        pine
        alpine

imagemagick:
        graphicsmagick

halibut:
        nsis

libghttp:
        hotway

libsndfile:
        ardour

glibmm2.4:
        ardour

libgnomecanvasmm2.6:
        ardour

libsigc++-2.0:
        ardour

soundtouch:
        ardour

libmms:
        xine-lib
        mimms

FCKeditor: (packaged as fckeditor)
        knowledgeroot
        moin (452599)
        karrigell (452598)
        gforge-plugins-extra (fixed since 4.6.99+svn6225-1)

Moodle contains lots of things:
        AdoDB
        AdoDB-XML Schema
        ipatlas
        PHPMailer
        Smarty
        htmlArea
        TinyMCE
        bennu

TinyMCE:
        wordpress
        moodle
        knowledgeroot
        joomla (ITP)

scintilla:
        scite
        qscintilla
        qscintilla2
        geany

libphp-adodb:
        gallery2
        phppgadmin
        egroupware
        phpwiki
        ipplan
        typo3
        moodle
        cacti (dependency exists, but internal version is used -- only in sarge, fixed in etch)

gzip:
        linux-kernel (lib/inflate.c)
        klibc (based on linux-kernel gzip code)
        busybox

neon:
        cadaver (all, but being worked on: #188381)
        gnome-vfs2 (#395874)
        litmus (#395875)
        screem (sarge only)
        sitecopy (#395876)
        tla (etch/sid only: #395877)

libmodplug:
        gst-plugins-bad0.10

libvncserver:
        vino

putty:
        filezilla

tinyxml (not packaged in Debian):
        filezilla

gv:
        evince (ps/ tree from gv 3.5.8)
        evince-gtk (not packaged in Debian)

libXbae:
        libpawlib2-lesstif package (from Cernlib)

libXaw:
        libpawlib2-lesstif package (from Cernlib)

(I plan to deal with the above two cases after Etch release. -- KevinMcCarty)

libgd2:
        graphviz (lib/gd seems to be 2.0.33)

rar:
        unrar-nonfree

unrar-free: (maybe this code is derived from the original rar, too?)
        clamav (seems to be disabled in default config)

mplayer (DirectMedia Object loader):
        xine-lib (src/libw32dll/)
        vlc (modules/codec/dmo/)

libwpd (WordPerfect converter):
        openoffice.org

fsplib (http://sourceforge.net/projects/fsp/):
        gftp (lib/fsplib version 0.3)

librpcsecgss:
        krb5

jasper:
        ghostscript
        gs-gpl

libidn:
        monotone

liblua:
        monotone

libbotan:
        monotone

NetXX:
        monotone

libgc:
        mono

lzma:
        p7zip

lzo:
        grub2

pax code:
        tar
        cpio

t1lib:
        tetex-bin (links to system t1lib since 2.0.2)
        texlive-bin (links to system t1lib)
