Embedded code copies
====================

This file collects cases, where a source package embeds code from
other projects which is considered bad for fixing security flaws
because the fix needs to be applied in multiple source packages.

Format:
<srcpkg> (<optional comment about srcpkg>)
	- <embedding srcpkg> <status> (<sort>; bug #<number>)
	NOTE: optional comments about the linkage of the embedding srcpkg

status: version number fixing the embedded copy, <unfixed>, <removed> or <unknown> if the version number can not be determined
sort: static (linking statically against a lib)
      embed (embedding a copy of the library into another source package)
      fork (the package is not just embedding code but it is a fork and thus might share parts of the source code)

The srcpkg might be some string to identify the code if there is no specific source package.

xpdf (some srcpkgs use xpdf2 code, some xpdf3 code)
	NOTE: Fixed packages link to poppler library unless otherwise noted
	- gpdf <removed>
	[sarge] - gpdf <unfixed>
	NOTE: has been replaced by evince in etch
	- pdftohtml <unknown>
	[sarge] - pdftohtml <unfixed>
	[etch] - pdftohtml <unfixed>
	NOTE: has been replaced by poppler-utils
	- kdegraphics <unfixed> (embed; bug #436164)
	NOTE: the kpdf replacement in KDE 4 is using poppler
	- tetex-bin 3.0-12 (embed)
	- texlive-bin 2007-1 (embed)
	NOTE: links to poppler
	- koffice <unfixed> (embed; bug #436163)
	- libextractor 0.5.12-1 (embed)
	NOTE: libextractor is using its own pdf decoder now
	- libextractor 0.5.12-1 (embed)
	- pdfkit.framework 0.8-4 (embed)
	- ipe <unfixed> (embed)
	NOTE: embeds small parts with renamed source files: ipestdfonts.cpp, ipefonts.cpp, ipedct.cpp
	- ruby-gnome2 <unknown> (embed)
	NOTE: copy only present in source but links to poppler

ppmd
	- libcomplearn-mod-ppmd <unfixed> (embed; bug #458152)

silc-toolkit
	- silc-client 1.1~beta6-1 (embed)

dietlibc
	- ccontrol 0.9.1+20071204-1 (static)

libiax
	- iaxmodem <unfixed> (embed)

zlib (lots of apps embed a copy, but link dynamically, but there are a few exceptions)
	- dpkg <unfixed> (embed)
	NOTE: see 18196.48620.491996.624772@davenant.relativity.greenend.org.uk on debian-devel for discussion
	- rsync <unfixed> (embed)
	NOTE: somehow derived code base
	- mono <unfixed> (embed)
	TODO: check mozilla
	- Linux kernels <unfixed> (embed)
	- pvpgn 1.7.8-2 (embed)
	- mrtg 2.12.2-1 (embed)
	- rpm <unknown> (embed)
	NOTE: pinged joeyh since when rpm was fixed

libbz2
	- dpkg <unfixed> (static)

ekg
	- centericq <unfixed> (embed)
	- gaim <unfixed> (embed)
	- pigdin <unfixed> (embed)(links dynamically against libgadu)
	- kopete 4:3.3.2-5 (embed)
	- kadu <unfixed> (embed)
	- gadu <unfixed> (embed)
	NOTE: g/kadu not packaged in Debian yet

xmlrpc (which package is the "origin" of this code?)
	- drupal <unfixed> (embed)
	- phpgroupware <unfixed> (embed)
	- egroupware <unfixed> (embed)
	- phpwiki (embed)
	- php4 <unfixed> (embed)
	TODO: check, php-pear, IIRC this was reorganized some weeks ago?

shtool (affects build-time only)
	- mysql-ocaml <unfixed> (embed)
	- php4 <unfixed> (embed)

mozilla source code
	- mozilla-firefox <unfixed> (embed)
	- mozilla-thunderbird
	- firefox <removed>
	[etch] - firefox <unfixed> (embed)
	- thunderbird <removed>
	[etch] - thunderbird <unfixed> (embed)
	- iceweasel <unfixed> (embed)
	- iceape <unfixed> (embed)
	- icedove <unfixed> (embed)
	- xulrunner <unfixed> (embed)
	- nvu <removed> (embed)

xli
	- xloadimage <unfixed> (embed)

lesstif (beware: two different lesstif APIs supported in one package, MOTIF 1.2 discarded upstream)
	- openmotif <unfixed> (embed)
	- xfree86/xorg <unfixed> (embed)
	NOTE: in libxpm

kerberized apps with BSD origin
	- krb4 <unfixed> (embed)
	- krb5 <unfixed> (embed)
	- heimdal <unfixed> (embed)

grip (which pkg is the origin?)
	- libcdaudio
	- grip
	- gnome-vfs
	TODO: check vfs2 as well

fudforum
	- phpgroupware-fudforum <unfixed> (embed)
	- egroupware-fudforum <removed>
	[sarge] - egroupware-fudforum <unfixed> (embed)

cvs
	- gcvs <unfixed> (embed)
	NOTE: see cvsunix/src in tarball

pcre
	- python* <unfixed> (embed)
	- php4 <unknown> (embed)
	- analog 2:5.23-0woody1 (embed)
	- libgoffice-1 <unfixed> (embed)
	- vfu 4.06-4.1 (embed; bug #450754)
	- tf5 5.0beta7-1 (embed)
	- monotone <unfixed> (embed)
	NOTE: this only affects versions >= 0.37
	- glib <unfixed> (embed)
	NOTE: 2.14 series for gregex support, only for udeb, regular packag links dynamic
	- apache2 2.0.53-4 (embed)
	- exim4 4.10-0.srh20.12 (embed)
	- yacas <unfixed> (embed)
	NOTE: <= 1.0.x; is using pcre to scan text, can execute shell commands via the syntax anyway
	- gtamsanalyzer.app 0.42-5 (embed)

tiff
	- wxpythongtk <unfixed> (embed)
	TODO: check, which debian pkg this is in

uudeview
	- libconvert-uulib-perl <unfixed> (embed)

sqlite (not affected by security vulnerabilities so far)
	- amarok <unfixed> (embed)
	- monotone <unfixed> (embed)
	- iceweasel <unfixed> (embed)

util-linux/mount
	- loop-aes-utils <unfixed> (embed)
	NOTE: contains code from util-linux' mount in the mount-aes-udeb

webmin
	- usermin <unknown> (embed)
	[sarge] - usermin <unfixed> (embed)

sylpheed
	- sylpheed-claws <unfixed> (fork)

phpsysinfo
	- egroupware <unfixed> (embed)
	- phpgroupware <unfixed> (embed)

phpldapadmin
	- [sarge] egroupware <unfixed> (embed)
	NOTE: removed from egroupware after sarge

chmlib
	- kchmviewer <unknown> (embed)

libavcodec/libavformat (source: ffmpeg)
	- mplayer <unfixed> (embed; bug #395252)
	- xvidcap <unfixed> (embed)
	- kino <unfixed> (static)
	- vlc <unfixed> (static)
	- smilutils <unfixed> (static)
	- motion <unfixed> (static)
	- gst-ffmpeg <unfixed> (embed)
	- gstreamer0.10-ffmpeg <unfixed> (embed)
	- xmovie <unfixed>

mad MPEG decoding lib
	- mad <unfixed> (embed)
	- xine-lib <unfixed> (embed)

libdts:
libdts
xine-lib

flac:
flac
xine-lib

liba52:
a52dec
xine-lib

libmpeg2:
mpeg2dec
xine-lib

curl:
wget (code for NTLM authentication)

TODO evaluate:
gimp-gap (potentially using ffmpeg code as well)

uw-imap:
pine
alpine

imagemagick:
graphicsmagick

halibut:
nsis

libghttp:
hotway

libsndfile:
ardour

glibmm2.4:
ardour

libgnomecanvasmm2.6:
ardour

libsigc++-2.0:
ardour

soundtouch:
ardour

libmms:
xine-lib
mimms

FCKeditor: (packaged as fckeditor)
knowledgeroot
moin (452599)
karrigell (452598)
gforge-plugins-extra (fixed since 4.6.99+svn6225-1)



Moodle contains lots of things:
AdoDB
AdoDB-XML Schema
ipatlas
PHPMailer
Smarty
htmlArea
TinyMCE
bennu

TinyMCE:
wordpress
moodle
knowledgeroot
joomla (ITP)

scintilla:
scite
qscintilla 
qscintilla2 
geany

libphp-adodb:
gallery2
phppgadmin
egroupware
phpwiki
ipplan
typo3
moodle
cacti (dependency exists, but internal version is used -- only in sarge, fixed in etch)

gzip:
linux-kernel (lib/inflate.c)
klibc (based on linux-kernel gzip code)
busybox

neon:
cadaver (all, but being worked on: #188381)
gnome-vfs2 (#395874)
litmus (#395875)
screem (sarge only)
sitecopy (#395876)
tla (etch/sid only: #395877)

libmodplug:
gst-plugins-bad0.10

libvncserver:
vino

putty:
filezilla

tinyxml (not packaged in Debian):
filezilla

gv:
evince (ps/ tree from gv 3.5.8)
evince-gtk (not packaged in Debian)

libXbae:
libpawlib2-lesstif package (from Cernlib)

libXaw:
libpawlib2-lesstif package (from Cernlib)

(I plan to deal with the above two cases after Etch release. -- KevinMcCarty)

libgd2:
graphviz (lib/gd seems to be 2.0.33)

rar:
unrar-nonfree

unrar-free: (maybe this code is derived from the original rar, too?)
clamav (seems to be disabled in default config)

mplayer (DirectMedia Object loader):
xine-lib (src/libw32dll/)
vlc (modules/codec/dmo/)

libwpd (WordPerfect converter):
openoffice.org

fsplib (http://sourceforge.net/projects/fsp/):
gftp (lib/fsplib version 0.3)

librpcsecgss:
krb5

jasper:
ghostscript
gs-gpl

libidn:
monotone

liblua:
monotone

libbotan:
montone

NetXX:
monotone

libgc:
mono

lzma:
p7zip

lzo:
grub2

pax code:
tar
cpio

t1lib:
tetex-bin (links to system t1lib since 2.0.2)
texlive-bin (links to system t1lib)