
Contents of /data/embedded-code-copies


Revision 7830
Fri Jan 4 18:01:23 2008 UTC (5 years, 4 months ago) by nion
File size: 8014 byte(s)
further conversions
Embedded code copies
====================

This file collects cases where a source package embeds code from
other projects, which is considered bad for fixing security flaws
because the fix needs to be applied in multiple source packages.

Format:
<srcpkg> (<optional comment about srcpkg>)
    - <embedding srcpkg> <status> (<sort>; bug #<number>)
    NOTE: optional comments about the linkage of the embedding srcpkg

status: version number fixing the embedded copy, <unfixed>, <removed> or <unknown> if the version number cannot be determined
sort: static (linking statically against a lib)
      embed (embedding a copy of the library into another source package)
      fork (the package is not just embedding code but it is a fork and thus might share parts of the source code)

The srcpkg might be some string to identify the code if there is no specific source package.

xpdf (some srcpkgs use xpdf2 code, some xpdf3 code)
    NOTE: Fixed packages link to poppler library unless otherwise noted
    - gpdf <removed>
    [sarge] - gpdf <unfixed>
    NOTE: has been replaced by evince in etch
    - pdftohtml <unknown>
    [sarge] - pdftohtml <unfixed>
    [etch] - pdftohtml <unfixed>
    NOTE: has been replaced by poppler-utils
    - kdegraphics <unfixed> (embed; bug #436164)
    NOTE: the kpdf replacement in KDE 4 is using poppler
    - tetex-bin 3.0-12 (embed)
    - texlive-bin 2007-1 (embed)
    NOTE: links to poppler
    - koffice <unfixed> (embed; bug #436163)
    - libextractor 0.5.12-1 (embed)
    NOTE: libextractor is using its own pdf decoder now
    - libextractor 0.5.12-1 (embed)
    - pdfkit.framework 0.8-4 (embed)
    - ipe <unfixed> (embed)
    NOTE: embeds small parts with renamed source files: ipestdfonts.cpp, ipefonts.cpp, ipedct.cpp
    - ruby-gnome2 <unknown> (embed)
    NOTE: copy only present in source but links to poppler

ppmd
    - libcomplearn-mod-ppmd <unfixed> (embed; bug #458152)

silc-toolkit
    - silc-client 1.1~beta6-1 (embed)

dietlibc
    - ccontrol 0.9.1+20071204-1 (static)

libiax
    - iaxmodem <unfixed> (embed)

zlib (lots of apps embed a copy, but link dynamically, but there are a few exceptions)
    - dpkg <unfixed> (embed)
    NOTE: see 18196.48620.491996.624772@davenant.relativity.greenend.org.uk on debian-devel for discussion
    - rsync <unfixed> (embed)
    NOTE: somehow derived code base
    - mono <unfixed> (embed)
    TODO: check mozilla
    - Linux kernels <unfixed> (embed)
    - pvpgn 1.7.8-2 (embed)
    - mrtg 2.12.2-1 (embed)
    - rpm <unknown> (embed)
    NOTE: pinged joeyh since when rpm was fixed

libbz2
    - dpkg <unfixed> (static)

ekg
    - centericq <unfixed> (embed)
    - gaim <unfixed> (embed)
    - pidgin <unfixed> (embed)(links dynamically against libgadu)
    - kopete 4:3.3.2-5 (embed)
    - kadu <unfixed> (embed)
    - gadu <unfixed> (embed)
    NOTE: g/kadu not packaged in Debian yet

xmlrpc (which package is the "origin" of this code?)
    - drupal <unfixed> (embed)
    - phpgroupware <unfixed> (embed)
    - egroupware <unfixed> (embed)
    - phpwiki (embed)
    - php4 <unfixed> (embed)
    TODO: check, php-pear, IIRC this was reorganized some weeks ago?

shtool (affects build-time only)
    - mysql-ocaml <unfixed> (embed)
    - php4 <unfixed> (embed)

mozilla source code
    - mozilla-firefox <unfixed> (embed)
    - mozilla-thunderbird
    - firefox <removed>
    [etch] - firefox <unfixed> (embed)
    - thunderbird <removed>
    [etch] - thunderbird <unfixed> (embed)
    - iceweasel <unfixed> (embed)
    - iceape <unfixed> (embed)
    - icedove <unfixed> (embed)
    - xulrunner <unfixed> (embed)
    - nvu <removed> (embed)

xli
    - xloadimage <unfixed> (embed)

lesstif (beware: two different lesstif APIs supported in one package, MOTIF 1.2 discarded upstream)
    - openmotif <unfixed> (embed)
    - xfree86/xorg <unfixed> (embed)
    NOTE: in libxpm

kerberized apps with BSD origin
    - krb4 <unfixed> (embed)
    - krb5 <unfixed> (embed)
    - heimdal <unfixed> (embed)

grip (which pkg is the origin?)
    - libcdaudio
    - grip
    - gnome-vfs
    TODO: check vfs2 as well

fudforum
    - phpgroupware-fudforum <unfixed> (embed)
    - egroupware-fudforum <removed>
    [sarge] - egroupware-fudforum <unfixed> (embed)

cvs
    - gcvs <unfixed> (embed)
    NOTE: see cvsunix/src in tarball

pcre
    - python* <unfixed> (embed)
    - php4 <unknown> (embed)
    - analog 2:5.23-0woody1 (embed)
    - libgoffice-1 <unfixed> (embed)
    - vfu 4.06-4.1 (embed; bug #450754)
    - tf5 5.0beta7-1 (embed)
    - monotone <unfixed> (embed)
    NOTE: this only affects versions >= 0.37
    - glib <unfixed> (embed)
    NOTE: 2.14 series for gregex support, only for udeb, regular package links dynamic
    - apache2 2.0.53-4 (embed)
    - exim4 4.10-0.srh20.12 (embed)
    - yacas <unfixed> (embed)
    NOTE: <= 1.0.x; is using pcre to scan text, can execute shell commands via the syntax anyway
    - gtamsanalyzer.app 0.42-5 (embed)

tiff
    - wxpythongtk <unfixed> (embed)
    TODO: check, which debian pkg this is in

uudeview
    - libconvert-uulib-perl <unfixed> (embed)

sqlite (not affected by security vulnerabilities so far)
    - amarok <unfixed> (embed)
    - monotone <unfixed> (embed)
    - iceweasel <unfixed> (embed)

util-linux/mount
    - loop-aes-utils <unfixed> (embed)
    NOTE: contains code from util-linux' mount in the mount-aes-udeb

webmin
    - usermin <unknown> (embed)
    [sarge] - usermin <unfixed> (embed)

sylpheed
    - sylpheed-claws <unfixed> (fork)

phpsysinfo
    - egroupware <unfixed> (embed)
    - phpgroupware <unfixed> (embed)

phpldapadmin
    - [sarge] egroupware <unfixed> (embed)
    NOTE: removed from egroupware after sarge

chmlib
    - kchmviewer <unknown> (embed)

libavcodec/libavformat (source: ffmpeg)
    - mplayer <unfixed> (embed; bug #395252)
    - xvidcap <unfixed> (embed)
    - kino <unfixed> (static)
    - vlc <unfixed> (static)
    - smilutils <unfixed> (static)
    - motion <unfixed> (static)
    - gst-ffmpeg <unfixed> (embed)
    - gstreamer0.10-ffmpeg <unfixed> (embed)
    - xmovie <unfixed>

mad MPEG decoding lib
    - mad <unfixed> (embed)
    - xine-lib <unfixed> (embed)

libdts:
    libdts
    xine-lib

flac:
    flac
    xine-lib

liba52:
    a52dec
    xine-lib

libmpeg2:
    mpeg2dec
    xine-lib

curl:
    wget (code for NTLM authentication)

TODO evaluate:
    gimp-gap (potentially using ffmpeg code as well)

uw-imap:
    pine
    alpine

imagemagick:
    graphicsmagick

halibut:
    nsis

libghttp:
    hotway

libsndfile:
    ardour

glibmm2.4:
    ardour

libgnomecanvasmm2.6:
    ardour

libsigc++-2.0:
    ardour

soundtouch:
    ardour

libmms:
    xine-lib
    mimms

FCKeditor: (packaged as fckeditor)
    knowledgeroot
    moin (452599)
    karrigell (452598)
    gforge-plugins-extra (fixed since 4.6.99+svn6225-1)

Moodle contains lots of things:
    AdoDB
    AdoDB-XML Schema
    ipatlas
    PHPMailer
    Smarty
    htmlArea
    TinyMCE
    bennu

TinyMCE:
    wordpress
    moodle
    knowledgeroot
    joomla (ITP)

scintilla:
    scite
    qscintilla
    qscintilla2
    geany

libphp-adodb:
    gallery2
    phppgadmin
    egroupware
    phpwiki
    ipplan
    typo3
    moodle
    cacti (dependency exists, but internal version is used -- only in sarge, fixed in etch)

gzip:
    linux-kernel (lib/inflate.c)
    klibc (based on linux-kernel gzip code)
    busybox

neon:
    cadaver (all, but being worked on: #188381)
    gnome-vfs2 (#395874)
    litmus (#395875)
    screem (sarge only)
    sitecopy (#395876)
    tla (etch/sid only: #395877)

libmodplug:
    gst-plugins-bad0.10

libvncserver:
    vino

putty:
    filezilla

tinyxml (not packaged in Debian):
    filezilla

gv:
    evince (ps/ tree from gv 3.5.8)
    evince-gtk (not packaged in Debian)

libXbae:
    libpawlib2-lesstif package (from Cernlib)

libXaw:
    libpawlib2-lesstif package (from Cernlib)

(I plan to deal with the above two cases after Etch release. -- KevinMcCarty)

libgd2:
    graphviz (lib/gd seems to be 2.0.33)

rar:
    unrar-nonfree

unrar-free: (maybe this code is derived from the original rar, too?)
    clamav (seems to be disabled in default config)

mplayer (DirectMedia Object loader):
    xine-lib (src/libw32dll/)
    vlc (modules/codec/dmo/)

libwpd (WordPerfect converter):
    openoffice.org

fsplib (http://sourceforge.net/projects/fsp/):
    gftp (lib/fsplib version 0.3)

librpcsecgss:
    krb5

jasper:
    ghostscript
    gs-gpl

libidn:
    monotone

liblua:
    monotone

libbotan:
    monotone

NetXX:
    monotone

libgc:
    mono

lzma:
    p7zip

lzo:
    grub2

pax code:
    tar
    cpio

t1lib:
    tetex-bin (links to system t1lib since 2.0.2)
    texlive-bin (links to system t1lib)
