
Contents of /data/embedded-code-copies



Revision 7841
Sun Jan 6 16:13:03 2008 UTC (5 years, 4 months ago) by nion
File size: 9757 byte(s)
further conversions, mission accomplished
Embedded code copies
====================

This file collects cases where a source package embeds code from
other projects. This is considered bad for fixing security flaws,
because the fix needs to be applied in multiple source packages.

Format:
<srcpkg> (<optional comment about srcpkg>)
    - <embedding srcpkg> <status> (<sort>; bug #<number>)
    NOTE: optional comments about the linkage of the embedding srcpkg

status: version number fixing the embedded copy, <unfixed>, <removed>, <itp> or <unknown> if the version number cannot be determined
sort: static (linking statically against a lib)
      embed (embedding a copy of the library into another source package)
      fork (the package is not just embedding code but it is a fork and thus might share parts of the source code)

The srcpkg might be some string to identify the code if there is no specific source package.

xpdf (some srcpkgs use xpdf2 code, some xpdf3 code)
    NOTE: Fixed packages link to poppler library unless otherwise noted
    - gpdf <removed>
    [sarge] - gpdf <unfixed>
    NOTE: has been replaced by evince in etch
    - pdftohtml <unknown>
    [sarge] - pdftohtml <unfixed>
    [etch] - pdftohtml <unfixed>
    NOTE: has been replaced by poppler-utils
    - kdegraphics <unfixed> (embed; bug #436164)
    NOTE: the kpdf replacement in KDE 4 is using poppler
    - tetex-bin 3.0-12 (embed)
    - texlive-bin 2007-1 (embed)
    NOTE: links to poppler
    - koffice <unfixed> (embed; bug #436163)
    - libextractor 0.5.12-1 (embed)
    NOTE: libextractor is using its own pdf decoder now
    - libextractor 0.5.12-1 (embed)
    - pdfkit.framework 0.8-4 (embed)
    - ipe <unfixed> (embed)
    NOTE: embeds small parts with renamed source files: ipestdfonts.cpp, ipefonts.cpp, ipedct.cpp
    - ruby-gnome2 <unknown> (embed)
    NOTE: copy only present in source but links to poppler

ppmd
    - libcomplearn-mod-ppmd <unfixed> (embed; bug #458152)

silc-toolkit
    - silc-client 1.1~beta6-1 (embed)

dietlibc
    - ccontrol 0.9.1+20071204-1 (static)

libiax
    - iaxmodem <unfixed> (embed)

zlib (lots of apps embed a copy, but link dynamically, but there are a few exceptions)
    - dpkg <unfixed> (embed)
    NOTE: see 18196.48620.491996.624772@davenant.relativity.greenend.org.uk on debian-devel for discussion
    - rsync <unfixed> (embed)
    NOTE: somehow derived code base
    - mono <unfixed> (embed)
    TODO: check mozilla
    - Linux kernels <unfixed> (embed)
    - pvpgn 1.7.8-2 (embed)
    - mrtg 2.12.2-1 (embed)
    - rpm <unknown> (embed)
    NOTE: pinged anibal since when rpm was fixed

libbz2
    - dpkg <unfixed> (static)

ekg
    - centericq <unfixed> (embed)
    - gaim <unfixed> (embed)
    - pidgin <unfixed> (embed)(links dynamically against libgadu)
    - kopete 4:3.3.2-5 (embed)
    - kadu <unfixed> (embed)
    - gadu <unfixed> (embed)
    NOTE: g/kadu not packaged in Debian yet

xmlrpc (which package is the "origin" of this code?)
    - drupal <unfixed> (embed)
    - phpgroupware <unfixed> (embed)
    - egroupware <unfixed> (embed)
    - phpwiki (embed)
    - php4 <unfixed> (embed)
    TODO: check, php-pear, IIRC this was reorganized some weeks ago?

shtool (affects build-time only)
    - mysql-ocaml <unfixed> (embed)
    - php4 <unfixed> (embed)

mozilla source code
    - mozilla-firefox <unfixed> (embed)
    - mozilla-thunderbird
    - firefox <removed>
    [etch] - firefox <unfixed> (embed)
    - thunderbird <removed>
    [etch] - thunderbird <unfixed> (embed)
    - iceweasel <unfixed> (embed)
    - iceape <unfixed> (embed)
    - icedove <unfixed> (embed)
    - xulrunner <unfixed> (embed)
    - nvu <removed> (embed)

xli
    - xloadimage <unfixed> (embed)

lesstif (beware: two different lesstif APIs supported in one package, MOTIF 1.2 discarded upstream)
    - openmotif <unfixed> (embed)
    - xfree86/xorg <unfixed> (embed)
    NOTE: in libxpm

kerberized apps with BSD origin
    - krb4 <unfixed> (embed)
    - krb5 <unfixed> (embed)
    - heimdal <unfixed> (embed)

grip (which pkg is the origin?)
    - libcdaudio
    - grip
    - gnome-vfs
    TODO: check vfs2 as well

fudforum
    - phpgroupware-fudforum <unfixed> (embed)
    - egroupware-fudforum <removed>
    [sarge] - egroupware-fudforum <unfixed> (embed)

cvs
    - gcvs <unfixed> (embed)
    NOTE: see cvsunix/src in tarball

pcre
    - python* <unfixed> (embed)
    - php4 <unknown> (embed)
    - analog 2:5.23-0woody1 (embed)
    - libgoffice-1 <unfixed> (embed)
    - vfu 4.06-4.1 (embed; bug #450754)
    - tf5 5.0beta7-1 (embed)
    - monotone <unfixed> (embed)
    NOTE: this only affects versions >= 0.37
    - glib <unfixed> (embed)
    NOTE: 2.14 series for gregex support, only for udeb, regular package links dynamically
    - apache2 2.0.53-4 (embed)
    - exim4 4.10-0.srh20.12 (embed)
    - yacas <unfixed> (embed)
    NOTE: <= 1.0.x; is using pcre to scan text, can execute shell commands via the syntax anyway
    - gtamsanalyzer.app 0.42-5 (embed)

tiff
    - wxpythongtk <unfixed> (embed)
    TODO: check, which debian pkg this is in

uudeview
    - libconvert-uulib-perl <unfixed> (embed)

sqlite (not affected by security vulnerabilities so far)
    - amarok <unfixed> (embed)
    - monotone <unfixed> (embed)
    - iceweasel <unfixed> (embed)

util-linux/mount
    - loop-aes-utils <unfixed> (embed)
    NOTE: contains code from util-linux' mount in the mount-aes-udeb

webmin
    - usermin <unknown> (embed)
    [sarge] - usermin <unfixed> (embed)

sylpheed
    - sylpheed-claws <unfixed> (fork)

phpsysinfo
    - egroupware <unfixed> (embed)
    - phpgroupware <unfixed> (embed)

phpldapadmin
    - [sarge] egroupware <unfixed> (embed)
    NOTE: removed from egroupware after sarge

chmlib
    - kchmviewer <unknown> (embed)

libavcodec/libavformat (source: ffmpeg)
    - mplayer <unfixed> (embed; bug #395252)
    - xvidcap <unfixed> (embed)
    - kino <unfixed> (static)
    - vlc <unfixed> (static)
    - smilutils <unfixed> (static)
    - motion <unfixed> (static)
    - gst-ffmpeg <unfixed> (embed)
    - gstreamer0.10-ffmpeg <unfixed> (embed)
    - xmovie <unfixed>
    TODO: gimp-gap (potentially using ffmpeg code as well)

mad MPEG decoding lib
    - mad <unfixed> (embed)
    - xine-lib <unfixed> (embed)

libdts
    - xine-lib <unfixed> (embed)

flac
    - xine-lib <unfixed> (embed)

liba52
    - a52dec <unfixed> (embed)
    - xine-lib <unfixed> (embed)

libmpeg2
    - mpeg2dec <unfixed> (embed)
    - xine-lib <unfixed> (embed)

curl
    - wget <unfixed> (embed)
    NOTE: code for NTLM authentication

uw-imap
    - pine <unfixed> (embed)
    - alpine <unfixed> (embed)

imagemagick
    - graphicsmagick <unfixed> (fork)

halibut
    - nsis <unfixed> (embed)

libghttp
    - hotway <unfixed> (embed)

libsndfile
    - ardour <unfixed> (embed)

glibmm2.4
    - ardour <unfixed> (embed)

libgnomecanvasmm2.6
    - ardour <unfixed> (embed)

libsigc++-2.0
    - ardour <unfixed> (embed)

soundtouch
    - ardour <unfixed> (embed)

libmms
    - xine-lib <unfixed> (embed)
    - mimms <unfixed> (embed)

fckeditor
    - knowledgeroot <unfixed> (embed)
    - moin <unfixed> (embed; bug #452599)
    - karrigell <unfixed> (embed; bug #452598)
    - gforge-plugins-extra 4.6.99+svn6225-1 (embed)

libphp-adodb
    - moodle <unfixed> (embed)
    NOTE: also AdoDB-XML Schema

ipatlas (not packaged in Debian)
    - moodle <unfixed> (embed)

libphp-phpmailer
    - moodle <unfixed> (embed)

htmlArea (not packaged in Debian)
    - moodle <unfixed> (embed)

bennu (not packaged in Debian)
    - moodle <unfixed> (embed)

smarty:
    - moodle <unfixed> (embed)

TinyMCE
    - wordpress <unfixed> (embed)
    - moodle <unfixed> (embed)
    - knowledgeroot <unfixed> (embed)
    - joomla <itp> (bug #326398)

scintilla
    - scite <unfixed> (embed)
    - qscintilla <unfixed> (embed)
    - qscintilla2 <unfixed> (embed)
    - geany <unfixed> (embed)

libphp-adodb
    - gallery2 <unfixed> (embed)
    - phppgadmin <unfixed> (embed)
    - egroupware <unfixed> (embed)
    - phpwiki <unfixed> (embed)
    - ipplan <unfixed> (embed)
    - typo3 <unfixed> (embed)
    - moodle <unfixed> (embed)
    - cacti <unknown> (embed)
    [sarge] - cacti <unfixed> (embed)
    NOTE: dependency exists, but internal version is used

gzip
    - linux-kernel <unfixed> (embed)
    NOTE: lib/inflate.c
    - klibc <unfixed> (embed)
    NOTE: based on linux-kernel gzip code
    - busybox <unfixed> (embed)

neon
    - cadaver <unfixed> (embed; bug #188381)
    - gnome-vfs2 <unfixed> (embed; bug #395874)
    - litmus <unfixed> (embed; bug #395875)
    [sarge] - screem <unfixed> (embed)
    - sitecopy <unfixed> (embed; bug #395876)
    - [etch] tla <unfixed> (embed; bug #395877)
    - [sarge] tla <unfixed> (embed; bug #395877)

libmodplug
    - gst-plugins-bad0.10 <unfixed> (embed)

libvncserver
    - vino <unfixed> (embed)

putty
    - filezilla <unfixed> (embed)

tinyxml (not packaged in Debian)
    - filezilla <unfixed>

gv
    - evince <unfixed> (embed)
    NOTE: ps/ tree from gv 3.5.8
    - evince-gtk <unfixed> (embed)
    NOTE: not packaged in Debian

libXbae
    [etch] - libpawlib2-lesstif <unfixed> (embed)
    NOTE: from Cernlib

libXaw
    [etch] - libpawlib2-lesstif
    NOTE: from Cernlib
    NOTE: I plan to deal with the above two cases after Etch release. -- KevinMcCarty

libgd2
    - graphviz <unfixed> (embed)
    NOTE: lib/gd seems to be 2.0.33

rar
    - unrar-nonfree <unfixed> (embed)

unrar-free (maybe this code is derived from the original rar, too?)
    - clamav <unfixed> (embed)
    NOTE: seems to be disabled in default config

mplayer (DirectMedia Object loader)
    - xine-lib <unfixed> (embed)
    NOTE: src/libw32dll/
    - vlc <unfixed> (embed)
    NOTE: modules/codec/dmo/

libwpd (WordPerfect converter)
    - openoffice.org <unfixed> (embed)

fsplib (http://sourceforge.net/projects/fsp/)
    - gftp <unfixed> (embed)
    NOTE: lib/fsplib version 0.3

librpcsecgss
    - krb5 <unfixed> (embed)

jasper
    - ghostscript <unfixed> (embed)
    - gs-gpl <unfixed> (embed)

libidn
    - monotone <unfixed> (embed)

liblua
    - monotone <unfixed> (embed)

libbotan
    - monotone <unfixed> (embed)

NetXX
    - monotone <unfixed> (embed)

libgc
    - mono <unfixed> (embed)

lzma
    - p7zip <unfixed> (embed)

lzo
    - grub2 <unfixed> (embed)

pax code
    - tar <unfixed> (embed)
    - cpio <unfixed> (embed)

t1lib
    - tetex-bin 2.0.2-1 (embed)
    - texlive-bin <unknown> (embed)
