Embedded code copies
====================

This file collects cases, where a source package embeds code from
other projects which is considered bad for fixing security flaws
because the fix needs to be applied in multiple source packages.

Format:
<srcpkg> (<optional comment about srcpkg>)
	- <embedding srcpkg> <status> (<sort>; bug #<number>)
	NOTE: optional comments about the linkage of the embedding srcpkg

status: version number fixing the embedded copy, <unfixed>, <removed>, <itp> or <unknown> if the version number can not be determined
sort: static (linking statically against a lib)
      embed (embedding a copy of the library into another source package)
      fork (the package is not just embedding code but it is a fork and thus might share parts of the source code)

The srcpkg might be some string to identify the code if there is no specific source package.

Everything up to the next line is ignored
---BEGIN
xpdf (some srcpkgs use xpdf2 code, some xpdf3 code)
	NOTE: Fixed packages link to poppler library unless otherwise noted
	- gpdf <removed>
	[sarge] - gpdf <unfixed>
	NOTE: has been replaced by evince in etch
	- pdftohtml <unknown>
	[sarge] - pdftohtml <unfixed>
	[etch] - pdftohtml <unfixed>
	NOTE: has been replaced by poppler-utils
	- kdegraphics <unfixed> (embed; bug #436164)
	NOTE: the kpdf replacement in KDE 4 is using poppler
	- tetex-bin 3.0-12 (embed)
	- texlive-bin 2007-1 (embed)
	NOTE: links to poppler
	- koffice <unfixed> (embed; bug #436163)
	- libextractor 0.5.12-1 (embed)
	NOTE: libextractor is using its own pdf decoder now
	- libextractor 0.5.12-1 (embed)
	- pdfkit.framework 0.8-4 (embed)
	- ipe <unfixed> (embed)
	NOTE: embeds small parts with renamed source files: ipestdfonts.cpp, ipefonts.cpp, ipedct.cpp
	- ruby-gnome2 <unknown> (embed)
	NOTE: copy only present in source but links to poppler

ppmd
	- libcomplearn-mod-ppmd <unfixed> (embed; bug #458152)

silc-toolkit
	- silc-client 1.1~beta6-1 (embed)

dietlibc
	- ccontrol 0.9.1+20071204-1 (static)

libiax
	- iaxmodem <unfixed> (embed)

zlib (lots of apps embed a copy, but link dynamically, but there are a few exceptions)
	- dpkg <unfixed> (embed)
	NOTE: see 18196.48620.491996.624772@davenant.relativity.greenend.org.uk on debian-devel for discussion
	- rsync <unfixed> (embed)
	NOTE: somehow derived code base
	- mono <unfixed> (embed)
	TODO: check mozilla
	- Linux kernels <unfixed> (embed)
	- pvpgn 1.7.8-2 (embed)
	- mrtg 2.12.2-1 (embed)
	- rpm <unknown> (embed)
	NOTE: pinged anibal since when rpm was fixed

libbz2
	- dpkg <unfixed> (static)

ekg
	- centericq <unfixed> (embed)
	- gaim <unfixed> (embed)
	- pigdin <unfixed> (embed)(links dynamically against libgadu)
	- kopete 4:3.3.2-5 (embed)
	- kadu <unfixed> (embed)
	- gadu <unfixed> (embed)
	NOTE: g/kadu not packaged in Debian yet

xmlrpc (which package is the "origin" of this code?)
	- drupal <unfixed> (embed)
	- phpgroupware <unfixed> (embed)
	- egroupware <unfixed> (embed)
	- phpwiki (embed)
	- php4 <unfixed> (embed)
	TODO: check, php-pear, IIRC this was reorganized some weeks ago?

shtool (affects build-time only)
	- mysql-ocaml <unfixed> (embed)
	- php4 <unfixed> (embed)

mozilla source code
	- mozilla-firefox <unfixed> (embed)
	- mozilla-thunderbird
	- firefox <removed>
	[etch] - firefox <unfixed> (embed)
	- thunderbird <removed>
	[etch] - thunderbird <unfixed> (embed)
	- iceweasel <unfixed> (embed)
	- iceape <unfixed> (embed)
	- icedove <unfixed> (embed)
	- xulrunner <unfixed> (embed)
	- nvu <removed> (embed)

xli
	- xloadimage <unfixed> (embed)

lesstif (beware: two different lesstif APIs supported in one package, MOTIF 1.2 discarded upstream)
	- openmotif <unfixed> (embed)
	- xfree86/xorg <unfixed> (embed)
	NOTE: in libxpm

kerberized apps with BSD origin
	- krb4 <unfixed> (embed)
	- krb5 <unfixed> (embed)
	- heimdal <unfixed> (embed)

grip (which pkg is the origin?)
	- libcdaudio
	- grip
	- gnome-vfs
	TODO: check vfs2 as well

fudforum
	- phpgroupware-fudforum <unfixed> (embed)
	- egroupware-fudforum <removed>
	[sarge] - egroupware-fudforum <unfixed> (embed)

cvs
	- gcvs <unfixed> (embed)
	NOTE: see cvsunix/src in tarball

pcre
	- python* <unfixed> (embed)
	- php4 <unknown> (embed)
	- analog 2:5.23-0woody1 (embed)
	- libgoffice-1 <unfixed> (embed)
	- vfu 4.06-4.1 (embed; bug #450754)
	- tf5 5.0beta7-1 (embed)
	- monotone <unfixed> (embed)
	NOTE: this only affects versions >= 0.37
	- glib <unfixed> (embed)
	NOTE: 2.14 series for gregex support, only for udeb, regular packag links dynamic
	- apache2 2.0.53-4 (embed)
	- exim4 4.10-0.srh20.12 (embed)
	- yacas <unfixed> (embed)
	NOTE: <= 1.0.x; is using pcre to scan text, can execute shell commands via the syntax anyway
	- gtamsanalyzer.app 0.42-5 (embed)

tiff
	- wxpythongtk <unfixed> (embed)
	TODO: check, which debian pkg this is in

uudeview
	- libconvert-uulib-perl <unfixed> (embed)

sqlite (not affected by security vulnerabilities so far)
	- amarok <unfixed> (embed)
	- monotone <unfixed> (embed)
	- iceweasel <unfixed> (embed)

util-linux/mount
	- loop-aes-utils <unfixed> (embed)
	NOTE: contains code from util-linux' mount in the mount-aes-udeb

webmin
	- usermin <unknown> (embed)
	[sarge] - usermin <unfixed> (embed)

sylpheed
	- sylpheed-claws <unfixed> (fork)

phpsysinfo
	- egroupware <unfixed> (embed)
	- phpgroupware <unfixed> (embed)

phpldapadmin
	[sarge] - egroupware <unfixed> (embed)
	NOTE: removed from egroupware after sarge

chmlib
	- kchmviewer <unknown> (embed)

libavcodec/libavformat (source: ffmpeg)
	- mplayer <unfixed> (embed; bug #395252)
	- xvidcap <unfixed> (embed)
	- kino <unfixed> (static)
	- vlc <unfixed> (static)
	- smilutils <unfixed> (static)
	- motion <unfixed> (static)
	- gst-ffmpeg <unfixed> (embed)
	- gstreamer0.10-ffmpeg <unfixed> (embed)
	- xmovie <unfixed>
	TODO: gimp-gap (potentially using ffmpeg code as well)

mad MPEG decoding lib
	- mad <unfixed> (embed)
	- xine-lib <unfixed> (embed)

libdts
	- xine-lib <unfixed> (embed)

flac
	- xine-lib <unfixed> (embed)

liba52
	- a52dec <unfixed> (embed)
	- xine-lib <unfixed> (embed)

libmpeg2
	- mpeg2dec <unfixed> (embed)
	- xine-lib <unfixed> (embed)

curl
	- wget <unfixed> (embed)
	NOTE: code for NTLM authentication

uw-imap
	- pine <unfixed> (embed)
	- alpine <unfixed> (embed)

imagemagick
	- graphicsmagick <unfixed> (fork)

halibut
	- nsis <unfixed> (embed)

libghttp
	- hotway <unfixed> (embed)

libsndfile
	- ardour <unfixed> (embed)

glibmm2.4
	- ardour <unfixed> (embed)

libgnomecanvasmm2.6
	- ardour <unfixed> (embed)

libsigc++-2.0
	- ardour <unfixed> (embed)

soundtouch
	- ardour <unfixed> (embed)

libmms
	- xine-lib <unfixed> (embed)
	- mimms <unfixed> (embed)

fckeditor
	- knowledgeroot <unfixed> (embed; bug #461555)
	- moin <unfixed> (embed; bug #452599)
	- karrigell <unfixed> (embed; bug #452598)
	- gforge-plugins-extra 4.6.99+svn6225-1 (embed)

ipatlas (not packaged in Debian)
	- moodle <unfixed> (embed)

libphp-phpmailer
	- moodle <unfixed> (embed)

htmlArea (not packaged in Debian)
	- moodle <unfixed> (embed)

bennu (not packaged in Debian)
	- moodle <unfixed> (embed)

smarty:
	- moodle <unfixed> (embed)

TinyMCE
	- wordpress <unfixed> (embed)
	- moodle <unfixed> (embed)
	- knowledgeroot <unfixed> (embed)
	- joomla <itp> (bug #326398)

scintilla
	- scite <unfixed> (embed)
	- qscintilla <unfixed> (embed)
	- qscintilla2 <unfixed> (embed)
	- geany <unfixed> (embed)

libphp-adodb
	- moodle <unfixed> (embed)
	NOTE: also AdoDB-XML Schema
	- gallery2 <unfixed> (embed)
	- phppgadmin <unfixed> (embed)
	- egroupware <unfixed> (embed)
	- phpwiki <unfixed> (embed)
	- ipplan <unfixed> (embed)
	- typo3 <unfixed> (embed)
	- moodle <unfixed> (embed)
	- cacti <unknown> (embed)
	[sarge] - cacti <unfixed> (embed)
	NOTE: dependency exists, but internal version is used

gzip
	- linux-kernel <unfixed> (embed)
	NOTE: lib/inflate.c
	- klibc <unfixed> (embed)
	NOTE: based on linux-kernel gzip code
	- busybox <unfixed> (embed)

neon
	- cadaver <unfixed> (embed; bug #188381)
	- gnome-vfs2 <unfixed> (embed; bug #395874)
	- litmus <unfixed> (embed; #395875)
	[sarge] - screem <unfixed> (embed)
	- sitecopy <unfixed> (embed; bug #395876)
	[etch] - tla <unfixed> (embed; bug #395877)
	[sarge] - tla <unfixed> (embed; bug #395877)

libmodplug
	- gst-plugins-bad0.10 <unfixed> (embed)

libvncserver
	- vino <unfixed> (embed)

putty
	- filezilla <unfixed> (embed)

tinyxml (not packaged in Debian)
	- filezilla <unfixed>

gv
	- evince <unfixed> (embed)
	NOTE: ps/ tree from gv 3.5.8
	- evince-gtk <unfixed> (embed)
	NOTE: not packaged in Debian

libXbae
	[etch] - libpawlib2-lesstif <unfixed> (embed)
	NOTE: from Cernlib

libXaw
	[etch] - libpawlib2-lesstif
	NOTE: from Cernlib
	NOTE: I plan to deal with the above two cases after Etch release. -- KevinMcCarty

libgd2
	- graphviz <unfixed> (embed)
	NOTE: lib/gd seems to be 2.0.33

rar
	- unrar-nonfree <unfixed> (embed)

unrar-free (maybe this code is derived from the original rar, too?)
	- clamav <unfixed> (embed)
	NOTE: seems to be disabled in default config

mplayer (DirectMedia Object loader)
	- xine-lib <unfixed> (embed)
	NOTE: src/libw32dll/
	- vlc <unfixed> (embed)
	NOTE: modules/codec/dmo/

libwpd (WordPerfect converter)
	- openoffice.org <unfixed> (embed)

fsplib (http://sourceforge.net/projects/fsp/)
	- gftp <unfixed> (embed)
	NOTE: lib/fsplib version 0.3

librpcsecgss
	- krb5 <unfixed> (embed)

jasper
	- ghostscript <unfixed> (embed)
	- gs-gpl <unfixed> (embed)

libidn
	- monotone <unfixed> (embed)

liblua
	- monotone <unfixed> (embed)

libbotan
	- montone <unfixed> (embed)

NetXX
	- monotone <unfixed> (embed)

libgc
	- mono <unfixed> (embed)

lzma
	- p7zip <unfixed> (embed)

lzo
	- grub2 <unfixed> (embed)

yassl
	- mysql-dfsg-5.0 <unfixed> (embed)

pax code
	- tar <unfixed> (embed)
	- cpio <unfixed> (embed)

t1lib
	- tetex-bin 2.0.2-1 (embed)
	- texlive-bin <unknown> (embed)

guichan
	- boswars <unfixed> (embed)
	NOTE: maintainer notified us, working on it

tolua
	- boswars <unfixed> (embed)
	NOTE: maintainer notified us, working on it

asio-dev
	- luxrender <unfixed> (embed)
	NOTE: maintainer notified us, working on it
	NOTE: may be merged with boost "soon"

xine-lib
	- vlc <unfixed> (embed)
	NOTE: only parts included in modules/access/rtsp

netpbm
	- tcl8.3 <unfixed> (embed)
	- tcl8.4 <unfixed> (embed)
	- tcl8.5 <unfixed> (embed)
	NOTE: generic/tkImgGIF.c