Contents of /data/embedded-code-copies

Revision 9244
Sat Jul 5 21:38:08 2008 UTC (4 years, 10 months ago) by nion
File size: 14035 byte(s)
kvm embeds vgabios and bochsbios from bochs

Embedded code copies
====================

This file collects source packages that embed code from other projects.
This is considered bad for fixing security flaws because the fix needs
to be applied in multiple source packages.

Format:
<srcpkg> (<optional comment about srcpkg>)
	- <embedding srcpkg> <status> (<sort>; bug #<number>)
	NOTE: optional comments about the linkage of the embedding srcpkg

status: version number fixing the embedded copy, <unfixed>, <removed>,
        <itp> or <unknown> if the version number can not be determined
        <unfixable> for unavoidable cases (e.g., forks that add real value)
sort:   static (linking statically against a lib)
        embed (embedding a copy of the library into another source package)
        fork (the package is not just embedding code but it is a fork and
              thus might share parts of the source code)
        old-version (the package is an older version of essentially
                     the same code)

The srcpkg might be some string to identify the code if there is no
specific source package.

Everything up to the next line is ignored.
---BEGIN
xpdf (some srcpkgs use xpdf2 code, some xpdf3 code)
	NOTE: Fixed packages link to poppler library unless otherwise noted
	- gpdf <removed>
	[sarge] - gpdf <unfixed>
	NOTE: has been replaced by evince in etch
	- pdftohtml <unknown>
	[sarge] - pdftohtml <unfixed>
	[etch] - pdftohtml <unfixed>
	NOTE: has been replaced by poppler-utils
	- kdegraphics <unfixed> (embed; bug #436164)
	NOTE: the kpdf replacement in KDE 4 is using poppler
	- texlive-base 3.0-12 (embed)
	- texlive-bin 2007-1 (embed)
	NOTE: links to poppler
	- koffice <unfixed> (embed; bug #436163)
	- libextractor 0.5.12-1 (embed)
	NOTE: libextractor is using its own pdf decoder now
	- libextractor 0.5.12-1 (embed)
	- pdfkit.framework 0.8-4 (embed)
	- ipe <unfixed> (embed)
	NOTE: embeds small parts with renamed source files: ipestdfonts.cpp, ipefonts.cpp, ipedct.cpp
	- ruby-gnome2 <unknown> (embed)
	NOTE: copy only present in source but links to poppler

ppmd
	- libcomplearn-mod-ppmd <unfixed> (embed; bug #458152)

peercast
	- gnome-peercast <unfixed> (embed)
	NOTE: gnome-peercast may better be removed, see #466539

silc-toolkit
	- silc-client 1.1~beta6-1 (embed)

dietlibc
	- ccontrol 0.9.1+20071204-1 (static)

libiax
	- iaxmodem <unfixed> (embed)

zlib (lots of apps embed a copy, but link dynamically, but there are a few exceptions)
	- dpkg <unfixed> (embed)
	NOTE: see 18196.48620.491996.624772@davenant.relativity.greenend.org.uk on debian-devel for discussion
	- rsync <unfixed> (embed)
	NOTE: somehow derived code base
	- mono <unfixed> (embed)
	TODO: check mozilla
	- Linux kernels <unfixed> (embed)
	- pvpgn 1.7.8-2 (embed)
	- mrtg 2.12.2-1 (embed)
	- rpm <unknown> (embed)
	NOTE: pinged anibal since when rpm was fixed

libbz2
	- dpkg <unfixed> (static)

ekg
	- centericq <unfixed> (embed)
	- gaim <unfixed> (embed)
	- pidgin <unfixed> (embed)(links dynamically against libgadu)
	- kopete 4:3.3.2-5 (embed)
	- kadu <unfixed> (embed)
	- gadu <unfixed> (embed)
	NOTE: g/kadu not packaged in Debian yet

xmlrpc (which package is the "origin" of this code?)
	- drupal <unfixed> (embed)
	- phpgroupware <unfixed> (embed)
	- egroupware <unfixed> (embed)
	- phpwiki (embed)
	- php4 <unfixed> (embed)
	TODO: check, php-pear, IIRC this was reorganized some weeks ago?

shtool (affects build-time only)
	- mysql-ocaml <unfixed> (embed)
	- php4 <unfixed> (embed)

mozilla source code
	- mozilla-firefox <unfixed> (embed)
	- mozilla-thunderbird
	- firefox <removed>
	[etch] - firefox <unfixed> (embed)
	- thunderbird <removed>
	[etch] - thunderbird <unfixed> (embed)
	- iceweasel <unfixed> (embed)
	- iceape <unfixed> (embed)
	- icedove <unfixed> (embed)
	- xulrunner <unfixed> (embed)
	- nvu <removed> (embed)

xli
	- xloadimage <unfixed> (embed)

lesstif (beware: two different lesstif APIs supported in one package, MOTIF 1.2 discarded upstream)
	- openmotif <unfixed> (embed)
	- xfree86/xorg <unfixed> (embed)
	NOTE: in libxpm

kerberized apps with BSD origin
	- krb4 <unfixed> (embed)
	- krb5 <unfixed> (embed)
	- heimdal <unfixed> (embed)

grip (which pkg is the origin?)
	- libcdaudio
	- grip
	- gnome-vfs
	TODO: check vfs2 as well

fudforum
	- phpgroupware-fudforum <unfixed> (embed)
	- egroupware-fudforum <removed>
	[sarge] - egroupware-fudforum <unfixed> (embed)

cvs
	- gcvs <unfixed> (embed)
	NOTE: see cvsunix/src in tarball

pcre
	- python* <unfixed> (embed)
	- php4 <unknown> (embed)
	- analog 2:5.23-0woody1 (embed)
	- libgoffice-1 <unfixed> (embed)
	- vfu 4.06-4.1 (embed; bug #450754)
	- tf5 5.0beta7-1 (embed)
	- monotone <unfixed> (embed)
	NOTE: this only affects versions >= 0.37
	- glib2.0 2.15.2-1 (embed)
	- apache2 2.0.53-4 (embed)
	- exim4 4.10-0.srh20.12 (embed)
	- yacas <unfixed> (embed)
	NOTE: <= 1.0.x; is using pcre to scan text, can execute shell commands via the syntax anyway
	- gtamsanalyzer.app 0.42-5 (embed)
	- tin <unknown> (embed)
	- kazehakase 0.5.2-1
	- webkit <unfixed> (embed)
	- qt4-x11 <unfixed> (embed)
	NOTE: embedded via webkit copy

tiff
	- wxwindows2.4 2.2.1 (embed)

uudeview
	- libconvert-uulib-perl <unfixed> (embed)
	- pan <unfixed> (embed)

sqlite (not affected by security vulnerabilities so far)
	- amarok <unfixed> (embed)
	- monotone <unfixed> (embed)
	- iceweasel <unfixed> (embed)

util-linux/mount
	- loop-aes-utils <unfixed> (embed)
	NOTE: contains code from util-linux' mount in the mount-aes-udeb

webmin
	- usermin <unknown> (embed)
	[sarge] - usermin <unfixed> (embed)

sylpheed
	- sylpheed-claws <unfixed> (fork)

phpsysinfo
	- egroupware <unfixed> (embed)
	- phpgroupware <unfixed> (embed)

phpldapadmin
	[sarge] - egroupware <unfixed> (embed)
	NOTE: removed from egroupware after sarge

chmlib
	- kchmviewer <unknown> (embed)

libavcodec/libavformat (source: ffmpeg)
	- mplayer 1.0~rc2-14 (embed; bug #395252)
	- xvidcap <unfixed> (embed)
	- kino <unfixed> (static)
	- vlc <not-affected> (Links dynamically since initial release)
	- smilutils <unfixed> (static)
	- motion <unfixed> (static)
	- gst-ffmpeg <unfixed> (embed)
	- gstreamer0.10-ffmpeg <unfixed> (embed)
	- xmovie <unfixed>
	TODO: gimp-gap (potentially using ffmpeg code as well)

mad MPEG decoding lib
	- mad <unfixed> (embed)
	- xine-lib <unfixed> (embed)

libdts
	- xine-lib <unfixed> (embed)

flac
	- xine-lib <unfixed> (embed)

liba52
	- a52dec <unfixed> (embed)
	- xine-lib <unfixed> (embed)

libmpeg2
	- mpeg2dec <unfixed> (embed)
	- xine-lib <unfixed> (embed)

curl
	- wget <unfixed> (embed)
	NOTE: code for NTLM authentication

uw-imap
	- pine <unfixed> (embed)
	- alpine <unfixed> (embed)

imagemagick
	- graphicsmagick <unfixed> (fork)

halibut
	- nsis <unfixed> (embed)

libghttp
	- hotway <unfixed> (embed)

libsndfile
	- ardour <unfixed> (embed)

glibmm2.4
	- ardour <unfixed> (embed)

libgnomecanvasmm2.6
	- ardour <unfixed> (embed)

libsigc++-2.0
	- ardour <unfixed> (embed)

soundtouch
	- ardour <unfixed> (embed)

libmms
	- xine-lib <unfixed> (embed)
	- mimms <unfixed> (embed)

fckeditor
	- knowledgeroot 0.9.8.5-3 (embed; bug #461555)
	- moin <unfixed> (embed; bug #452599)
	- karrigell <unfixed> (embed; bug #452598)
	- gforge-plugins-extra 4.6.99+svn6225-1 (embed)

ipatlas (not packaged in Debian)
	- moodle <unfixed> (embed)

libphp-phpmailer
	- moodle <unfixed> (embed)

htmlArea (not packaged in Debian)
	- moodle <unfixed> (embed)

giflib:
	- wine <unfixed> (embed; bug #466181)

bennu (not packaged in Debian)
	- moodle <unfixed> (embed)

smarty:
	- moodle <unfixed> (embed; bug #471158)
	- gallery2 <unfixed> (embed; bug #471160)
	- mahara 0.9.2-2 (embed; bug #471201)
	- gosa 2.4beta1-1 (embed; bug #471200)

TinyMCE
	- wordpress <unfixed> (embed; bug #478257)
	- moodle <unfixed> (embed)
	- knowledgeroot <unfixed> (embed)
	- joomla <itp> (bug #326398)

scintilla
	- scite <unfixed> (embed)
	- qscintilla <unfixed> (embed)
	- qscintilla2 <unfixed> (embed)
	- geany <unfixed> (embed)

libphp-adodb
	- moodle <unfixed> (embed)
	NOTE: also AdoDB-XML Schema
	- gallery2 <unfixed> (embed)
	- phppgadmin <unfixed> (embed)
	- egroupware <unfixed> (embed)
	- phpwiki <unfixed> (embed)
	- ipplan <unfixed> (embed)
	- typo3 <unfixed> (embed)
	- moodle <unfixed> (embed)
	- cacti <unknown> (embed)
	[sarge] - cacti <unfixed> (embed)
	NOTE: dependency exists, but internal version is used

gzip
	- linux-kernel <unfixed> (embed)
	NOTE: lib/inflate.c
	- klibc <unfixed> (embed)
	NOTE: based on linux-kernel gzip code
	- busybox <unfixed> (embed)

neon
	- cadaver <unfixed> (embed; bug #188381)
	- gnome-vfs2 <unfixed> (embed; bug #395874)
	- litmus <unfixed> (embed; bug #395875)
	[sarge] - screem <unfixed> (embed)
	- sitecopy <unfixed> (embed; bug #395876)
	[etch] - tla <unfixed> (embed; bug #395877)
	[sarge] - tla <unfixed> (embed; bug #395877)

libmodplug
	- gst-plugins-bad0.10 <unfixed> (embed)

libvncserver
	- vino <unfixed> (embed)

putty
	- filezilla <unfixed> (embed)

tinyxml (not packaged in Debian)
	- filezilla <unfixed>

gv
	- evince <unfixed> (embed)
	NOTE: ps/ tree from gv 3.5.8
	- evince-gtk <unfixed> (embed)
	NOTE: not packaged in Debian

libXbae
	[etch] - libpawlib2-lesstif <unfixed> (embed)
	NOTE: from Cernlib

libXaw
	[etch] - libpawlib2-lesstif
	NOTE: from Cernlib
	NOTE: I plan to deal with the above two cases after Etch release. -- KevinMcCarty

libgd2
	- graphviz <unfixed> (embed)
	NOTE: lib/gd seems to be 2.0.33
	- wml <unfixed> (embed)
	NOTE: derived from gd 1.6.3

rar
	- unrar-nonfree <unfixed> (embed)

unrar-free (maybe this code is derived from the original rar, too?)
	- clamav <unfixed> (embed)
	NOTE: seems to be disabled in default config

mplayer (DirectMedia Object loader)
	- xine-lib <unfixed> (embed)
	NOTE: src/libw32dll/
	- vlc <unfixed> (embed)
	NOTE: modules/codec/dmo/

libwpd (WordPerfect converter)
	- openoffice.org <unfixed> (embed)

fsplib (http://sourceforge.net/projects/fsp/)
	- gftp <unfixed> (embed)
	NOTE: lib/fsplib version 0.3

librpcsecgss
	- krb5 <unfixed> (embed)

jasper
	- ghostscript <unfixed> (embed)
	- gs-gpl <unfixed> (embed)

libidn
	- monotone <unfixed> (embed)

liblua
	- monotone <unfixed> (embed)

libbotan
	- monotone <unfixed> (embed)

NetXX
	- monotone <unfixed> (embed)

libgc
	- mono <unfixed> (embed)

lzma
	- p7zip <unfixed> (embed)

lzo
	- grub2 <unfixed> (embed)

yassl
	- mysql-dfsg-5.0 <unfixed> (embed)

pax code
	- tar <unfixed> (embed)
	- cpio <unfixed> (embed)

t1lib
	- tetex-bin 2.0.2-1 (embed)
	- texlive-bin <unknown> (embed)

guichan
	- boswars <unfixed> (embed)
	NOTE: maintainer notified us, working on it

tolua
	- boswars <unfixed> (embed)
	NOTE: maintainer notified us, working on it

asio-dev
	- luxrender <unfixed> (embed)
	NOTE: maintainer notified us, working on it
	NOTE: may be merged with boost "soon"

xine-lib
	- vlc <unfixed> (embed)
	NOTE: only parts included in modules/access/rtsp

netpbm
	- tcl8.3 <unfixed> (embed)
	- tcl8.4 <unfixed> (embed)
	- tcl8.5 <unfixed> (embed)
	NOTE: generic/tkImgGIF.c

tk8.5
	- tk8.0 <removed> (old-version)
	- tk8.3 <unfixed> (old-version)
	- tk8.4 <unfixed> (old-version)
	- perl-tk <unfixable> (fork)

samba
	- mc <unfixed> (embed)
	NOTE: maintainer is aware of this, currently searching a solution

plib1.8.4c2
	- boson <unfixed> (fork)
	NOTE: embedding the font pieces of plib, based on the header file it is forked, contains "Added by AB for boson." and similar

fribidi
	- quesoglc <unfixed> (embed)

glew
	- quesoglc <unfixed> (embed)

minorGems
	- transcend <unfixed> (embed)
	- cultivation <unfixed> (embed)

tar
	- libarchive <unfixed> (embed)
	NOTE: FreeBSD tar (tar/bsdtar.c) in libarchive 1.2 and higher. libarchive ends up statically linked into bsdtar executable

cpio
	- libarchive <unfixed> (embed)
	NOTE: cpio included in libarchive 2.2 and higher, but not compiled until libarchive 2.4.11-1 (as bsdcpio package)

webkit
	- qt4-x11 <unfixed> (embed)

ftgl
	- blender 2.46+dfsg-1 (embed)

wv
	- abiword <unfixed>

qemu
	- kvm <unfixed> (embed)

bochs
	- kvm <unfixed> (embed; bug #489442)

speex
	- vorbis-tools <unfixed> (embed)
	NOTE: while compiled against libspeex-dev, ogg123/speex_format.c is compiled with embedded code copied from speexdec.c
	- gst-plugins-good0.10 <unfixed> (embed)
	- xine-lib <unfixed> (embed)
	- libfishsound <unfixed> (embed)
	- libannodex <unfixed> (embed)
	- vlc <unfixed> (embed)
	- xmms-speex <unfixed> (embed)
	- libsdl-sound1.2 <unfixed> (embed)
	- sweep <unfixed> (embed)

libreadline
	- magic <unfixed> (old-version)
	NOTE: magic is currently an RFS

opcode
	- ode <unfixed> (embed)
	NOTE: opcode is not a package in debian, it is just embedded
	NOTE: http://www.codercorner.com/Opcode.htm

gimpact
	- ode <unfixed> (embed)
	NOTE: gimpact is not a package in debian, it is just embedded
	NOTE: http://gimpact.sf.net

MochiKit.js
	- mahara <unfixed> (embed)
	- ntop <unfixed> (embed)
	- python-coherence <unfixed> (embed)
	- python-paste <unfixed> (embed)
	- python-turbogears <unfixed> (embed)
	- zope-plone3 <unfixed> (embed)

prototype.js
	- netbeans-ide <unfixed> (embed)
	- auth2db-frontend <unfixed> (embed)
	- citadel-webcit <unfixed> (embed)
	- asterisk <unfixed> (embed)
	- doc-iana <unfixed> (embed)
	- libaws-doc <unfixed> (embed)
	- libgettext-ruby-data <unfixed> (embed)
	- libjson-ruby-doc <unfixed> (embed)
	- liblucene2-java-doc <unfixed> (embed)
	- libopenid-ruby <unfixed> (embed)
	- solr-common <unfixed> (embed)
	- glpi <unfixed> (embed)
	- hobbix <unfixed> (embed)
	- mnemo2 <unfixed> (embed)
	- nag2 <unfixed> (embed)
	- libjs-prototype <unfixed> (embed)
	- libjs-scriptaculous <unfixed> (embed)
	- knowledgeroot <unfixed> (embed)
	- mediatomb-common <unfixed> (embed)
	- mt-daapd <unfixed> (embed)
	- op-panel <unfixed> (embed)
	- ebug-http <unfixed> (embed)
	- phpgedview <removed> (embed)
	- poker-web <unfixed> (embed)
	- python-webhelpers <unfixed> (embed)
	- qwik <unfixed> (embed)
	- rails <unfixed> (embed)
	- typo3-src-4.1 <unfixed> (embed)
	- wordpress <unfixed> (embed)
	- zope-plone3 <unfixed> (embed)
	- smokeping <unfixed> (embed)

gdb
	- insight <unfixed> (embed)