Contents of /data/embedded-code-copies


Revision 9251
Mon Jul 7 11:41:51 2008 UTC (4 years, 10 months ago) by jmm-guest
File size: 14042 byte(s)
new embedding: sprng
xvidcap not in the archive
kino fixed
Embedded code copies
====================

This file collects source packages that embed code from other projects.
This is considered bad for fixing security flaws because the fix needs
to be applied in multiple source packages.

Format:
<srcpkg> (<optional comment about srcpkg>)
- <embedding srcpkg> <status> (<sort>; bug #<number>)
NOTE: optional comments about the linkage of the embedding srcpkg

status: version number fixing the embedded copy, <unfixed>, <removed>,
<itp> or <unknown> if the version number can not be determined
<unfixable> for unavoidable cases (e.g., forks that add real value)
sort: static (linking statically against a lib)
embed (embedding a copy of the library into another source package)
fork (the package is not just embedding code but it is a fork and
thus might share parts of the source code)
old-version (the package is an older version of essentially
the same code)

The srcpkg might be some string to identify the code if there is no
specific source package.

Everything up to the next line is ignored.
---BEGIN
xpdf (some srcpkgs use xpdf2 code, some xpdf3 code)
NOTE: Fixed packages link to poppler library unless otherwise noted
- gpdf <removed>
[sarge] - gpdf <unfixed>
NOTE: has been replaced by evince in etch
- pdftohtml <unknown>
[sarge] - pdftohtml <unfixed>
[etch] - pdftohtml <unfixed>
NOTE: has been replaced by poppler-utils
- kdegraphics <unfixed> (embed; bug #436164)
NOTE: the kpdf replacement in KDE 4 is using poppler
- texlive-base 3.0-12 (embed)
- texlive-bin 2007-1 (embed)
NOTE: links to poppler
- koffice <unfixed> (embed; bug #436163)
- libextractor 0.5.12-1 (embed)
NOTE: libextractor is using its own pdf decoder now
- libextractor 0.5.12-1 (embed)
- pdfkit.framework 0.8-4 (embed)
- ipe <unfixed> (embed)
NOTE: embeds small parts with renamed source files: ipestdfonts.cpp, ipefonts.cpp, ipedct.cpp
- ruby-gnome2 <unknown> (embed)
NOTE: copy only present in source but links to poppler

ppmd
- libcomplearn-mod-ppmd <unfixed> (embed; bug #458152)

peercast
- gnome-peercast <unfixed> (embed)
NOTE: gnome-peercast may better be removed, see #466539

silc-toolkit
- silc-client 1.1~beta6-1 (embed)

dietlibc
- ccontrol 0.9.1+20071204-1 (static)

libiax
- iaxmodem <unfixed> (embed)

zlib (lots of apps embed a copy, but link dynamically, but there are a few exceptions)
- dpkg <unfixed> (embed)
NOTE: see 18196.48620.491996.624772@davenant.relativity.greenend.org.uk on debian-devel for discussion
- rsync <unfixed> (embed)
NOTE: somehow derived code base
- mono <unfixed> (embed)
TODO: check mozilla
- Linux kernels <unfixed> (embed)
- pvpgn 1.7.8-2 (embed)
- mrtg 2.12.2-1 (embed)
- rpm <unknown> (embed)
NOTE: pinged anibal since when rpm was fixed

libbz2
- dpkg <unfixed> (static)

ekg
- centericq <unfixed> (embed)
- gaim <unfixed> (embed)
- pidgin <unfixed> (embed)(links dynamically against libgadu)
- kopete 4:3.3.2-5 (embed)
- kadu <unfixed> (embed)
- gadu <unfixed> (embed)
NOTE: g/kadu not packaged in Debian yet

xmlrpc (which package is the "origin" of this code?)
- drupal <unfixed> (embed)
- phpgroupware <unfixed> (embed)
- egroupware <unfixed> (embed)
- phpwiki (embed)
- php4 <unfixed> (embed)
TODO: check, php-pear, IIRC this was reorganized some weeks ago?

shtool (affects build-time only)
- mysql-ocaml <unfixed> (embed)
- php4 <unfixed> (embed)

mozilla source code
- mozilla-firefox <unfixed> (embed)
- mozilla-thunderbird
- firefox <removed>
[etch] - firefox <unfixed> (embed)
- thunderbird <removed>
[etch] - thunderbird <unfixed> (embed)
- iceweasel <unfixed> (embed)
- iceape <unfixed> (embed)
- icedove <unfixed> (embed)
- xulrunner <unfixed> (embed)
- nvu <removed> (embed)

xli
- xloadimage <unfixed> (embed)

lesstif (beware: two different lesstif APIs supported in one package, MOTIF 1.2 discarded upstream)
- openmotif <unfixed> (embed)
- xfree86/xorg <unfixed> (embed)
NOTE: in libxpm

kerberized apps with BSD origin
- krb4 <unfixed> (embed)
- krb5 <unfixed> (embed)
- heimdal <unfixed> (embed)

grip (which pkg is the origin?)
- libcdaudio
- grip
- gnome-vfs
TODO: check vfs2 as well

fudforum
- phpgroupware-fudforum <unfixed> (embed)
- egroupware-fudforum <removed>
[sarge] - egroupware-fudforum <unfixed> (embed)

cvs
- gcvs <unfixed> (embed)
NOTE: see cvsunix/src in tarball

pcre
- python* <unfixed> (embed)
- php4 <unknown> (embed)
- analog 2:5.23-0woody1 (embed)
- libgoffice-1 <unfixed> (embed)
- vfu 4.06-4.1 (embed; bug #450754)
- tf5 5.0beta7-1 (embed)
- monotone <unfixed> (embed)
NOTE: this only affects versions >= 0.37
- glib2.0 2.15.2-1 (embed)
- apache2 2.0.53-4 (embed)
- exim4 4.10-0.srh20.12 (embed)
- yacas <unfixed> (embed)
NOTE: <= 1.0.x; is using pcre to scan text, can execute shell commands via the syntax anyway
- gtamsanalyzer.app 0.42-5 (embed)
- tin <unknown> (embed)
- kazehakase 0.5.2-1
- webkit <unfixed> (embed)
- qt4-x11 <unfixed> (embed)
NOTE: embedded via webkit copy

tiff
- wxwindows2.4 2.2.1 (embed)

uudeview
- libconvert-uulib-perl <unfixed> (embed)
- pan <unfixed> (embed)

sqlite (not affected by security vulnerabilities so far)
- amarok <unfixed> (embed)
- monotone <unfixed> (embed)
- iceweasel <unfixed> (embed)

util-linux/mount
- loop-aes-utils <unfixed> (embed)
NOTE: contains code from util-linux' mount in the mount-aes-udeb

webmin
- usermin <unknown> (embed)
[sarge] - usermin <unfixed> (embed)

sylpheed
- sylpheed-claws <unfixed> (fork)

phpsysinfo
- egroupware <unfixed> (embed)
- phpgroupware <unfixed> (embed)

phpldapadmin
[sarge] - egroupware <unfixed> (embed)
NOTE: removed from egroupware after sarge

chmlib
- kchmviewer <unknown> (embed)

libavcodec/libavformat (source: ffmpeg)
- mplayer 1.0~rc2-14 (embed; bug #395252)
- kino 1.0.0-1
- vlc <not-affected> (Links dynamically since initial release)
- smilutils <unfixed> (static)
- motion <unfixed> (static)
- gst-ffmpeg <unfixed> (embed)
- gstreamer0.10-ffmpeg <unfixed> (embed)
- xmovie <unfixed>
TODO: gimp-gap (potentially using ffmpeg code as well)

mad MPEG decoding lib
- mad <unfixed> (embed)
- xine-lib <unfixed> (embed)

libdts
- xine-lib <unfixed> (embed)

flac
- xine-lib <unfixed> (embed)

liba52
- a52dec <unfixed> (embed)
- xine-lib <unfixed> (embed)

libmpeg2
- mpeg2dec <unfixed> (embed)
- xine-lib <unfixed> (embed)

curl
- wget <unfixed> (embed)
NOTE: code for NTLM authentication

uw-imap
- pine <unfixed> (embed)
- alpine <unfixed> (embed)

imagemagick
- graphicsmagick <unfixed> (fork)

halibut
- nsis <unfixed> (embed)

libghttp
- hotway <unfixed> (embed)

libsndfile
- ardour <unfixed> (embed)

glibmm2.4
- ardour <unfixed> (embed)

libgnomecanvasmm2.6
- ardour <unfixed> (embed)

libsigc++-2.0
- ardour <unfixed> (embed)

soundtouch
- ardour <unfixed> (embed)

libmms
- xine-lib <unfixed> (embed)
- mimms <unfixed> (embed)

fckeditor
- knowledgeroot 0.9.8.5-3 (embed; bug #461555)
- moin <unfixed> (embed; bug #452599)
- karrigell <unfixed> (embed; bug #452598)
- gforge-plugins-extra 4.6.99+svn6225-1 (embed)

ipatlas (not packaged in Debian)
- moodle <unfixed> (embed)

libphp-phpmailer
- moodle <unfixed> (embed)

htmlArea (not packaged in Debian)
- moodle <unfixed> (embed)

giflib:
- wine <unfixed> (embed; bug #466181)

bennu (not packaged in Debian)
- moodle <unfixed> (embed)

smarty:
- moodle <unfixed> (embed; bug #471158)
- gallery2 <unfixed> (embed; bug #471160)
- mahara 0.9.2-2 (embed; bug #471201)
- gosa 2.4beta1-1 (embed; bug #471200)

TinyMCE
- wordpress <unfixed> (embed; bug #478257)
- moodle <unfixed> (embed)
- knowledgeroot <unfixed> (embed)
- joomla <itp> (bug #326398)

scintilla
- scite <unfixed> (embed)
- qscintilla <unfixed> (embed)
- qscintilla2 <unfixed> (embed)
- geany <unfixed> (embed)

libphp-adodb
- moodle <unfixed> (embed)
NOTE: also AdoDB-XML Schema
- gallery2 <unfixed> (embed)
- phppgadmin <unfixed> (embed)
- egroupware <unfixed> (embed)
- phpwiki <unfixed> (embed)
- ipplan <unfixed> (embed)
- typo3 <unfixed> (embed)
- moodle <unfixed> (embed)
- cacti <unknown> (embed)
[sarge] - cacti <unfixed> (embed)
NOTE: dependency exists, but internal version is used

gzip
- linux-kernel <unfixed> (embed)
NOTE: lib/inflate.c
- klibc <unfixed> (embed)
NOTE: based on linux-kernel gzip code
- busybox <unfixed> (embed)

neon
- cadaver <unfixed> (embed; bug #188381)
- gnome-vfs2 <unfixed> (embed; bug #395874)
- litmus <unfixed> (embed; #395875)
[sarge] - screem <unfixed> (embed)
- sitecopy <unfixed> (embed; bug #395876)
[etch] - tla <unfixed> (embed; bug #395877)
[sarge] - tla <unfixed> (embed; bug #395877)

libmodplug
- gst-plugins-bad0.10 <unfixed> (embed)

libvncserver
- vino <unfixed> (embed)

putty
- filezilla <unfixed> (embed)

tinyxml (not packaged in Debian)
- filezilla <unfixed>

gv
- evince <unfixed> (embed)
NOTE: ps/ tree from gv 3.5.8
- evince-gtk <unfixed> (embed)
NOTE: not packaged in Debian

libXbae
[etch] - libpawlib2-lesstif <unfixed> (embed)
NOTE: from Cernlib

libXaw
[etch] - libpawlib2-lesstif
NOTE: from Cernlib
NOTE: I plan to deal with the above two cases after Etch release. -- KevinMcCarty

libgd2
- graphviz <unfixed> (embed)
NOTE: lib/gd seems to be 2.0.33
- wml <unfixed> (embed)
NOTE: derived from gd 1.6.3

rar
- unrar-nonfree <unfixed> (embed)

unrar-free (maybe this code is derived from the original rar, too?)
- clamav <unfixed> (embed)
NOTE: seems to be disabled in default config

mplayer (DirectMedia Object loader)
- xine-lib <unfixed> (embed)
NOTE: src/libw32dll/
- vlc <unfixed> (embed)
NOTE: modules/codec/dmo/

libwpd (WordPerfect converter)
- openoffice.org <unfixed> (embed)

fsplib (http://sourceforge.net/projects/fsp/)
- gftp <unfixed> (embed)
NOTE: lib/fsplib version 0.3

sprng
- tree-puzzle <unfixed> (embed)

librpcsecgss
- krb5 <unfixed> (embed)

jasper
- ghostscript <unfixed> (embed)
- gs-gpl <unfixed> (embed)

libidn
- monotone <unfixed> (embed)

liblua
- monotone <unfixed> (embed)

libbotan
- monotone <unfixed> (embed)

NetXX
- monotone <unfixed> (embed)

libgc
- mono <unfixed> (embed)

lzma
- p7zip <unfixed> (embed)

lzo
- grub2 <unfixed> (embed)

yassl
- mysql-dfsg-5.0 <unfixed> (embed)

pax code
- tar <unfixed> (embed)
- cpio <unfixed> (embed)

t1lib
- tetex-bin 2.0.2-1 (embed)
- texlive-bin <unknown> (embed)

guichan
- boswars <unfixed> (embed)
NOTE: maintainer notified us, working on it

tolua
- boswars <unfixed> (embed)
NOTE: maintainer notified us, working on it

asio-dev
- luxrender <unfixed> (embed)
NOTE: maintainer notified us, working on it
NOTE: may be merged with boost "soon"

xine-lib
- vlc <unfixed> (embed)
NOTE: only parts included in modules/access/rtsp

netpbm
- tcl8.3 <unfixed> (embed)
- tcl8.4 <unfixed> (embed)
- tcl8.5 <unfixed> (embed)
NOTE: generic/tkImgGIF.c

tk8.5
- tk8.0 <removed> (old-version)
- tk8.3 <unfixed> (old-version)
- tk8.4 <unfixed> (old-version)
- perl-tk <unfixable> (fork)

samba
- mc <unfixed> (embed)
NOTE: maintainer is aware of this, currently searching a solution

plib1.8.4c2
- boson <unfixed> (fork)
NOTE: embedding the font pieces of plib, based on the header file it is forked, contains "Added by AB for boson." and similar

fribidi
- quesoglc <unfixed> (embed)

glew
- quesoglc <unfixed> (embed)

minorGems
- transcend <unfixed> (embed)
- cultivation <unfixed> (embed)

tar
- libarchive <unfixed> (embed)
NOTE: FreeBSD tar (tar/bsdtar.c) in libarchive 1.2 and higher. libarchive ends up statically linked into bsdtar executable

cpio
- libarchive <unfixed> (embed)
NOTE: cpio included in libarchive 2.2 and higher, but not compiled until libarchive 2.4.11-1 (as bsdcpio package)

webkit
- qt4-x11 <unfixed> (embed)

ftgl
- blender 2.46+dfsg-1 (embed)

wv
- abiword <unfixed>

qemu
- kvm <unfixed> (embed)

bochs
- kvm <unfixed> (embed; bug #489442)

speex
- vorbis-tools <unfixed> (embed)
NOTE: while compiled against libspeex-dev, ogg123/speex_format.c is compiled with embedded code copied from speexdec.c
- gst-plugins-good0.10 <unfixed> (embed)
- xine-lib <unfixed> (embed)
- libfishsound <unfixed> (embed)
- libannodex <unfixed> (embed)
- vlc <unfixed> (embed)
- xmms-speex <unfixed> (embed)
- libsdl-sound1.2 <unfixed> (embed)
- sweep <unfixed> (embed)

libreadline
- magic <unfixed> (old-version)
NOTE: magic is currently an RFS

opcode
- ode <unfixed> (embed)
NOTE: opcode is not a package in debian, it is just embedded
NOTE: http://www.codercorner.com/Opcode.htm

gimpact
- ode <unfixed> (embed)
NOTE: gimpact is not a package in debian, it is just embedded
NOTE: http://gimpact.sf.net

MochiKit.js
- mahara <unfixed> (embed)
- ntop <unfixed> (embed)
- python-coherence <unfixed> (embed)
- python-paste <unfixed> (embed)
- python-turbogears <unfixed> (embed)
- zope-plone3 <unfixed> (embed)

prototype.js
- netbeans-ide <unfixed> (embed)
- auth2db-frontend <unfixed> (embed)
- citadel-webcit <unfixed> (embed)
- asterisk <unfixed> (embed)
- doc-iana <unfixed> (embed)
- libaws-doc <unfixed> (embed)
- libgettext-ruby-data <unfixed> (embed)
- libjson-ruby-doc <unfixed> (embed)
- liblucene2-java-doc <unfixed> (embed)
- libopenid-ruby <unfixed> (embed)
- solr-common <unfixed> (embed)
- glpi <unfixed> (embed)
- hobbix <unfixed> (embed)
- mnemo2 <unfixed> (embed)
- nag2 <unfixed> (embed)
- libjs-prototype <unfixed> (embed)
- libjs-scriptaculous <unfixed> (embed)
- knowledgeroot <unfixed> (embed)
- mediatomb-common <unfixed> (embed)
- mt-daapd <unfixed> (embed)
- op-panel <unfixed> (embed)
- ebug-http <unfixed> (embed)
- phpgedview <removed> (embed)
- poker-web <unfixed> (embed)
- python-webhelpers <unfixed> (embed)
- qwik <unfixed> (embed)
- rails <unfixed> (embed)
- typo3-src-4.1 <unfixed> (embed)
- wordpress <unfixed> (embed)
- zope-plone3 <unfixed> (embed)
- smokeping <unfixed> (embed)

gdb
- insight <unfixed> (embed)
