/[secure-testing]/data/embedded-code-copies

Diff of /data/embedded-code-copies

Parent Directory | Revision Log | View Patch Patch

-revision 7924 by stef-guest,
Mon Jan 14 23:05:37 2008 UTC
+revision 10237 by white,
Sun Nov  2 11:11:40 2008 UTC
 Line 1
  Embedded code copies
  ====================
- This file collects cases, where a source package embeds code from
+ This file collects source packages that embed code from other projects.
- other projects which is considered bad for fixing security flaws
+ This is considered bad for fixing security flaws because the fix needs
- because the fix needs to be applied in multiple source packages.
+ to be applied in multiple source packages.
  Format:
  <srcpkg> (<optional comment about srcpkg>)
          - <embedding srcpkg> <status> (<sort>; bug #<number>)
          NOTE: optional comments about the linkage of the embedding srcpkg
- status: version number fixing the embedded copy, <unfixed>, <removed>, <itp> or <unknown> if the version number can not be determined
+ status: version number fixing the embedded copy, <unfixed>, <removed>,
+         <itp> or <unknown> if the version number can not be determined
+         <unfixable> for unavoidable cases (e.g., forks that add real value)
  sort: static (linking statically against a lib)
        embed (embedding a copy of the library into another source package)
-       fork (the package is not just embedding code but it is a fork and thus might share parts of the source code)
+       fork (the package is not just embedding code but it is a fork and
+             thus might share parts of the source code)
+       old-version (the package is an older version of essentially
+                    the same code)
- The srcpkg might be some string to identify the code if there is no specific source package.
+ The srcpkg might be some string to identify the code if there is no
+ specific source package.
- Everything up to the next line is ignored
+ Everything up to the next line is ignored.
  ---BEGIN
  xpdf (some srcpkgs use xpdf2 code, some xpdf3 code)
          NOTE: Fixed packages link to poppler library unless otherwise noted
-Line 30 
 xpdf (some srcpkgs use xpdf2 code, some
+Line 36 
 xpdf (some srcpkgs use xpdf2 code, some
          NOTE: has been replaced by poppler-utils
          - kdegraphics <unfixed> (embed; bug #436164)
          NOTE: the kpdf replacement in KDE 4 is using poppler
-         - tetex-bin 3.0-12 (embed)
+         - texlive-base 3.0-12 (embed)
          - texlive-bin 2007-1 (embed)
          NOTE: links to poppler
          - koffice <unfixed> (embed; bug #436163)
-Line 46 
 xpdf (some srcpkgs use xpdf2 code, some
+Line 52 
 xpdf (some srcpkgs use xpdf2 code, some
  ppmd
          - libcomplearn-mod-ppmd <unfixed> (embed; bug #458152)
+ peercast
+         - gnome-peercast <unfixed> (embed)
+         NOTE: gnome-peercast may better be removed, see #466539
  silc-toolkit
          - silc-client 1.1~beta6-1 (embed)
-Line 142 
 pcre
+Line 152 
 pcre
          - tf5 5.0beta7-1 (embed)
          - monotone <unfixed> (embed)
          NOTE: this only affects versions >= 0.37
-         - glib <unfixed> (embed)
+         - glib2.0 2.15.2-1 (embed)
-         NOTE: 2.14 series for gregex support, only for udeb, regular packag links dynamic
          - apache2 2.0.53-4 (embed)
          - exim4 4.10-0.srh20.12 (embed)
          - yacas <unfixed> (embed)
          NOTE: <= 1.0.x; is using pcre to scan text, can execute shell commands via the syntax anyway
          - gtamsanalyzer.app 0.42-5 (embed)
+         - tin <unknown> (embed)
+         - kazehakase 0.5.2-1
+         - webkit <unfixed> (embed)
+         - qt4-x11 <unfixed> (embed)
+         NOTE: embedded via webkit copy
  tiff
-         - wxpythongtk <unfixed> (embed)
+         - wxwindows2.4 2.2.1 (embed)
-         TODO: check, which debian pkg this is in
  uudeview
          - libconvert-uulib-perl <unfixed> (embed)
+         - pan <unfixed> (embed)
  sqlite (not affected by security vulnerabilities so far)
          - amarok <unfixed> (embed)
-Line 185 
 chmlib
+Line 199 
 chmlib
          - kchmviewer <unknown> (embed)
  libavcodec/libavformat (source: ffmpeg)
-         - mplayer <unfixed> (embed; bug #395252)
+         - mplayer 1.0~rc2-14 (embed; bug #395252)
-         - xvidcap <unfixed> (embed)
+         - kino 1.0.0-1
-         - kino <unfixed> (static)
+         - vlc <not-affected> (Links dynamically since initial release)
-         - vlc <unfixed> (static)
+         - smilutils 0.3.0-10
-         - smilutils <unfixed> (static)
+         NOTE: smilutils likely fixed earlier, marking Etch's version as fixed
-         - motion <unfixed> (static)
+         - motion 3.1.19-1
-         - gst-ffmpeg <unfixed> (embed)
+         - gstreamer0.10-ffmpeg 0.10.3-2
-         - gstreamer0.10-ffmpeg <unfixed> (embed)
          - xmovie <unfixed>
          TODO: gimp-gap (potentially using ffmpeg code as well)
-Line 225 
 uw-imap
+Line 238 
 uw-imap
  imagemagick
          - graphicsmagick <unfixed> (fork)
+ libphp-snoopy
+         - ampache <unfixed> (embed)
+         - mahara <unfixed> (embed)
+         - pixelpost <unfixed> (embed)
  halibut
          - nsis <unfixed> (embed)
-Line 251 
 libmms
+Line 269 
 libmms
          - mimms <unfixed> (embed)
  fckeditor
-         - knowledgeroot <unfixed> (embed)
+         - knowledgeroot 0.9.8.5-3 (embed; bug #461555)
          - moin <unfixed> (embed; bug #452599)
-         - karrigell <unfixed> (embed; bug #452598)
+         - karrigell <removed> (embed; bug #452598)
          - gforge-plugins-extra 4.6.99+svn6225-1 (embed)
  ipatlas (not packaged in Debian)
-Line 261 
 ipatlas (not packaged in Debian)
+Line 279 
 ipatlas (not packaged in Debian)
  libphp-phpmailer
          - moodle <unfixed> (embed)
+         - mahara <unfixed> (embed)
+         - symfony <unfixed> (embed)
+         - phpgroupware-felamimail <unfixed> (embed)
  htmlArea (not packaged in Debian)
          - moodle <unfixed> (embed)
+ giflib:
+         - wine <unfixed> (embed; bug #466181)
  bennu (not packaged in Debian)
          - moodle <unfixed> (embed)
  smarty:
-         - moodle <unfixed> (embed)
+         - moodle <unfixed> (embed; bug #471158)
+         - gallery2 2.2.5-2 (embed; bug #471160)
+         - mahara 0.9.2-2 (embed; bug #471201)
+         - gosa 2.4beta1-1 (embed; bug #471200)
  TinyMCE
-         - wordpress <unfixed> (embed)
+         - wordpress 2.5.1-3 (embed; bug #478257)
          - moodle <unfixed> (embed)
          - knowledgeroot <unfixed> (embed)
          - joomla <itp> (bug #326398)
-Line 296 
 libphp-adodb
+Line 323 
 libphp-adodb
          - cacti <unknown> (embed)
          [sarge] - cacti <unfixed> (embed)
          NOTE: dependency exists, but internal version is used
+         - gforge <unfixed> (embed)
+         - mahara <unfixed> (embed)
  gzip
          - linux-kernel <unfixed> (embed)
-Line 343 
 libXaw
+Line 372 
 libXaw
  libgd2
          - graphviz <unfixed> (embed)
          NOTE: lib/gd seems to be 2.0.33
+         - wml <unfixed> (embed)
+         NOTE: derived from gd 1.6.3
  rar
          - unrar-nonfree <unfixed> (embed)
-Line 364 
 fsplib (http://sourceforge.net/projects/
+Line 395 
 fsplib (http://sourceforge.net/projects/
          - gftp <unfixed> (embed)
          NOTE: lib/fsplib version 0.3
+ sprng
+         - tree-puzzle <unfixed> (embed)
  librpcsecgss
          - krb5 <unfixed> (embed)
-Line 392 
 lzma
+Line 426 
 lzma
  lzo
          - grub2 <unfixed> (embed)
+ yassl
+         - mysql-dfsg-5.0 <unfixed> (embed)
  pax code
          - tar <unfixed> (embed)
          - cpio <unfixed> (embed)
-Line 399 
 pax code
+Line 436 
 pax code
  t1lib
          - tetex-bin 2.0.2-1 (embed)
          - texlive-bin <unknown> (embed)
+ guichan
+         - boswars <unfixed> (embed)
+         NOTE: maintainer notified us, working on it
+ tolua
+         - boswars <unfixed> (embed)
+         NOTE: maintainer notified us, working on it
+ asio-dev
+         - luxrender <unfixed> (embed)
+         NOTE: maintainer notified us, working on it
+         NOTE: may be merged with boost "soon"
+ xine-lib
+         - vlc <unfixed> (embed)
+         NOTE: only parts included in modules/access/rtsp
+ netpbm
+         - tcl8.3 <unfixed> (embed)
+         - tcl8.4 <unfixed> (embed)
+         - tcl8.5 <unfixed> (embed)
+         NOTE: generic/tkImgGIF.c
+ tk8.5
+         - tk8.0 <removed> (old-version)
+         - tk8.3 <unfixed> (old-version)
+         - tk8.4 <unfixed> (old-version)
+         - perl-tk <unfixable> (fork)
+ samba
+         - mc <unfixed> (embed)
+         NOTE: maintainer is aware of this, currently searching a solution
+ plib1.8.4c2
+         - boson <unfixed> (fork)
+         NOTE: embedding the font pieces of plib, based on the header file it is forked, contains "Added by AB for boson." and similar
+ fribidi
+         - quesoglc <unfixed> (embed)
+ glew
+         - quesoglc <unfixed> (embed)
+ minorGems
+         - transcend <unfixed> (embed)
+         - cultivation <unfixed> (embed)
+ tar
+         - libarchive <unfixed> (embed)
+         NOTE: FreeBSD tar (tar/bsdtar.c) in libarchive 1.2 and higher. libarchive ends up statically linked into bsdtar executable
+ cpio
+         - libarchive <unfixed> (embed)
+         NOTE: cpio included in libarchive 2.2 and higher, but not compiled until libarchive 2.4.11-1 (as bsdcpio package)
+ webkit
+         - qt4-x11 <unfixed> (embed)
+ ftgl
+         - blender 2.46+dfsg-1 (embed)
+ wv
+         - abiword <unfixed>
+ qemu
+         - kvm <unfixed> (embed)
+         - xen-3 <unfixed> (embed)
+         - xen-unstable <unfixed> (embed)
+ bochs
+         - kvm <unfixed> (embed; bug #489442)
+ speex
+         - vorbis-tools <unfixed> (embed)
+         NOTE: while comiled against libspeex-dev, ogg123/speex_format.c is compiled with embedded code copied from speexdec.c
+         - gst-plugins-good0.10 <unfixed> (embed)
+         - xine-lib <unfixed> (embed)
+         - libfishsound <unfixed> (embed)
+         - libannodex <unfixed> (embed)
+         - vlc <unfixed> (embed)
+         - xmms-speex <unfixed> (embed)
+         - libsdl-sound1.2 <unfixed> (embed)
+         - sweep <unfixed> (embed)
+ libreadline
+         - magic <unfixed> (old-version)
+         NOTE: magic is currently an RFS
+ opcode
+         - ode <unfixed> (embed)
+         NOTE: opcode is not a package in debian, it is just embedded
+         NOTE: http://www.codercorner.com/Opcode.htm
+ gimpact
+         - ode <unfixed> (embed)
+         NOTE: gimpact is not a package in debian, it is just embedded
+         NOTE: http://gimpact.sf.net
+ MochiKit.js
+         - mahara <unfixed> (embed)
+         NOTE: they require extra patches, still unmerged upstream
+         - ntop <unfixed> (embed)
+         - python-oherence <unfixed> (embed)
+         - python-paste <unfixed> (embed)
+         - python-turbogears <unfixed> (embed)
+         - zope-plone3 <unfixed> (embed)
+ prototype.js
+         - netbeans-ide <unfixed> (embed)
+         - auth2db-frontend <unfixed> (embed)
+         - citadel-webcit <unfixed> (embed)
+         - asterisk <unfixed> (embed)
+         - doc-iana <unfixed> (embed)
+         - libaws-doc <unfixed> (embed)
+         - libgettext-ruby-data <unfixed> (embed)
+         - libjson-ruby-doc <unfixed> (embed)
+         - liblucene2-java-doc <unfixed> (embed)
+         - libopenid-ruby <unfixed> (embed)
+         - solr-common <unfixed> (embed)
+         - glpi <unfixed> (embed)
+         - hobbix <unfixed> (embed)
+         - mnemo2 <unfixed> (embed)
+         - nag2 <unfixed> (embed)
+         - libjs-prototype <unfixed> (embed)
+         - libjs-scriptaculous <unfixed> (embed)
+         - knowledgeroot <unfixed> (embed)
+         - mediatomb-common <unfixed> (embed)
+         - mt-daapd <unfixed> (embed)
+         - op-panel <unfixed> (embed)
+         - ebug-http <unfixed> (embed)
+         - phpgedview <removed> (embed)
+         - poker-web <unfixed> (embed)
+         - python-webhelpers <unfixed> (embed)
+         - qwik <unfixed> (embed)
+         - rails <unfixed> (embed)
+         - typo3-src-4.1 <unfixed> (embed)
+         - wordpress <unfixed> (embed)
+         - zope-plone3 <unfixed> (embed)
+         - smokeping <unfixed> (embed)
+         - ampache <unfixed> (embed)
+         - exaile <unfixed> (embed)
+         - hobix <unfixed> (embed)
+         - pixelpost <unfixed> (embed)
+         - symfony <unfixed> (embed)
+         NOTE: it's been said that there are custom changes
+         - zabbix-frontend-php <unfixed> (embed)
+ gdb
+         - insight <unfixed> (embed)
+ e2fsprogs
+         - ldiskfsprogs <unfixable> (fork)
+ quazip (not packaged in Debian)
+         - qcake <unfixed> (embed)
+         NOTE: starting with upstream version 0.6.4
+ exo
+         - pcmanfm <unfixed> (embed; bug #499677)
+         NOTE: slightly modified source code
+ java
+         - openjdk-6 <unfixed>
+         - sun-java5 <unfixed>
+         - sun-java6 <unfixed>
+ libphp-snoopy
+         - ampache 3.4.1-2 (embed; bug #504169)
+         - mahara <unfixed> (embed; bug #504170)
+         - pixelpost <unfixed> (embed; bug #504171)
+         - mediamate 0.9.3.6-5 (embed; bug #504172)
+         - opendb <unfixed> (embed; bug #504173)
+         - wordpress <unfixed> (embed; bug #443948)
+         - moodle <unfixed> (embed)
+         - phpgroupware-felamimail <unfixed> (embed)
+         - magpierss 0.72-3 (embed; bug #431089)
+ jquery.js
+         - zekr <unfixed> (embed)
+ kses
+         - wordpress <unfixed> (embed; bug #504242)
+         NOTE: their copy has all methods renamed to wp_<foo>
+         - moodle <unfixed> (embed)
+         - egroupware-core <unfixed> (embed)
+ magpierss
+         - wordpress <unfixed> (embed; bug #504242)
+ php-gettext
+         - wordpress <unfixed> (embed; bug #504242)
+ libphp-ixr (name may change, it is the Incutio XML-RPC)
+         - wordpress <unfixed> (embed; bug #504242)
+         - dokuwiki <unfixed> (embed)
+         - textpattern <unfixed> (embed)

 Legend:



Removed from v.7924
 


changed lines


 
Added in v.10237
 Legend:



Removed from v.7924
 


changed lines


 
Added in v.10237
-Removed from v.7924
+Added in v.10237

	ViewVC Help
Powered by ViewVC 1.1.5