| 1 |
|
Embedded code copies |
| 2 |
|
==================== |
| 3 |
|
|
| 4 |
This file collects cases, where a source package embeds code from |
This file collects cases, where a source package embeds code from |
| 5 |
other projects, without linking dynamically: |
other projects which is considered bad for fixing security flaws |
| 6 |
|
because the fix needs to be applied in multiple source packages. |
| 7 |
|
|
| 8 |
xpdf code: (some use xpdf 2, some xpdf 3) |
Format: |
| 9 |
gpdf (will be replaced by evince in Gnome 2.12) |
<srcpkg> (<optional comment about srcpkg>) |
| 10 |
pdftohtml (current poppler source package has a ported version, pinged maintainer) |
- <embedding srcpkg> <status> (<sort>; bug #<number>) |
| 11 |
kdegraphics/kpdf (upstream is working on using poppler, probably not in time for Etch) |
NOTE: optional comments about the linkage of the embedding srcpkg |
| 12 |
tetex-bin (links to poppler since 3.0-12) |
|
| 13 |
cupsys (only older releases, recent ones use xpdf-utils, it's still present in the src, though) |
status: version number fixing the embedded copy, <unfixed>, <removed> or <unknown> if the version number can not be determined |
| 14 |
poppler |
sort: static (linking statically against a lib), embed (embedding a copy of the library into another source package) |
| 15 |
koffice (upstream is working on using poppler, probably not in time for Etch) |
|
| 16 |
libextractor (uses internal pdf decoder since 0.5.12-1) |
xpdf (some srcpkgs use xpdf2 code, some xpdf3 code) |
| 17 |
pdfkit.framework (links to poppler since 0.8-4) |
- gpdf <removed> |
| 18 |
|
[sarge] - gpdf <unfixed> |
| 19 |
|
NOTE: has been replaced by evince in etch |
| 20 |
|
- pdftohtml <unknown> |
| 21 |
|
[sarge] - pdftohtml <unfixed> |
| 22 |
|
[etch] - pdftohtml <unfixed> |
| 23 |
|
NOTE: has been replaced by poppler-utils |
| 24 |
|
- kdegraphics <unfixed> (embed; bug #436164) |
| 25 |
|
NOTE: the kpdf replacement in KDE 4 is using poppler |
| 26 |
|
- tetex-bin 3.0-12 (embed) |
| 27 |
|
NOTE: links to poppler |
| 28 |
|
- texlive-bin <unknown> (embed) |
| 29 |
|
NOTE: links to poppler |
| 30 |
|
- koffice <unfixed> (embed; bug #436163) |
| 31 |
|
- libextractor 0.5.12-1 (embed) |
| 32 |
|
NOTE: libextractor is using its own pdf decoder |
| 33 |
|
- libextractor 0.5.12-1 (embed) |
| 34 |
|
NOTE: links to poppler |
| 35 |
|
- pdfkit.framework 0.8-4 (embed) |
| 36 |
|
NOTE: links to poppler |
| 37 |
|
- ipe <unfixed> (embed) |
| 38 |
|
NOTE: embeds small parts with renamed source files: ipestdfonts.cpp, ipefonts.cpp, ipedct.cpp |
| 39 |
|
- ruby-gnome2 <unknown> (embed) |
| 40 |
|
NOTE: copy only present in source but links to poppler |
| 41 |
|
|
| 42 |
|
silc-toolkit: |
| 43 |
|
- silc-client 1.1~beta6-1 (embed) |
| 44 |
|
|
| 45 |
|
dietlibc: |
| 46 |
|
- ccontrol 0.9.1+20071204-1 (static) |
| 47 |
|
|
| 48 |
|
libiax: |
| 49 |
|
- iaxmodem <unfixed> (embed) |
| 50 |
|
|
| 51 |
zlib code: (lots of apps embed a copy, but link dynamically, but there are a few exceptions) |
zlib code: (lots of apps embed a copy, but link dynamically, but there are a few exceptions) |
| 52 |
dpkg |
dpkg |
| 53 |
rsync (somehow derived code base) |
rsync (somehow derived code base) |
| 54 |
|
mono |
| 55 |
mozilla(?) |
mozilla(?) |
| 56 |
Linux kernels |
Linux kernels |
| 57 |
pvpgn (links dynamically since 1.7.8-2) |
pvpgn (links dynamically since 1.7.8-2) |
| 58 |
mrtg (links dynamically since 2.12.2-1) |
mrtg (links dynamically since 2.12.2-1) |
| 59 |
|
rpm |
| 60 |
|
|
| 61 |
|
libbz2: |
| 62 |
|
dpkg (statically linked) |
| 63 |
|
|
| 64 |
libgadu/ekg: |
libgadu/ekg: |
| 65 |
centericq |
centericq |
| 66 |
gaim |
gaim |
| 67 |
|
pigdin (links dynamically against libgadu) |
| 68 |
kopete (ships the code, but links dynamically in the Debian package) |
kopete (ships the code, but links dynamically in the Debian package) |
| 69 |
kadu (not packaged in Debian) |
kadu (not packaged in Debian) |
| 70 |
GNU gadu (not yet packaged in Debian) |
GNU gadu (not yet packaged in Debian) |
| 71 |
|
|
|
|
|
| 72 |
xmlrpc: (which package is the "origin" of this code?) |
xmlrpc: (which package is the "origin" of this code?) |
| 73 |
drupal |
drupal |
| 74 |
phpgroupware |
phpgroupware |
| 75 |
egroupware |
egroupware |
| 76 |
phpwiki |
phpwiki |
| 77 |
php4 (php-pear, IIRC this was reorganized some weeks ago?) |
php4 (php-pear, IIRC this was reorganized some weeks ago?) |
|
tikiwiki (not packaged in Debian) |
|
|
|
|
| 78 |
|
|
| 79 |
shtool: (affects build-time only) |
shtool: (affects build-time only) |
| 80 |
mysql-ocaml |
mysql-ocaml |
| 81 |
php4 |
php4 |
| 82 |
|
|
|
|
|
| 83 |
mozilla: |
mozilla: |
| 84 |
mozilla-firefox |
mozilla-firefox |
| 85 |
mozilla-thunderbird |
mozilla-thunderbird |
| 86 |
nvu |
firefox (to be removed) |
| 87 |
|
thunderbird (to be removed) |
| 88 |
|
iceweasel |
| 89 |
|
iceape |
| 90 |
|
icedove |
| 91 |
|
xulrunner |
| 92 |
|
nvu (no longer in Debian) |
| 93 |
|
|
| 94 |
xli: |
xli: |
| 95 |
xloadimage |
xloadimage |
| 96 |
|
|
|
|
|
| 97 |
lesstif: (beware: two different lesstif APIs supported in one package, MOTIF 1.2 discarded upstream) |
lesstif: (beware: two different lesstif APIs supported in one package, MOTIF 1.2 discarded upstream) |
| 98 |
openmotif |
openmotif |
| 99 |
xfree86/xorg (in libxpm) |
xfree86/xorg (in libxpm) |
| 100 |
|
|
|
|
|
| 101 |
kerberized apps with BSD origin: |
kerberized apps with BSD origin: |
| 102 |
krb4 |
krb4 |
| 103 |
krb5 |
krb5 |
| 104 |
heimdal |
heimdal |
| 105 |
|
|
|
|
|
| 106 |
grip: (which pkg is the origin?) |
grip: (which pkg is the origin?) |
| 107 |
libcdaudio |
libcdaudio |
| 108 |
grip |
grip |
| 109 |
gnome-vfs (vfs2 as well?) |
gnome-vfs (vfs2 as well?) |
| 110 |
|
|
|
|
|
| 111 |
fudforum: |
fudforum: |
| 112 |
phpgroupware-fudforum |
phpgroupware-fudforum |
| 113 |
egroupware-fudforum |
egroupware-fudforum (removed from egroupware after sarge) |
| 114 |
|
|
| 115 |
cvs: |
cvs: |
| 116 |
gcvs (at least an additional script is included, check if there's more) |
gcvs (at least an additional script is included, check if there's more) |
| 120 |
php4 (src included, but Debian package links dynamically) |
php4 (src included, but Debian package links dynamically) |
| 121 |
analog (src included, but Debian package links dynamically) |
analog (src included, but Debian package links dynamically) |
| 122 |
libgoffice-1 |
libgoffice-1 |
| 123 |
|
vfu (removed linking against embedded copy in 4.06-4.1; #450754) |
| 124 |
tf5 (since 5.0beta7 the Debian package links dynamically) |
tf5 (since 5.0beta7 the Debian package links dynamically) |
| 125 |
|
monotone (including this starting from 0.37) |
| 126 |
|
glib (2.14 series for gregex support, only for udeb, regular packag links dynamic) |
| 127 |
|
apache2 (since 2.0.53-4 uses 040_link_external_pcre patch) |
| 128 |
|
exim4 (since 4.10-0.srh20.12 uses 36_pcre patch to use external pcre) |
| 129 |
|
yacas (<= 1.0.x; is using pcre to scan text, can execute shell commands via the syntax anyway) |
| 130 |
|
gtamsanalyzer.app (links dynamically since 0.42-5) |
| 131 |
|
|
| 132 |
tiff: |
tiff: |
| 133 |
wxpythongtk (check, which debian pkg this is in) |
wxpythongtk (check, which debian pkg this is in) |
| 134 |
older kdegraphics/kpdf releases < 3.3 embedded a copy |
older kdegraphics/kpdf releases < 3.3 embedded a copy |
| 135 |
|
|
|
|
|
| 136 |
uudeview: |
uudeview: |
| 137 |
libconvert-uulib-perl |
libconvert-uulib-perl |
| 138 |
|
|
| 139 |
sqlite: (not affected by security vulnerabilities so far) |
sqlite: (not affected by security vulnerabilities so far) |
| 140 |
amarok |
amarok |
| 141 |
|
monotone |
| 142 |
|
iceweasel |
| 143 |
|
|
| 144 |
util-linux/mount: |
util-linux/mount: |
| 145 |
loop-aes-utils contains code from util-linux' mount in the mount-aes-udeb |
loop-aes-utils contains code from util-linux' mount in the mount-aes-udeb |
| 146 |
|
|
| 147 |
webmin: |
webmin: |
| 148 |
usermin |
usermin (only in sarge) |
| 149 |
|
|
| 150 |
sylpheed: |
sylpheed: |
| 151 |
sylpheed-claws |
sylpheed-claws |
| 155 |
phpgroupware |
phpgroupware |
| 156 |
|
|
| 157 |
phpldapadmin: |
phpldapadmin: |
| 158 |
egroupware |
egroupware (removed from egroupware after sarge) |
| 159 |
|
|
| 160 |
chmlib: |
chmlib: |
| 161 |
kchmviewer (not packaged in Debian) |
kchmviewer (ships the code but links dynamically) |
| 162 |
|
|
| 163 |
libavcodec/libavformat: |
libavcodec/libavformat (source: ffmpeg): |
| 164 |
ffmpeg |
mplayer (#395252) |
| 165 |
xine-lib |
xvidcap |
|
xvidcap (currently in NEW) |
|
| 166 |
kino (links statically, does not include code) |
kino (links statically, does not include code) |
| 167 |
vlc (links statically, does not include code) |
vlc (links statically, does not include code) |
| 168 |
smilutils (links statically, does not include code) |
smilutils (links statically, does not include code) |
| 169 |
motion (links statically, does not include code) |
motion (links statically, does not include code) |
| 170 |
gst-ffmpeg |
gst-ffmpeg |
| 171 |
xmovie (currently in NEW) |
gstreamer0.10-ffmpeg |
| 172 |
gst-ffmpeg |
xmovie |
| 173 |
|
|
| 174 |
mad MPEG decoding lib: |
mad MPEG decoding lib: |
| 175 |
mad |
mad |
| 199 |
|
|
| 200 |
uw-imap: |
uw-imap: |
| 201 |
pine |
pine |
| 202 |
|
alpine |
| 203 |
|
|
| 204 |
imagemagick: |
imagemagick: |
| 205 |
graphicsmagick |
graphicsmagick |
| 210 |
libghttp: |
libghttp: |
| 211 |
hotway |
hotway |
| 212 |
|
|
| 213 |
etl-dev (will be renamed to libetl-dev soon): |
libsndfile: |
| 214 |
synfig |
ardour |
| 215 |
|
|
| 216 |
|
glibmm2.4: |
| 217 |
|
ardour |
| 218 |
|
|
| 219 |
|
libgnomecanvasmm2.6: |
| 220 |
|
ardour |
| 221 |
|
|
| 222 |
|
libsigc++-2.0: |
| 223 |
|
ardour |
| 224 |
|
|
| 225 |
|
soundtouch: |
| 226 |
|
ardour |
| 227 |
|
|
| 228 |
libmms: |
libmms: |
| 229 |
xine-lib |
xine-lib |
| 230 |
mimms |
mimms |
| 231 |
|
|
| 232 |
FCKeditor: |
FCKeditor: (packaged as fckeditor) |
| 233 |
knowledgeroot |
knowledgeroot |
| 234 |
|
moin (452599) |
| 235 |
|
karrigell (452598) |
| 236 |
|
gforge-plugins-extra (fixed since 4.6.99+svn6225-1) |
| 237 |
|
|
| 238 |
|
|
| 239 |
|
|
| 240 |
|
Moodle contains lots of things: |
| 241 |
|
AdoDB |
| 242 |
|
AdoDB-XML Schema |
| 243 |
|
ipatlas |
| 244 |
|
PHPMailer |
| 245 |
|
Smarty |
| 246 |
|
htmlArea |
| 247 |
|
TinyMCE |
| 248 |
|
bennu |
| 249 |
|
|
| 250 |
TinyMCE: |
TinyMCE: |
| 251 |
wordpress |
wordpress |
| 256 |
scintilla: |
scintilla: |
| 257 |
scite |
scite |
| 258 |
qscintilla |
qscintilla |
| 259 |
|
qscintilla2 |
| 260 |
geany |
geany |
| 261 |
|
|
| 262 |
libphp-adodb: |
libphp-adodb: |
| 264 |
phppgadmin |
phppgadmin |
| 265 |
egroupware |
egroupware |
| 266 |
phpwiki |
phpwiki |
| 267 |
|
ipplan |
| 268 |
|
typo3 |
| 269 |
moodle |
moodle |
| 270 |
cacti (dependency exists, but internal version is used -- only in sarge, fixed in etch) |
cacti (dependency exists, but internal version is used -- only in sarge, fixed in etch) |
| 271 |
|
|
| 274 |
klibc (based on linux-kernel gzip code) |
klibc (based on linux-kernel gzip code) |
| 275 |
busybox |
busybox |
| 276 |
|
|
| 277 |
|
neon: |
| 278 |
|
cadaver (all, but being worked on: #188381) |
| 279 |
|
gnome-vfs2 (#395874) |
| 280 |
|
litmus (#395875) |
| 281 |
|
screem (sarge only) |
| 282 |
|
sitecopy (#395876) |
| 283 |
|
tla (etch/sid only: #395877) |
| 284 |
|
|
| 285 |
|
libmodplug: |
| 286 |
|
gst-plugins-bad0.10 |
| 287 |
|
|
| 288 |
|
libvncserver: |
| 289 |
|
vino |
| 290 |
|
|
| 291 |
|
putty: |
| 292 |
|
filezilla |
| 293 |
|
|
| 294 |
|
tinyxml (not packaged in Debian): |
| 295 |
|
filezilla |
| 296 |
|
|
| 297 |
|
gv: |
| 298 |
|
evince (ps/ tree from gv 3.5.8) |
| 299 |
|
evince-gtk (not packaged in Debian) |
| 300 |
|
|
| 301 |
|
libXbae: |
| 302 |
|
libpawlib2-lesstif package (from Cernlib) |
| 303 |
|
|
| 304 |
|
libXaw: |
| 305 |
|
libpawlib2-lesstif package (from Cernlib) |
| 306 |
|
|
| 307 |
|
(I plan to deal with the above two cases after Etch release. -- KevinMcCarty) |
| 308 |
|
|
| 309 |
|
libgd2: |
| 310 |
|
graphviz (lib/gd seems to be 2.0.33) |
| 311 |
|
|
| 312 |
|
rar: |
| 313 |
|
unrar-nonfree |
| 314 |
|
|
| 315 |
|
unrar-free: (maybe this code is derived from the original rar, too?) |
| 316 |
|
clamav (seems to be disabled in default config) |
| 317 |
|
|
| 318 |
|
mplayer (DirectMedia Object loader): |
| 319 |
|
xine-lib (src/libw32dll/) |
| 320 |
|
vlc (modules/codec/dmo/) |
| 321 |
|
|
| 322 |
|
libwpd (WordPerfect converter): |
| 323 |
|
openoffice.org |
| 324 |
|
|
| 325 |
|
fsplib (http://sourceforge.net/projects/fsp/): |
| 326 |
|
gftp (lib/fsplib version 0.3) |
| 327 |
|
|
| 328 |
|
librpcsecgss: |
| 329 |
|
krb5 |
| 330 |
|
|
| 331 |
|
jasper: |
| 332 |
|
ghostscript |
| 333 |
|
gs-gpl |
| 334 |
|
|
| 335 |
|
libidn: |
| 336 |
|
monotone |
| 337 |
|
|
| 338 |
|
liblua: |
| 339 |
|
monotone |
| 340 |
|
|
| 341 |
|
libbotan: |
| 342 |
|
montone |
| 343 |
|
|
| 344 |
|
NetXX: |
| 345 |
|
monotone |
| 346 |
|
|
| 347 |
|
libgc: |
| 348 |
|
mono |
| 349 |
|
|
| 350 |
|
lzma: |
| 351 |
|
p7zip |
| 352 |
|
|
| 353 |
|
lzo: |
| 354 |
|
grub2 |
| 355 |
|
|
| 356 |
|
pax code: |
| 357 |
|
tar |
| 358 |
|
cpio |
| 359 |
|
|
| 360 |
|
t1lib: |
| 361 |
|
tetex-bin (links to system t1lib since 2.0.2) |
| 362 |
|
texlive-bin (links to system t1lib) |
| 363 |
|
|
Parent Directory
| 
Revision Log
| 
Patch