/[secure-testing]/data/embedded-code-copies

Diff of /data/embedded-code-copies


revision 6966 by nion, Sun Oct 14 23:45:12 2007 UTC revision 8085 by nion, Tue Feb 5 21:40:32 2008 UTC
# Line 1  Line 1 
1  This file collects cases, where a source package embeds code from  Embedded code copies
2  other projects, without linking dynamically:  ====================
3    
4  xpdf code: (some use xpdf 2, some xpdf 3)  This file collects source packages that embed code from other projects.
5  gpdf (has been replaced by evince - which uses poppler - in Etch)  This is considered bad for fixing security flaws because the fix needs
6  pdftohtml (has been replaced by poppler-utils from the poppler source package, still in Etch, though)  to be applied in multiple source packages.
7  kdegraphics/kpdf (okular, the kpdf replacement in KDE 4 is using poppler, #436164)  
8  tetex-bin (links to poppler since 3.0-12)  Format:
9  cupsys (uses xpdf-utils, it's still present in the src, though)  <srcpkg> (<optional comment about srcpkg>)
10  poppler          - <embedding srcpkg> <status> (<sort>; bug #<number>)
11  koffice/kword (upstream is working on using poppler, #436163)          NOTE: optional comments about the linkage of the embedding srcpkg
12  libextractor (uses internal pdf decoder since 0.5.12-1)  
13  pdfkit.framework (links to poppler since 0.8-4)  status: version number fixing the embedded copy, <unfixed>, <removed>,
14  ipe (only small parts, but with renamed source files: ipestdfonts.cpp, ipefonts.cpp, ipedct.cpp)          <itp> or <unknown> if the version number can not be determined
15    sort: static (linking statically against a lib)
16  silc-toolkit:        embed (embedding a copy of the library into another source package)
17  silc-client (uses libsilc and libsilcclient)        fork (the package is not just embedding code but it is a fork and
18                thus might share parts of the source code)
19  zlib code: (lots of apps embed a copy, but link dynamically, but there are a few exceptions)  
20  dpkg  The srcpkg might be some string to identify the code if there is no
21  rsync (somehow derived code base)  specific source package.
22  mozilla(?)  
23  Linux kernels  Everything up to the next line is ignored.
24  pvpgn (links dynamically since 1.7.8-2)  ---BEGIN
25  mrtg (links dynamically since 2.12.2-1)  xpdf (some srcpkgs use xpdf2 code, some xpdf3 code)
26  rpm          NOTE: Fixed packages link to poppler library unless otherwise noted
27            - gpdf <removed>
28  libbz2:          [sarge] - gpdf <unfixed>
29  dpkg (statically linked)          NOTE: has been replaced by evince in etch
30            - pdftohtml <unknown>
31  libgadu/ekg:          [sarge] - pdftohtml <unfixed>
32  centericq          [etch] - pdftohtml <unfixed>
33  gaim          NOTE: has been replaced by poppler-utils
34  kopete (ships the code, but links dynamically in the Debian package)          - kdegraphics <unfixed> (embed; bug #436164)
35  kadu (not packaged in Debian)          NOTE: the kpdf replacement in KDE 4 is using poppler
36  GNU gadu (not yet packaged in Debian)          - tetex-bin 3.0-12 (embed)
37            - texlive-bin 2007-1 (embed)
38  xmlrpc: (which package is the "origin" of this code?)          NOTE: links to poppler
39  drupal          - koffice <unfixed> (embed; bug #436163)
40  phpgroupware          - libextractor 0.5.12-1 (embed)
41  egroupware          NOTE: libextractor is using its own pdf decoder now
42  phpwiki          - libextractor 0.5.12-1 (embed)
43  php4 (php-pear, IIRC this was reorganized some weeks ago?)          - pdfkit.framework 0.8-4 (embed)
44  tikiwiki          - ipe <unfixed> (embed)
45            NOTE: embeds small parts with renamed source files: ipestdfonts.cpp, ipefonts.cpp, ipedct.cpp
46  shtool: (affects build-time only)          - ruby-gnome2 <unknown> (embed)
47  mysql-ocaml          NOTE: copy only present in source but links to poppler
48  php4  
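Review bot: the xpdf stanza lists "- libextractor 0.5.12-1 (embed)" twice, at new lines 40 and 42, with the NOTE about its own pdf decoder between them. Drop the second copy so that anything counting entries per embedded library does not see two separate libextractor embeddings. That NOTE also means libextractor is an exception to the stanza-level NOTE at line 26 ("Fixed packages link to poppler library unless otherwise noted"), so it is worth keeping directly under the single remaining entry.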
49    ppmd
50  mozilla:          - libcomplearn-mod-ppmd <unfixed> (embed; bug #458152)
51  mozilla-firefox  
52  mozilla-thunderbird  silc-toolkit
53  firefox (to be removed)          - silc-client 1.1~beta6-1 (embed)
54  thunderbird (to be removed)  
55  iceweasel  dietlibc
56  iceape          - ccontrol 0.9.1+20071204-1 (static)
57  icedove  
58  xulrunner  libiax
59  nvu (no longer in Debian)          - iaxmodem <unfixed> (embed)
60    
61  xli:  zlib (lots of apps embed a copy, but link dynamically, but there are a few exceptions)
62  xloadimage          - dpkg <unfixed> (embed)
63            NOTE: see 18196.48620.491996.624772@davenant.relativity.greenend.org.uk on debian-devel for discussion
64  lesstif: (beware: two different lesstif APIs supported in one package, MOTIF 1.2 discarded upstream)          - rsync <unfixed> (embed)
65  openmotif          NOTE: somehow derived code base
66  xfree86/xorg (in libxpm)          - mono <unfixed> (embed)
67            TODO: check mozilla
68  kerberized apps with BSD origin:          - Linux kernels <unfixed> (embed)
69  krb4          - pvpgn 1.7.8-2 (embed)
70  krb5          - mrtg 2.12.2-1 (embed)
71  heimdal          - rpm <unknown> (embed)
72            NOTE: pinged anibal since when rpm was fixed
73  grip: (which pkg is the origin?)  
74  libcdaudio  libbz2
75  grip          - dpkg <unfixed> (static)
76  gnome-vfs (vfs2 as well?)  
77    ekg
78  fudforum:          - centericq <unfixed> (embed)
79  phpgroupware-fudforum          - gaim <unfixed> (embed)
80  egroupware-fudforum (removed from egroupware after sarge)          - pigdin <unfixed> (embed)(links dynamically against libgadu)
81            - kopete 4:3.3.2-5 (embed)
82  cvs:          - kadu <unfixed> (embed)
83  gcvs (at least an additional script is included, check if there's more)          - gadu <unfixed> (embed)
84            NOTE: g/kadu not packaged in Debian yet
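Review bot: new line 80 in the ekg stanza names the embedding package "pigdin", which should be "pidgin"; with the misspelling, a lookup by source package name will not find this entry when an ekg/libgadu fix has to be tracked. The same line appends "(links dynamically against libgadu)" after "(embed)", which the Format section does not allow for; move that text to a NOTE line under the entry, as is done for the other stanzas, and check whether <unfixed> is still the right status if the package links dynamically.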
85  pcre:  
86  all pythons  xmlrpc (which package is the "origin" of this code?)
87  php4 (src included, but Debian package links dynamically)          - drupal <unfixed> (embed)
88  analog (src included, but Debian package links dynamically)          - phpgroupware <unfixed> (embed)
89  libgoffice-1          - egroupware <unfixed> (embed)
90  vfu          - phpwiki (embed)
91  tf5 (since 5.0beta7 the Debian package links dynamically)          - php4 <unfixed> (embed)
92            TODO: check, php-pear, IIRC this was reorganized some weeks ago?
93  tiff:  
94  wxpythongtk (check, which debian pkg this is in)  shtool (affects build-time only)
95  older kdegraphics/kpdf releases < 3.3 embedded a copy          - mysql-ocaml <unfixed> (embed)
96            - php4 <unfixed> (embed)
97  uudeview:  
98  libconvert-uulib-perl  mozilla source code
99            - mozilla-firefox <unfixed> (embed)
100  sqlite: (not affected by security vulnerabilities so far)          - mozilla-thunderbird
101  amarok          - firefox <removed>
102            [etch] - firefox <unfixed> (embed)
103  util-linux/mount:          - thunderbird <removed>
104  loop-aes-utils contains code from util-linux' mount in the mount-aes-udeb          [etch] - thunderbird <unfixed> (embed)
105            - iceweasel <unfixed> (embed)
106  webmin:          - iceape <unfixed> (embed)
107  usermin (only in sarge)          - icedove <unfixed> (embed)
108            - xulrunner <unfixed> (embed)
109  fckeditor:          - nvu <removed> (embed)
110  knowledgeroot  
111    xli
112  sylpheed:          - xloadimage <unfixed> (embed)
113  sylpheed-claws  
114    lesstif (beware: two different lesstif APIs supported in one package, MOTIF 1.2 discarded upstream)
115  phpsysinfo:          - openmotif <unfixed> (embed)
116  egroupware          - xfree86/xorg <unfixed> (embed)
117  phpgroupware          NOTE: in libxpm
118    
119    kerberized apps with BSD origin
120            - krb4 <unfixed> (embed)
121            - krb5 <unfixed> (embed)
122            - heimdal <unfixed> (embed)
123    
124    grip (which pkg is the origin?)
125            - libcdaudio
126            - grip
127            - gnome-vfs
128            TODO: check vfs2 as well
129    
130    fudforum
131            - phpgroupware-fudforum <unfixed> (embed)
132            - egroupware-fudforum <removed>
133            [sarge] - egroupware-fudforum <unfixed> (embed)
134    
135    cvs
136            - gcvs <unfixed> (embed)
137            NOTE: see cvsunix/src in tarball
138    
139    pcre
140            - python* <unfixed> (embed)
141            - php4 <unknown> (embed)
142            - analog 2:5.23-0woody1 (embed)
143            - libgoffice-1 <unfixed> (embed)
144            - vfu 4.06-4.1 (embed; bug #450754)
145            - tf5 5.0beta7-1 (embed)
146            - monotone <unfixed> (embed)
147            NOTE: this only affects versions >= 0.37
148            - glib <unfixed> (embed)
149            NOTE: 2.14 series for gregex support, only for udeb, regular packag links dynamic
150            - apache2 2.0.53-4 (embed)
151            - exim4 4.10-0.srh20.12 (embed)
152            - yacas <unfixed> (embed)
153            NOTE: <= 1.0.x; is using pcre to scan text, can execute shell commands via the syntax anyway
154            - gtamsanalyzer.app 0.42-5 (embed)
155    
156    tiff
157            - wxpythongtk <unfixed> (embed)
158            TODO: check, which debian pkg this is in
159    
160    uudeview
161            - libconvert-uulib-perl <unfixed> (embed)
162    
163    sqlite (not affected by security vulnerabilities so far)
164            - amarok <unfixed> (embed)
165            - monotone <unfixed> (embed)
166            - iceweasel <unfixed> (embed)
167    
168    util-linux/mount
169            - loop-aes-utils <unfixed> (embed)
170            NOTE: contains code from util-linux' mount in the mount-aes-udeb
171    
172    webmin
173            - usermin <unknown> (embed)
174            [sarge] - usermin <unfixed> (embed)
175    
176    sylpheed
177            - sylpheed-claws <unfixed> (fork)
178    
179    phpsysinfo
180            - egroupware <unfixed> (embed)
181            - phpgroupware <unfixed> (embed)
182    
183    phpldapadmin
184            [sarge] - egroupware <unfixed> (embed)
185            NOTE: removed from egroupware after sarge
186    
187    chmlib
188            - kchmviewer <unknown> (embed)
189    
190    libavcodec/libavformat (source: ffmpeg)
191            - mplayer <unfixed> (embed; bug #395252)
192            - xvidcap <unfixed> (embed)
193            - kino <unfixed> (static)
194            - vlc <unfixed> (static)
195            - smilutils <unfixed> (static)
196            - motion <unfixed> (static)
197            - gst-ffmpeg <unfixed> (embed)
198            - gstreamer0.10-ffmpeg <unfixed> (embed)
199            - xmovie <unfixed>
200            TODO: gimp-gap (potentially using ffmpeg code as well)
201    
202    mad MPEG decoding lib
203            - mad <unfixed> (embed)
204            - xine-lib <unfixed> (embed)
205    
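Review bot: the new libavcodec/libavformat stanza (new lines 190-200) no longer lists xine-lib, although the list it replaces (the removed rows that follow) named xine-lib as an embedder next to ffmpeg and xvidcap. Nothing in the visible change says that xine-lib stopped carrying this code, so either restore it as "- xine-lib <unfixed> (embed)" or add a NOTE recording why it was dropped. Also in this stanza, "- xmovie <unfixed>" at line 199 has no sort, while every other entry states embed or static.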
 phpldapadmin:  
 egroupware (removed from egroupware after sarge)  
   
 chmlib:  
 kchmviewer (not packaged in Debian)  
   
 libavcodec/libavformat:  
 ffmpeg  
 xine-lib  
 xvidcap  
 kino (links statically, does not include code)  
 vlc (links statically, does not include code)  
 smilutils (links statically, does not include code)  
 motion (links statically, does not include code)  
 gst-ffmpeg  
 gstreamer0.10-ffmpeg  
 xmovie  
   
 mad MPEG decoding lib:  
 mad  
 xine-lib  
   
 libdts:  
206  libdts  libdts
207  xine-lib          - xine-lib <unfixed> (embed)
208    
 flac:  
209  flac  flac
210  xine-lib          - xine-lib <unfixed> (embed)
211    
212  liba52:  liba52
213  a52dec          - a52dec <unfixed> (embed)
214  xine-lib          - xine-lib <unfixed> (embed)
   
 libmpeg2:  
 mpeg2dec  
 xine-lib  
215    
216  curl:  libmpeg2
217  wget (code for NTLM authentication)          - mpeg2dec <unfixed> (embed)
218            - xine-lib <unfixed> (embed)
219    
220  TODO evaluate:  curl
221  gimp-gap (potentially using ffmpeg code as well)          - wget <unfixed> (embed)
222            NOTE: code for NTLM authentication
223    
224  uw-imap:  uw-imap
225  pine          - pine <unfixed> (embed)
226            - alpine <unfixed> (embed)
227    
228  imagemagick:  imagemagick
229  graphicsmagick          - graphicsmagick <unfixed> (fork)
230    
231  halibut:  halibut
232  nsis          - nsis <unfixed> (embed)
233    
234  libghttp:  libghttp
235  hotway          - hotway <unfixed> (embed)
236    
237  libsndfile:  libsndfile
238  ardour          - ardour <unfixed> (embed)
239    
240  glibmm2.4:  glibmm2.4
241  ardour          - ardour <unfixed> (embed)
242    
243  libgnomecanvasmm2.6:  libgnomecanvasmm2.6
244  ardour          - ardour <unfixed> (embed)
245    
246  libsigc++-2.0:  libsigc++-2.0
247  ardour          - ardour <unfixed> (embed)
248    
249  soundtouch:  soundtouch
250  ardour          - ardour <unfixed> (embed)
251    
252  libmms:  libmms
253  xine-lib          - xine-lib <unfixed> (embed)
254  mimms          - mimms <unfixed> (embed)
   
 FCKeditor:  
 knowledgeroot  
   
 Moodle contains lots of things:  
 AdoDB  
 AdoDB-XML Schema  
 ipatlas  
 PHPMailer  
 Smarty  
 htmlArea  
 TinyMCE  
 bennu  
255    
256  TinyMCE:  fckeditor
257  wordpress          - knowledgeroot 0.9.8.5-3 (embed; bug #461555)
258  moodle          - moin <unfixed> (embed; bug #452599)
259  knowledgeroot          - karrigell <unfixed> (embed; bug #452598)
260  joomla (ITP)          - gforge-plugins-extra 4.6.99+svn6225-1 (embed)
261    
262  scintilla:  ipatlas (not packaged in Debian)
263  scite          - moodle <unfixed> (embed)
 qscintilla  
 geany  
264    
265  libphp-adodb:  libphp-phpmailer
266  gallery2          - moodle <unfixed> (embed)
 phppgadmin  
 egroupware  
 phpwiki  
 moodle  
 cacti (dependency exists, but internal version is used -- only in sarge, fixed in etch)  
267    
268  gzip:  htmlArea (not packaged in Debian)
269  linux-kernel (lib/inflate.c)          - moodle <unfixed> (embed)
 klibc (based on linux-kernel gzip code)  
 busybox  
270    
271  ffmpeg:  bennu (not packaged in Debian)
272  mplayer (#395252)          - moodle <unfixed> (embed)
273    
274  neon:  smarty:
275  cadaver (all, but being worked on: #188381)          - moodle <unfixed> (embed)
 gnome-vfs2 (#395874)  
 litmus (#395875)  
 screem (sarge only)  
 sitecopy (#395876)  
 tla (etch/sid only: #395877)  
276    
277  libmodplug:  TinyMCE
278  gst-plugins-bad0.10          - wordpress <unfixed> (embed)
279            - moodle <unfixed> (embed)
280  libvncserver:          - knowledgeroot <unfixed> (embed)
281  vino          - joomla <itp> (bug #326398)
282    
283  putty:  scintilla
284  filezilla          - scite <unfixed> (embed)
285            - qscintilla <unfixed> (embed)
286  tinyxml (not packaged in Debian):          - qscintilla2 <unfixed> (embed)
287  filezilla          - geany <unfixed> (embed)
288    
289  gv:  libphp-adodb
290  evince (ps/ tree from gv 3.5.8)          - moodle <unfixed> (embed)
291  evince-gtk (not packaged in Debian)          NOTE: also AdoDB-XML Schema
292            - gallery2 <unfixed> (embed)
293  libXbae:          - phppgadmin <unfixed> (embed)
294  libpawlib2-lesstif package (from Cernlib)          - egroupware <unfixed> (embed)
295            - phpwiki <unfixed> (embed)
296  libXaw:          - ipplan <unfixed> (embed)
297  libpawlib2-lesstif package (from Cernlib)          - typo3 <unfixed> (embed)
298            - moodle <unfixed> (embed)
299  (I plan to deal with the above two cases after Etch release. -- KevinMcCarty)          - cacti <unknown> (embed)
300            [sarge] - cacti <unfixed> (embed)
301  libgd2:          NOTE: dependency exists, but internal version is used
302  graphviz (lib/gd seems to be 2.0.33)  
303    gzip
304  rar:          - linux-kernel <unfixed> (embed)
305  unrar-nonfree          NOTE: lib/inflate.c
306            - klibc <unfixed> (embed)
307  unrar-free: (maybe this code is derived from the original rar, too?)          NOTE: based on linux-kernel gzip code
308  clamav (seems to be disabled in default config)          - busybox <unfixed> (embed)
309    
310  mplayer (DirectMedia Object loader):  neon
311  xine-lib (src/libw32dll/)          - cadaver <unfixed> (embed; bug #188381)
312  vlc (modules/codec/dmo/)          - gnome-vfs2 <unfixed> (embed; bug #395874)
313            - litmus <unfixed> (embed; #395875)
314  libwpd (WordPerfect converter):          [sarge] - screem <unfixed> (embed)
315  openoffice.org          - sitecopy <unfixed> (embed; bug #395876)
316            [etch] - tla <unfixed> (embed; bug #395877)
317            [sarge] - tla <unfixed> (embed; bug #395877)
318    
319    libmodplug
320            - gst-plugins-bad0.10 <unfixed> (embed)
321    
322    libvncserver
323            - vino <unfixed> (embed)
324    
325    putty
326            - filezilla <unfixed> (embed)
327    
328    tinyxml (not packaged in Debian)
329            - filezilla <unfixed>
330    
331    gv
332            - evince <unfixed> (embed)
333            NOTE: ps/ tree from gv 3.5.8
334            - evince-gtk <unfixed> (embed)
335            NOTE: not packaged in Debian
336    
337    libXbae
338            [etch] - libpawlib2-lesstif <unfixed> (embed)
339            NOTE: from Cernlib
340    
341    libXaw
342            [etch] - libpawlib2-lesstif
343            NOTE: from Cernlib
344            NOTE: I plan to deal with the above two cases after Etch release. -- KevinMcCarty
345    
346    libgd2
347            - graphviz <unfixed> (embed)
348            NOTE: lib/gd seems to be 2.0.33
349    
350    rar
351            - unrar-nonfree <unfixed> (embed)
352    
353    unrar-free (maybe this code is derived from the original rar, too?)
354            - clamav <unfixed> (embed)
355            NOTE: seems to be disabled in default config
356    
357    mplayer (DirectMedia Object loader)
358            - xine-lib <unfixed> (embed)
359            NOTE: src/libw32dll/
360            - vlc <unfixed> (embed)
361            NOTE: modules/codec/dmo/
362    
363    libwpd (WordPerfect converter)
364            - openoffice.org <unfixed> (embed)
365    
366    fsplib (http://sourceforge.net/projects/fsp/)
367            - gftp <unfixed> (embed)
368            NOTE: lib/fsplib version 0.3
369    
370    librpcsecgss
371            - krb5 <unfixed> (embed)
372    
373    jasper
374            - ghostscript <unfixed> (embed)
375            - gs-gpl <unfixed> (embed)
376    
377    libidn
378            - monotone <unfixed> (embed)
379    
380    liblua
381            - monotone <unfixed> (embed)
382    
383    libbotan
384            - montone <unfixed> (embed)
385    
386    NetXX
387            - monotone <unfixed> (embed)
388    
389    libgc
390            - mono <unfixed> (embed)
391    
392    lzma
393            - p7zip <unfixed> (embed)
394    
395    lzo
396            - grub2 <unfixed> (embed)
397    
398    yassl
399            - mysql-dfsg-5.0 <unfixed> (embed)
400    
401    pax code
402            - tar <unfixed> (embed)
403            - cpio <unfixed> (embed)
404    
405    t1lib
406            - tetex-bin 2.0.2-1 (embed)
407            - texlive-bin <unknown> (embed)
408    
409    guichan
410            - boswars <unfixed> (embed)
411            NOTE: maintainer notified us, working on it
412    
413    tolua
414            - boswars <unfixed> (embed)
415            NOTE: maintainer notified us, working on it
416    
417    asio-dev
418            - luxrender <unfixed> (embed)
419            NOTE: maintainer notified us, working on it
420            NOTE: may be merged with boost "soon"
421    
422  fsplib (http://sourceforge.net/projects/fsp/):  xine-lib
423  gftp (lib/fsplib version 0.3)          - vlc <unfixed> (embed)
424            NOTE: only parts included in modules/access/rtsp
425    
426  librpcsecgss:  netpbm
427  krb5          - tcl8.3 <unfixed> (embed)
428            - tcl8.4 <unfixed> (embed)
429            - tcl8.5 <unfixed> (embed)
430            NOTE: generic/tkImgGIF.c
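Review bot: new line 384 under libbotan reads "- montone <unfixed> (embed)"; the neighbouring stanzas (libidn, liblua, NetXX) spell the package "monotone", so this entry will be missed by a search for that source package. Since the header now defines a fixed format after ---BEGIN, a few other converted lines do not follow it: "- mozilla-thunderbird" (line 100), "- libcdaudio", "- grip" and "- gnome-vfs" (lines 125-127) and "[etch] - libpawlib2-lesstif" (line 342) carry no status, "- phpwiki (embed)" (line 90) has a sort but no status, "smarty:" (line 274) keeps the trailing colon of the old layout, and "- litmus <unfixed> (embed; #395875)" (line 313) omits the word "bug". The file also uses "TODO:" lines (for example lines 67 and 128), which the Format section does not describe; either document them next to NOTE or convert them to NOTE lines.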

Legend:
Removed from v.6966  
changed lines
  Added in v.8085
