/[secure-testing]/data/embedded-code-copies

Diff of /data/embedded-code-copies


revision 6985 by stef-guest, Tue Oct 16 20:43:59 2007 UTC | revision 8085 by nion, Tue Feb 5 21:40:32 2008 UTC
# Line 1  Line 1 
1  This file collects cases, where a source package embeds code from  Embedded code copies
2  other projects, without linking dynamically:  ====================
3    
4  xpdf code: (some use xpdf 2, some xpdf 3)  This file collects source packages that embed code from other projects.
5  gpdf (has been replaced by evince - which uses poppler - in Etch)  This is considered bad for fixing security flaws because the fix needs
6  pdftohtml (has been replaced by poppler-utils from the poppler source package, still in Etch, though)  to be applied in multiple source packages.
7  kdegraphics/kpdf (okular, the kpdf replacement in KDE 4 is using poppler, #436164)  
8  tetex-bin (links to poppler since 3.0-12)  Format:
9  cupsys (uses xpdf-utils, it's still present in the src, though)  <srcpkg> (<optional comment about srcpkg>)
10  poppler          - <embedding srcpkg> <status> (<sort>; bug #<number>)
11  koffice/kword (upstream is working on using poppler, #436163)          NOTE: optional comments about the linkage of the embedding srcpkg
12  libextractor (uses internal pdf decoder since 0.5.12-1)  
13  pdfkit.framework (links to poppler since 0.8-4)  status: version number fixing the embedded copy, <unfixed>, <removed>,
14  ipe (only small parts, but with renamed source files: ipestdfonts.cpp, ipefonts.cpp, ipedct.cpp)          <itp> or <unknown> if the version number can not be determined
15    sort: static (linking statically against a lib)
16  silc-toolkit:        embed (embedding a copy of the library into another source package)
17  silc-client (uses libsilc and libsilcclient)        fork (the package is not just embedding code but it is a fork and
18                thus might share parts of the source code)
19  dietlibc:  
20  ccontrol (links statically)  The srcpkg might be some string to identify the code if there is no
21    specific source package.
22  libiax:  
23  iaxmodem  Everything up to the next line is ignored.
24    ---BEGIN
25  zlib code: (lots of apps embed a copy, but link dynamically, but there are a few exceptions)  xpdf (some srcpkgs use xpdf2 code, some xpdf3 code)
26  dpkg          NOTE: Fixed packages link to poppler library unless otherwise noted
27  rsync (somehow derived code base)          - gpdf <removed>
28  mozilla(?)          [sarge] - gpdf <unfixed>
29  Linux kernels          NOTE: has been replaced by evince in etch
30  pvpgn (links dynamically since 1.7.8-2)          - pdftohtml <unknown>
31  mrtg (links dynamically since 2.12.2-1)          [sarge] - pdftohtml <unfixed>
32  rpm          [etch] - pdftohtml <unfixed>
33            NOTE: has been replaced by poppler-utils
34  libbz2:          - kdegraphics <unfixed> (embed; bug #436164)
35  dpkg (statically linked)          NOTE: the kpdf replacement in KDE 4 is using poppler
36            - tetex-bin 3.0-12 (embed)
37  libgadu/ekg:          - texlive-bin 2007-1 (embed)
38  centericq          NOTE: links to poppler
39  gaim          - koffice <unfixed> (embed; bug #436163)
40  kopete (ships the code, but links dynamically in the Debian package)          - libextractor 0.5.12-1 (embed)
41  kadu (not packaged in Debian)          NOTE: libextractor is using its own pdf decoder now
42  GNU gadu (not yet packaged in Debian)          - libextractor 0.5.12-1 (embed)
43            - pdfkit.framework 0.8-4 (embed)
44  xmlrpc: (which package is the "origin" of this code?)          - ipe <unfixed> (embed)
45  drupal          NOTE: embeds small parts with renamed source files: ipestdfonts.cpp, ipefonts.cpp, ipedct.cpp
46  phpgroupware          - ruby-gnome2 <unknown> (embed)
47  egroupware          NOTE: copy only present in source but links to poppler
48  phpwiki  
49  php4 (php-pear, IIRC this was reorganized some weeks ago?)  ppmd
50  tikiwiki          - libcomplearn-mod-ppmd <unfixed> (embed; bug #458152)
51    
52  shtool: (affects build-time only)  silc-toolkit
53  mysql-ocaml          - silc-client 1.1~beta6-1 (embed)
54  php4  
55    dietlibc
56  mozilla:          - ccontrol 0.9.1+20071204-1 (static)
57  mozilla-firefox  
58  mozilla-thunderbird  libiax
59  firefox (to be removed)          - iaxmodem <unfixed> (embed)
60  thunderbird (to be removed)  
61  iceweasel  zlib (lots of apps embed a copy, but link dynamically, but there are a few exceptions)
62  iceape          - dpkg <unfixed> (embed)
63  icedove          NOTE: see 18196.48620.491996.624772@davenant.relativity.greenend.org.uk on debian-devel for discussion
64  xulrunner          - rsync <unfixed> (embed)
65  nvu (no longer in Debian)          NOTE: somehow derived code base
66            - mono <unfixed> (embed)
67  xli:          TODO: check mozilla
68  xloadimage          - Linux kernels <unfixed> (embed)
69            - pvpgn 1.7.8-2 (embed)
70  lesstif: (beware: two different lesstif APIs supported in one package, MOTIF 1.2 discarded upstream)          - mrtg 2.12.2-1 (embed)
71  openmotif          - rpm <unknown> (embed)
72  xfree86/xorg (in libxpm)          NOTE: pinged anibal since when rpm was fixed
73    
74  kerberized apps with BSD origin:  libbz2
75  krb4          - dpkg <unfixed> (static)
76  krb5  
77  heimdal  ekg
78            - centericq <unfixed> (embed)
79  grip: (which pkg is the origin?)          - gaim <unfixed> (embed)
80  libcdaudio          - pigdin <unfixed> (embed)(links dynamically against libgadu)
81  grip          - kopete 4:3.3.2-5 (embed)
82  gnome-vfs (vfs2 as well?)          - kadu <unfixed> (embed)
83            - gadu <unfixed> (embed)
84  fudforum:          NOTE: g/kadu not packaged in Debian yet
85  phpgroupware-fudforum  
86  egroupware-fudforum (removed from egroupware after sarge)  xmlrpc (which package is the "origin" of this code?)
87            - drupal <unfixed> (embed)
88  cvs:          - phpgroupware <unfixed> (embed)
89  gcvs (at least an additional script is included, check if there's more)          - egroupware <unfixed> (embed)
90            - phpwiki (embed)
91  pcre:          - php4 <unfixed> (embed)
92  all pythons          TODO: check, php-pear, IIRC this was reorganized some weeks ago?
93  php4 (src included, but Debian package links dynamically)  
94  analog (src included, but Debian package links dynamically)  shtool (affects build-time only)
95  libgoffice-1          - mysql-ocaml <unfixed> (embed)
96  vfu          - php4 <unfixed> (embed)
97  tf5 (since 5.0beta7 the Debian package links dynamically)  
98  monotone  mozilla source code
99            - mozilla-firefox <unfixed> (embed)
100  tiff:          - mozilla-thunderbird
101  wxpythongtk (check, which debian pkg this is in)          - firefox <removed>
102  older kdegraphics/kpdf releases < 3.3 embedded a copy          [etch] - firefox <unfixed> (embed)
103            - thunderbird <removed>
104  uudeview:          [etch] - thunderbird <unfixed> (embed)
105  libconvert-uulib-perl          - iceweasel <unfixed> (embed)
106            - iceape <unfixed> (embed)
107  sqlite: (not affected by security vulnerabilities so far)          - icedove <unfixed> (embed)
108  amarok          - xulrunner <unfixed> (embed)
109  monotone          - nvu <removed> (embed)
110    
111  util-linux/mount:  xli
112  loop-aes-utils contains code from util-linux' mount in the mount-aes-udeb          - xloadimage <unfixed> (embed)
113    
114  webmin:  lesstif (beware: two different lesstif APIs supported in one package, MOTIF 1.2 discarded upstream)
115  usermin (only in sarge)          - openmotif <unfixed> (embed)
116            - xfree86/xorg <unfixed> (embed)
117  sylpheed:          NOTE: in libxpm
118  sylpheed-claws  
119    kerberized apps with BSD origin
120  phpsysinfo:          - krb4 <unfixed> (embed)
121  egroupware          - krb5 <unfixed> (embed)
122  phpgroupware          - heimdal <unfixed> (embed)
123    
124    grip (which pkg is the origin?)
125            - libcdaudio
126            - grip
127            - gnome-vfs
128            TODO: check vfs2 as well
129    
130    fudforum
131            - phpgroupware-fudforum <unfixed> (embed)
132            - egroupware-fudforum <removed>
133            [sarge] - egroupware-fudforum <unfixed> (embed)
134    
135    cvs
136            - gcvs <unfixed> (embed)
137            NOTE: see cvsunix/src in tarball
138    
139    pcre
140            - python* <unfixed> (embed)
141            - php4 <unknown> (embed)
142            - analog 2:5.23-0woody1 (embed)
143            - libgoffice-1 <unfixed> (embed)
144            - vfu 4.06-4.1 (embed; bug #450754)
145            - tf5 5.0beta7-1 (embed)
146            - monotone <unfixed> (embed)
147            NOTE: this only affects versions >= 0.37
148            - glib <unfixed> (embed)
149            NOTE: 2.14 series for gregex support, only for udeb, regular packag links dynamic
150            - apache2 2.0.53-4 (embed)
151            - exim4 4.10-0.srh20.12 (embed)
152            - yacas <unfixed> (embed)
153            NOTE: <= 1.0.x; is using pcre to scan text, can execute shell commands via the syntax anyway
154            - gtamsanalyzer.app 0.42-5 (embed)
155    
156    tiff
157            - wxpythongtk <unfixed> (embed)
158            TODO: check, which debian pkg this is in
159    
160    uudeview
161            - libconvert-uulib-perl <unfixed> (embed)
162    
163    sqlite (not affected by security vulnerabilities so far)
164            - amarok <unfixed> (embed)
165            - monotone <unfixed> (embed)
166            - iceweasel <unfixed> (embed)
167    
168    util-linux/mount
169            - loop-aes-utils <unfixed> (embed)
170            NOTE: contains code from util-linux' mount in the mount-aes-udeb
171    
172    webmin
173            - usermin <unknown> (embed)
174            [sarge] - usermin <unfixed> (embed)
175    
176    sylpheed
177            - sylpheed-claws <unfixed> (fork)
178    
179    phpsysinfo
180            - egroupware <unfixed> (embed)
181            - phpgroupware <unfixed> (embed)
182    
183    phpldapadmin
184            [sarge] - egroupware <unfixed> (embed)
185            NOTE: removed from egroupware after sarge
186    
187    chmlib
188            - kchmviewer <unknown> (embed)
189    
190    libavcodec/libavformat (source: ffmpeg)
191            - mplayer <unfixed> (embed; bug #395252)
192            - xvidcap <unfixed> (embed)
193            - kino <unfixed> (static)
194            - vlc <unfixed> (static)
195            - smilutils <unfixed> (static)
196            - motion <unfixed> (static)
197            - gst-ffmpeg <unfixed> (embed)
198            - gstreamer0.10-ffmpeg <unfixed> (embed)
199            - xmovie <unfixed>
200            TODO: gimp-gap (potentially using ffmpeg code as well)
201    
202    mad MPEG decoding lib
203            - mad <unfixed> (embed)
204            - xine-lib <unfixed> (embed)
205    
 phpldapadmin:  
 egroupware (removed from egroupware after sarge)  
   
 chmlib:  
 kchmviewer (not packaged in Debian)  
   
 libavcodec/libavformat:  
 ffmpeg  
 xine-lib  
 xvidcap  
 kino (links statically, does not include code)  
 vlc (links statically, does not include code)  
 smilutils (links statically, does not include code)  
 motion (links statically, does not include code)  
 gst-ffmpeg  
 gstreamer0.10-ffmpeg  
 xmovie  
   
 mad MPEG decoding lib:  
 mad  
 xine-lib  
   
 libdts:  
206  libdts  libdts
207  xine-lib          - xine-lib <unfixed> (embed)
208    
 flac:  
209  flac  flac
210  xine-lib          - xine-lib <unfixed> (embed)
   
 liba52:  
 a52dec  
 xine-lib  
211    
212  libmpeg2:  liba52
213  mpeg2dec          - a52dec <unfixed> (embed)
214  xine-lib          - xine-lib <unfixed> (embed)
215    
216  curl:  libmpeg2
217  wget (code for NTLM authentication)          - mpeg2dec <unfixed> (embed)
218            - xine-lib <unfixed> (embed)
219    
220  TODO evaluate:  curl
221  gimp-gap (potentially using ffmpeg code as well)          - wget <unfixed> (embed)
222            NOTE: code for NTLM authentication
223    
224  uw-imap:  uw-imap
225  pine          - pine <unfixed> (embed)
226  alpine          - alpine <unfixed> (embed)
227    
228  imagemagick:  imagemagick
229  graphicsmagick          - graphicsmagick <unfixed> (fork)
230    
231  halibut:  halibut
232  nsis          - nsis <unfixed> (embed)
233    
234  libghttp:  libghttp
235  hotway          - hotway <unfixed> (embed)
236    
237  libsndfile:  libsndfile
238  ardour          - ardour <unfixed> (embed)
239    
240  glibmm2.4:  glibmm2.4
241  ardour          - ardour <unfixed> (embed)
242    
243  libgnomecanvasmm2.6:  libgnomecanvasmm2.6
244  ardour          - ardour <unfixed> (embed)
245    
246  libsigc++-2.0:  libsigc++-2.0
247  ardour          - ardour <unfixed> (embed)
248    
249  soundtouch:  soundtouch
250  ardour          - ardour <unfixed> (embed)
251    
252  libmms:  libmms
253  xine-lib          - xine-lib <unfixed> (embed)
254  mimms          - mimms <unfixed> (embed)
255    
256  FCKeditor:  fckeditor
257  knowledgeroot          - knowledgeroot 0.9.8.5-3 (embed; bug #461555)
258            - moin <unfixed> (embed; bug #452599)
259            - karrigell <unfixed> (embed; bug #452598)
260            - gforge-plugins-extra 4.6.99+svn6225-1 (embed)
261    
262  Moodle contains lots of things:  ipatlas (not packaged in Debian)
263  AdoDB          - moodle <unfixed> (embed)
 AdoDB-XML Schema  
 ipatlas  
 PHPMailer  
 Smarty  
 htmlArea  
 TinyMCE  
 bennu  
264    
265  TinyMCE:  libphp-phpmailer
266  wordpress          - moodle <unfixed> (embed)
 moodle  
 knowledgeroot  
 joomla (ITP)  
267    
268  scintilla:  htmlArea (not packaged in Debian)
269  scite          - moodle <unfixed> (embed)
 qscintilla  
 geany  
270    
271  libphp-adodb:  bennu (not packaged in Debian)
272  gallery2          - moodle <unfixed> (embed)
 phppgadmin  
 egroupware  
 phpwiki  
 moodle  
 cacti (dependency exists, but internal version is used -- only in sarge, fixed in etch)  
273    
274  gzip:  smarty:
275  linux-kernel (lib/inflate.c)          - moodle <unfixed> (embed)
 klibc (based on linux-kernel gzip code)  
 busybox  
276    
277  ffmpeg:  TinyMCE
278  mplayer (#395252)          - wordpress <unfixed> (embed)
279            - moodle <unfixed> (embed)
280  neon:          - knowledgeroot <unfixed> (embed)
281  cadaver (all, but being worked on: #188381)          - joomla <itp> (bug #326398)
282  gnome-vfs2 (#395874)  
283  litmus (#395875)  scintilla
284  screem (sarge only)          - scite <unfixed> (embed)
285  sitecopy (#395876)          - qscintilla <unfixed> (embed)
286  tla (etch/sid only: #395877)          - qscintilla2 <unfixed> (embed)
287            - geany <unfixed> (embed)
288  libmodplug:  
289  gst-plugins-bad0.10  libphp-adodb
290            - moodle <unfixed> (embed)
291            NOTE: also AdoDB-XML Schema
292            - gallery2 <unfixed> (embed)
293            - phppgadmin <unfixed> (embed)
294            - egroupware <unfixed> (embed)
295            - phpwiki <unfixed> (embed)
296            - ipplan <unfixed> (embed)
297            - typo3 <unfixed> (embed)
298            - moodle <unfixed> (embed)
299            - cacti <unknown> (embed)
300            [sarge] - cacti <unfixed> (embed)
301            NOTE: dependency exists, but internal version is used
302    
303    gzip
304            - linux-kernel <unfixed> (embed)
305            NOTE: lib/inflate.c
306            - klibc <unfixed> (embed)
307            NOTE: based on linux-kernel gzip code
308            - busybox <unfixed> (embed)
309    
310    neon
311            - cadaver <unfixed> (embed; bug #188381)
312            - gnome-vfs2 <unfixed> (embed; bug #395874)
313            - litmus <unfixed> (embed; #395875)
314            [sarge] - screem <unfixed> (embed)
315            - sitecopy <unfixed> (embed; bug #395876)
316            [etch] - tla <unfixed> (embed; bug #395877)
317            [sarge] - tla <unfixed> (embed; bug #395877)
318    
319    libmodplug
320            - gst-plugins-bad0.10 <unfixed> (embed)
321    
322    libvncserver
323            - vino <unfixed> (embed)
324    
325    putty
326            - filezilla <unfixed> (embed)
327    
328    tinyxml (not packaged in Debian)
329            - filezilla <unfixed>
330    
331    gv
332            - evince <unfixed> (embed)
333            NOTE: ps/ tree from gv 3.5.8
334            - evince-gtk <unfixed> (embed)
335            NOTE: not packaged in Debian
336    
337    libXbae
338            [etch] - libpawlib2-lesstif <unfixed> (embed)
339            NOTE: from Cernlib
340    
341    libXaw
342            [etch] - libpawlib2-lesstif
343            NOTE: from Cernlib
344            NOTE: I plan to deal with the above two cases after Etch release. -- KevinMcCarty
345    
346    libgd2
347            - graphviz <unfixed> (embed)
348            NOTE: lib/gd seems to be 2.0.33
349    
350    rar
351            - unrar-nonfree <unfixed> (embed)
352    
353    unrar-free (maybe this code is derived from the original rar, too?)
354            - clamav <unfixed> (embed)
355            NOTE: seems to be disabled in default config
356    
357    mplayer (DirectMedia Object loader)
358            - xine-lib <unfixed> (embed)
359            NOTE: src/libw32dll/
360            - vlc <unfixed> (embed)
361            NOTE: modules/codec/dmo/
362    
363    libwpd (WordPerfect converter)
364            - openoffice.org <unfixed> (embed)
365    
366    fsplib (http://sourceforge.net/projects/fsp/)
367            - gftp <unfixed> (embed)
368            NOTE: lib/fsplib version 0.3
369    
370    librpcsecgss
371            - krb5 <unfixed> (embed)
372    
373    jasper
374            - ghostscript <unfixed> (embed)
375            - gs-gpl <unfixed> (embed)
376    
377  libvncserver:  libidn
378  vino          - monotone <unfixed> (embed)
379    
380  putty:  liblua
381  filezilla          - monotone <unfixed> (embed)
382    
383  tinyxml (not packaged in Debian):  libbotan
384  filezilla          - montone <unfixed> (embed)
385    
386  gv:  NetXX
387  evince (ps/ tree from gv 3.5.8)          - monotone <unfixed> (embed)
 evince-gtk (not packaged in Debian)  
388    
389  libXbae:  libgc
390  libpawlib2-lesstif package (from Cernlib)          - mono <unfixed> (embed)
391    
392  libXaw:  lzma
393  libpawlib2-lesstif package (from Cernlib)          - p7zip <unfixed> (embed)
394    
395  (I plan to deal with the above two cases after Etch release. -- KevinMcCarty)  lzo
396            - grub2 <unfixed> (embed)
397    
398  libgd2:  yassl
399  graphviz (lib/gd seems to be 2.0.33)          - mysql-dfsg-5.0 <unfixed> (embed)
400    
401  rar:  pax code
402  unrar-nonfree          - tar <unfixed> (embed)
403            - cpio <unfixed> (embed)
404    
405  unrar-free: (maybe this code is derived from the original rar, too?)  t1lib
406  clamav (seems to be disabled in default config)          - tetex-bin 2.0.2-1 (embed)
407            - texlive-bin <unknown> (embed)
408    
409  mplayer (DirectMedia Object loader):  guichan
410  xine-lib (src/libw32dll/)          - boswars <unfixed> (embed)
411  vlc (modules/codec/dmo/)          NOTE: maintainer notified us, working on it
412    
413  libwpd (WordPerfect converter):  tolua
414  openoffice.org          - boswars <unfixed> (embed)
415            NOTE: maintainer notified us, working on it
416    
417  fsplib (http://sourceforge.net/projects/fsp/):  asio-dev
418  gftp (lib/fsplib version 0.3)          - luxrender <unfixed> (embed)
419            NOTE: maintainer notified us, working on it
420            NOTE: may be merged with boost "soon"
421    
422  librpcsecgss:  xine-lib
423  krb5          - vlc <unfixed> (embed)
424            NOTE: only parts included in modules/access/rtsp
425    
426  monotone embeds lots of things:  netpbm
427  liblua          - tcl8.3 <unfixed> (embed)
428  libidn          - tcl8.4 <unfixed> (embed)
429  libsqlite3          - tcl8.5 <unfixed> (embed)
430  libbotan          NOTE: generic/tkImgGIF.c
 NetXX  
 pcre (starting from 0.37)  
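
Review bot: Two embedder names on the new side are misspelled, "pigdin" under ekg (new line 80, presumably pidgin) and "montone" under libbotan (new line 384, listed as monotone on the old side), so a lookup by source package name will miss both entries when a fix for libgadu or botan has to be propagated; correct the spellings. The same pigdin line appends "(links dynamically against libgadu)" after "(embed)" instead of using a NOTE: line as the Format header describes. Several entries do not follow the declared `- <embedding srcpkg> <status> (<sort>; bug #<number>)` shape: "- mozilla-thunderbird", the three grip entries, "- phpwiki (embed)" and "[etch] - libpawlib2-lesstif" under libXaw carry no status, "- xmovie <unfixed>" and "- filezilla <unfixed>" under tinyxml carry no sort, litmus uses "#395875" without the "bug" keyword, and "smarty:" keeps the trailing colon of the old layout. libextractor 0.5.12-1 appears twice under xpdf (new lines 40 and 42) and moodle twice under libphp-adodb (new lines 290 and 298); drop the duplicates. The Format header should also document the "[sarge]"/"[etch]" release prefix and the TODO: lines, since both are used throughout the body. Finally, xine-lib was listed under libavcodec/libavformat on the old side and is absent from that block on the new side; please confirm that was intended, as it removes one package from the set to check when ffmpeg gets a security fix.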
