--- data/embedded-code-copies 2005/09/07 14:43:38 1834 +++ data/embedded-code-copies 2009/10/28 15:08:26 13116 
@@ -1,94 +1,994 @@ -This file collects cases, where a source package embeds code from -other projects, without linking dynamically: +Embedded code copies +==================== -xpdf code: (some use xpdf 2, some xpdf 3) -gpdf -pdftohtml -kdegraphics/kpdf -tetex-bin -cupsys (only older releases, recent ones use xpdf-utils, it's still present in the src, though) -poppler +This file collects source packages that embed code from other projects. +This is considered bad for fixing security flaws because the fix needs +to be applied in multiple source packages. + +Format: + () + - (; bug #) + NOTE: optional comments about the linkage of the embedding srcpkg + +status: version number fixing the embedded copy, , , + , , if the version number can not + be determined, or for unavoidable cases (e.g., forks + that add real value) +sort: static (linking statically against a lib) + embed (embedding a copy of the library into another source package) + fork (the package is not just embedding code but it is a fork and + thus might share parts of the source code) + old-version (the package is an older version of essentially + the same code) + +The srcpkg might be some string to identify the code if there is no +specific source package. + +Everything up to the next line is ignored. 
+---BEGIN +xpdf (some srcpkgs use xpdf2 code, some xpdf3 code) + NOTE: Fixed packages link to poppler library unless otherwise noted + - pdftohtml + [sarge] - pdftohtml + [etch] - pdftohtml + NOTE: has been replaced by poppler-utils + - kdegraphics 4:4.2.2-1 (embed; bug #436164) + - texlive-base 3.0-12 (embed) + - texlive-bin 2007-1 (embed) + NOTE: links to poppler + - koffice (embed; bug #436163) + - libextractor 0.5.12-1 (embed) + NOTE: libextractor is using its own pdf decoder now + - ipe (embed) + NOTE: embeds small parts with renamed source files: ipestdfonts.cpp, ipefonts.cpp, ipedct.cpp + - ruby-gnome2 (embed) + NOTE: copy only present in source but links to poppler + - pdfedit (embed; bug #510794) + - swftools (embed; bug #551293) + - poppler (fork) + +ppmd + - libcomplearn-mod-ppmd (fork) + NOTE: discussion in #458152 + +libevent + - transmission 1.71-1 (embed; bug #529372) + +lrmi + - read-edid 2.0.0-1 (embed; bug #495131) + +peercast + - gnome-peercast (embed) + NOTE: gnome-peercast may better be removed, see #466539 + +silc-toolkit + - silc-client 1.1~beta6-1 (embed) + +icclib + - ghostscript (embed) + - argyll (embed) + +dietlibc + - ccontrol 0.9.1+20071204-1 (static) + +libmikmod + - sdl-mixer1.2 (embed) + TODO: report bug + +libiax + - iaxmodem (embed; bug #548885) + +spandsp + - iaxmodem (embed; bug #548885) + +zlib (lots of apps embed a copy, but link dynamically, but there are a few exceptions) + - dpkg (embed) + NOTE: see 18196.48620.491996.624772@davenant.relativity.greenend.org.uk on debian-devel for discussion + - rsync (embed) + NOTE: somehow derived code base + - mono (embed) + TODO: check mozilla + - Linux kernels (embed) + - pvpgn 1.7.8-2 (embed) + - mrtg 2.12.2-1 (embed) + - rpm (embed) + NOTE: pinged anibal since when rpm was fixed + - tuxcmd-modules (embed) + - zsync + - tra + - sash + - nsis + - mseide-msegui + NOTE: mseide + - mirrordir + - poco + - klibc + - ghostscript + - freeimage + - clamav (fork) + NOTE: from the changelog: 
"libclamav6 does indeed duplicate parts of the zlib code, but there is not way around that" + - tuxonice-userui + - plt-scheme + - perl + - paraview + - gcvs + - erlang + - dump + - aide (static) + - dar (static) + - avfs + - fpc + - winff + NOTE: inherited from fpc, see #472304 + - lazarus + NOTE: inherited from fpc, see #472304 + - erlang (embed) + +dulwich + - hg-git (embed; bug #541996) + +libvigraimpex + - hugin (embed; bug #542259) + - enblend-enfuse (embed; bug #542258) + +libbz2 + - dpkg (static) + +libgadu + - centericq (embed) + - pidgin (embed) + NOTE: pidgin links dynamically against libgadu; that should be fixed, then??? + - kdenetwork 4:3.3.2-5 (embed) + NOTE: from kdenetwork: kopete + - ekg 1:1.8~rc0-1 (embed) + - kadu 0.6.0.2-3 (embed; bug #504430) + - gadu (embed) + +xmlrpc (which package is the "origin" of this code?) + - drupal (embed) + - phpgroupware (embed) + - egroupware (embed) + - phpwiki (embed) + - php4 (embed) + TODO: check, php-pear, IIRC this was reorganized some weeks ago? + +shtool (affects build-time only) + - mysql-ocaml (embed) + - php4 (embed) + +iceape + - iceweasel (fork) + - icedove (fork) + - xulrunner (fork) + - kompozer (embed; bug #532168) + +xli + - xloadimage (embed) + +lesstif (beware: two different lesstif APIs supported in one package, MOTIF 1.2 discarded upstream) + - openmotif (embed) + - libxpm (embed) + +kerberized apps with BSD origin + - krb4 (embed) + - krb5 (embed) + - heimdal (embed) + +grip (which pkg is the origin?) 
+ - libcdaudio + - grip + - gnome-vfs + TODO: check vfs2 as well + +fudforum + [etch] - phpgroupware (embed) + NOTE: phpgroupware-fudforum + [sarge] - egroupware-fudforum (embed) + +libbsd + - rdate 1:1.2-3 (embed) + - atheme-services + - libbsd-arc4random-perl + - isakmpd + +cvs + - gcvs (embed) + NOTE: see cvsunix/src in tarball + +pcre + - python* (embed) + - php4 (embed) + - analog 2:5.23-0woody1 (embed) + - goffice (embed) + NOTE: libgoffice-* + - vfu 4.06-4.1 (embed; bug #450754) + - tf5 5.0beta7-1 (embed) + - monotone 0.43-1 (embed) + NOTE: this only affects versions >= 0.37 + - glib2.0 2.15.2-1 (embed) + - apache2 2.0.53-4 (embed) + - exim4 4.10-0.srh20.12 (embed) + - yacas (embed) + NOTE: <= 1.0.x; is using pcre to scan text, can execute shell commands via the syntax anyway + - gtamsanalyzer.app 0.42-5 (embed) + - tin (embed) + - kazehakase 0.5.2-1 + - webkit 1.0.1-1 (embed) + - qt4-x11 (embed) + NOTE: embedded via webkit copy + - erlang (embed) + +tiff + - wxwindows2.4 2.2.1 (embed) + +uudeview + - libconvert-uulib-perl (embed) + - pan (embed) + +sqlite (not affected by security vulnerabilities so far) + - amarok (embed) + - monotone 0.43-1 (embed) + - iceweasel (embed) + +util-linux/mount + - loop-aes-utils (embed) + NOTE: contains code from util-linux' mount in the mount-aes-udeb + +sylpheed + - sylpheed-claws (fork) + +phpsysinfo + - egroupware (embed) + - phpgroupware (embed) + +phpldapadmin + [sarge] - egroupware (embed) + NOTE: removed from egroupware after sarge + +chmlib + - kchmviewer (embed) + +ffmpeg (libavcodec/libavformat) + - mplayer 1.0~rc2-14 (embed; bug #395252) + - kino 1.0.0-1 + - vlc (Links dynamically since initial release) + - smilutils 0.3.0-10 + NOTE: smilutils likely fixed earlier, marking Etch's version as fixed + - motion 3.1.19-1 + - gstreamer0.10-ffmpeg 0.10.3-2 + - xmovie (static) + TODO: gimp-gap (potentially using ffmpeg code as well) + - avifile (embed; bug #538750) + +faad2 + - mplayer 1.0~rc2-20 (embed) + - avifile 
(embed; bug #538750) + +libmad (MPEG decoding lib) + - xine-lib (embed) + - avifile (embed) [./plugins/libmad/*] + TODO: check ocaml-mad, madplay, pymad, xmms-mad, xmms2 + +libdts + - xine-lib (embed) + +flac + - xine-lib (embed) + +liba52 + - a52dec (embed) + - xine-lib (embed) + +libmpeg2 + - mpeg2dec (embed) + - xine-lib (embed) + +libntlm + - wget (fork; bug #550436) + - curl (fork; bug #550437) + - cntlm (fork; bug #550438) + +uw-imap + - pine (embed) + - alpine (embed) + +imagemagick + - graphicsmagick (fork) + +python-urlgrabber + - mercurial (embed; bug #531062) + +python-mechanize + - beautifulsoup (embed) + +halibut + - nsis (fork) + +libghttp + - hotway (embed) + +libsndfile + - ardour 1:2.7.1-1 (embed) + +glibmm2.4 + - ardour 1:2.7.1-1 (embed) + +libgnomecanvasmm2.6 + - ardour 1:2.7.1-1 (embed) + +libsigc++-2.0 + - ardour 1:2.7.1-1 (embed) + +soundtouch + - ardour 1:2.7.1-1 (embed) + +libmms + - xine-lib (embed) + - mimms (embed) + +fckeditor + - knowledgeroot 0.9.8.5-3 (embed; bug #461555) + - moin 1.8.2-2 (embed; bug #452599) + - karrigell (embed; bug #452598) + - gforge 4.6.99+svn6225-1 (embed) + - request-tracker3.8 (embed) + +ipatlas (not packaged in Debian) + - moodle (embed; bug #507185) + +libphp-phpmailer + - moodle (embed; bug #507185) + - mahara (embed) + - symfony (embed) + [etch] - phpgroupware (embed) + NOTE: phpgroupware-felamimail is only in etch + - egroupware (embed; bug #504283) + - glpi + +htmlArea (not packaged in Debian) + - moodle (embed) + +giflib: + - wine (embed; bug #466181) + +bennu (not packaged in Debian, http://bennu.sourceforge.net) + - moodle (embed) + +smarty: + - moodle 1.8.2-2 (embed; bug #471158) + - gallery2 2.2.5-2 (embed; bug #471160) + - mahara 0.9.2-2 (embed; bug #471201) + - gosa 2.4beta1-1 (embed; bug #471200) + +TinyMCE + - wordpress 2.5.1-3 (embed; bug #478257) + - moodle (embed; bug #507185) + - knowledgeroot (embed) + - joomla (bug #326398) + +scintilla (upstream provides static lib, rejected shared lib 
http://sf.net/support/tracker.php?aid=2488121) + - scite (embed) + - qscintilla (embed) + - qscintilla2 (embed) + - geany (fork) + - anjuta (embed) + +libphp-adodb + - moodle (embed; bug #507185) + NOTE: also AdoDB-XML Schema + - gallery2 (embed) + - phppgadmin (embed) + - egroupware (embed) + - phpwiki (embed) + - torrentflux 2.0beta1-2 (embed) + - ipplan (embed) + - typo3-src (embed) + - cacti (embed) + [sarge] - cacti (embed) + NOTE: dependency exists, but internal version is used + - gforge 4.7~rc2-6 (embed) + - mahara (embed) + +gzip + - linux-kernel (embed) + NOTE: lib/inflate.c + - klibc (embed) + NOTE: based on linux-kernel gzip code + - busybox (embed) + +neon + - cadaver 0.22.3+debian-1 (embed; bug #188381) + - gnome-vfs2 (embed; bug #395874) + [etch] - litmus (embed; #395875) + - litmus (embed; #395875) + [sarge] - screem (embed) + - sitecopy 1:0.16.3-5 (embed; bug #395876) + [etch] - tla (embed; bug #395877) + [sarge] - tla (embed; bug #395877) + +libmodplug + - gst-plugins-bad0.10 (embed) + +libvncserver + - vino (embed) + +putty + - filezilla (embed) + +tinyxml (not packaged in Debian) + - filezilla + +gv + - evince (embed) + NOTE: ps/ tree from gv 3.5.8 + NOTE: evince-gtk is affected (a component of evince source package) + +libXbae + - paw (embed) + [etch] - paw (embed) + +libgtkhtml + - claws-mail-extra-plugins (fork) + +libXaw + - paw (embed) + [etch] - paw (embed) + NOTE: I plan to deal with the above two cases after Etch release. -- KevinMcCarty + +libgd2 + - graphviz (embed) + NOTE: lib/gd seems to be 2.0.33 + - wml (embed) + - libwmf (embed) + NOTE: derived from gd 1.6.3 + +rar + - unrar-nonfree (embed) + +unrar-free (maybe this code is derived from the original rar, too?) 
+ - clamav (embed) + NOTE: seems to be disabled in default config + +mplayer (DirectMedia Object loader) + - xine-lib (embed) + NOTE: src/libw32dll/ + - vlc (embed) + NOTE: modules/codec/dmo/ + - mplayer 1.0~rc2-20 (embed) + +libwpd (WordPerfect converter) + - openoffice.org (embed) + +fsplib (http://sourceforge.net/projects/fsp/) + - gftp (embed) + NOTE: lib/fsplib version 0.3 + +sprng + - tree-puzzle (embed) + +librpcsecgss + - krb5 (embed) + +jasper + - ghostscript (embed) + - gs-gpl (embed) + +libiris + - psi (embed) + - kdenetwork (embed) + NOTE: kopete embeds libiris but links dynamically to libidn + - kdegames (embed) + NOTE: ksirk/kde4 + +libidn + - monotone 0.43-1 (embed) + - psi (embed) + NOTE: psi embeds libiris which embeds libidn + - kdegames (embed) + NOTE: kdegames/kde4 embeds libiris which embeds libidn + +liblua + - monotone 0.43-1 (embed) + - nmap (embed; bug #527997) + NOTE: fixed upstream as of nmap svn rev13336. + +libbotan + - monotone 0.43-1 (embed) + +NetXX + - monotone 0.43-1 (embed) + +libgc + - mono (embed) + +lzma + - p7zip (embed) + - xz-utils (fork) + +lzo + - grub2 (embed) + +yassl + - mysql-dfsg-5.0 (embed) + +pax code + - tar (embed) + - cpio (embed) + +t1lib + - tetex-bin 2.0.2-1 (embed) + - texlive-bin (embed) + +guichan + - boswars (embed) + NOTE: maintainer notified us, working on it + +tolua + - boswars (embed) + NOTE: maintainer notified us, working on it + +asio-dev + - luxrender (embed) + NOTE: maintainer notified us, working on it + NOTE: may be merged with boost "soon" + +xine-lib + - vlc (embed) + NOTE: only parts included in modules/access/rtsp + +netpbm + - tcl8.3 (embed) + - tcl8.4 (embed) + - tcl8.5 (embed) + NOTE: generic/tkImgGIF.c + +tk8.5 + - tk8.0 (old-version) + - tk8.3 (old-version) + - tk8.4 (old-version) + - perl-tk (fork) + +samba + - mc 2:4.6.2~git20080311-1 (embed) + NOTE: maintainer is aware of this, currently searching a solution + +plib1.8.4c2 + - boson (fork) + NOTE: embedding the font pieces of plib, 
based on the header file it is forked, contains "Added by AB for boson." and similar + +fribidi + - quesoglc (embed) + NOTE: compiled against system fribidi in Debian - embed only used when fribidi is not available on the system + +glew + - quesoglc (embed; bug #489341) + NOTE: waiting on GLEW_MX version of glew (see bug #474488) + +minorGems (pabs contacted upstream about shared lib, he considers minorGems an 'ever-evolving collection of reusable code fragments' for his own use) + - transcend (embed) + - cultivation (embed) + - passage (embed) + - gravitation (embed) + +tar + - libarchive (embed) + NOTE: FreeBSD tar (tar/bsdtar.c) in libarchive 1.2 and higher. libarchive ends up statically linked into bsdtar executable + +cpio + - libarchive (embed) + NOTE: cpio included in libarchive 2.2 and higher, but not compiled until libarchive 2.4.11-1 (as bsdcpio package) + +webkit + - qt4-x11 (embed) + +ftgl + - blender 2.46+dfsg-1 (embed) + +wv + - abiword + +qemu + - kvm (embed; bug #543159) + - xen-3 (embed) + - xen-unstable (embed) + +vgabios + - kvm (embed; bug #489442) + +bochs + - kvm (embed; bug #489442) + +speex + - vorbis-tools (embed) + NOTE: while comiled against libspeex-dev, ogg123/speex_format.c is compiled with embedded code copied from speexdec.c + - gst-plugins-good0.10 (embed) + - xine-lib (embed) + - libfishsound (embed) + - libannodex (embed) + - vlc (embed) + - xmms-speex (embed) + - libsdl-sound1.2 (embed) + - sweep (embed) + +libreadline + - magic (old-version) + +opcode + - ode (embed) + NOTE: opcode is not a package in debian, it is just embedded + NOTE: http://www.codercorner.com/Opcode.htm + +gimpact + - ode (embed) + NOTE: gimpact is not a package in debian, it is just embedded + NOTE: http://gimpact.sf.net + +mochikit + - mahara (embed) + NOTE: they require extra patches, still unmerged upstream + - ntop (embed) + - coherence (embed) + NOTE: python-coherence + - paste (embed) + NOTE: python-paste + - turbogears (embed) + NOTE: 
python-turbogears + - plone3 (embed) + NOTE: zope-plone3 + +prototypejs + - netbeans-ide 6.0.1+dfsg-2 (embed) + - auth2db (embed) + - webcit (embed) + NOTE: citadel-webcit + - asterisk (embed) + - doc-iana (embed) + - libaws (embed) + NOTE: libaws-doc + - libgettext-ruby (embed) + NOTE: libgettext-ruby-data + - libjson-ruby (embed) + NOTE: libjson-ruby-doc + - lucene2 (embed) + NOTE: liblucene2-java-doc + - libopenid-ruby (embed) + - solr (embed) + NOTE: solr-common + - glpi (embed) + - mnemo2 (embed) + - nag2 (embed) + - knowledgeroot (embed) + - mediatomb (embed) + NOTE: mediatomb-common + - mt-daapd (embed) + - op-panel (embed) + - ebug-http (embed) + - phpgedview (embed) + - poker-network (embed) + NOTE: poker-web + - webhelpers (embed) + NOTE: python-webhelpers + - qwik (embed) + - rails (embed) + - typo3-src (embed) + - wordpress 2.5.0-2 (embed) + - zope (embed) + NOTE: zope-plone3 + - smokeping (embed) + - ampache 3.4.1-2 (embed) + - exaile (embed) + - hobix (embed) + - pixelpost (embed) + - symfony (embed) + NOTE: it's been said that there are custom changes + - zabbix (embed) + NOTE: zabbix-frontend-php + - turba2 (embed) + +gdb + - insight (embed) + +e2fsprogs + - ldiskfsprogs (fork) + +quazip (not packaged in Debian) + - qcake (embed) + NOTE: starting with upstream version 0.6.4 + +exo + - pcmanfm (embed; bug #499677) + NOTE: slightly modified source code + +java + - openjdk-6 + - sun-java5 + - sun-java6 + +libphp-snoopy + - ampache 3.4.1-2 (embed; bug #504169) + - mahara 1.0.5-2 (embed; bug #504170) + - pixelpost 1.7.1-5 (embed; bug #504171) + - mediamate 0.9.3.6-5 (embed; bug #504172) + - opendb (embed; bug #504173) + [etch] - opendb (embed; bug #504173) + - wordpress 2.5.1-9 (embed; bug #443948) + - moodle (embed; bug #507185) + [etch] - phpgroupware (embed) + NOTE: phpgroupware-felamimail + - magpierss 0.72-3 (embed; bug #431089) + +jquery + - zekr (embed) + - wordpress (embed) + - yocto-reader (embed) + - textpattern (embed) + - genshi 0.5.1-1 
(embed) + NOTE: compressed file under examples/ dir + - prewikka (embed) + - libramaze-ruby (embed) + - drupal5 (embed) + - b2evolution (embed) + - wesnoth (embed) + +tablesorter (jquery plugin, not packaged yet) + - wesnoth (embed) + +kses + - wordpress (embed; bug #504242) + NOTE: their copy has all methods renamed to wp_ + NOTE: kses isn't in Debian, RFP: #504240 + - moodle (embed; bug #507185) + - egroupware (embed) + +magpierss + - wordpress (embed; bug #504242) + - moodle + +php-gettext + - wordpress 2.8.4-1 (embed; bug #504242) + +libphp-ixr (name may change, it is the Incutio XML-RPC) + - wordpress (embed; bug #504242) + NOTE: libphp-ixr isn't in Debian, RFP: #504236 + - dokuwiki (embed) + - textpattern (embed) + +libphp-cas + - glpi (embed) + - moodle (embed; bug #505984) + +scriptaculous + - glpi (embed) + - libaws (embed) + NOTE: libaws-doc + - op-panel (embed) + - symfony (embed) + NOTE: maintainer says there are extra incompatible changes required + - pixelpost (embed) + - webhelpers (embed) + NOTE: python-webhelpers + - qwik (embed) + - smokeping (embed) + - turba2 (embed) + - typo3-src 4.2.3-1 (embed) + +libmarkdown-php + - moodle (embed; bug #507185) + - pixelpost (embed) + +php-openid + - wordpress-openid (embed) + +geshi + - dokuwiki 0.0.20080505-3.1 (embed) + - pgfouine 1.0-1.1 (embed) + - websvn 2.1.0-1 (embed) + +webcalendar + - gforge 4.7~rc2-6 (embed; bug #504758) + +libical + - kdepim (fork) + - kdepimlibs (fork) + NOTE: fixed in KDE4 post 4.1.x series + - claws-mail-extra-plugins (fork) + +libltdl3 + - kdelibs (embed) + NOTE: it's been said it sets RT_GLOBAL (or something like that) at runtime and version in experimental of libltdl can optionally set it + - synfig (embed) + +harfbuzz + - qt4-x11 (embed) + +libzip + - php5 (fork) + - odt2txt (embed; bug #523808) + +json.php (not packaged; should be replaced with php's built-in functions) + - moodle + - yui + - gallery2 + - dokuwiki + - typo3-src + +php-fpdf + - tcpdf (fork) + - moodle + - 
phpwiki + - egroupware + - ldap-account-manager (fork) + +tcpdf (itp: #495985) + - moodle + - phpmyadmin + +typo3 + - moodle + +spreadsheet_writeexcel (PHP port of libspreadsheet-writeexcel-perl; itp: #487557) + - moodle + - gosa + +php-ole (itp: #487558) + - moodle + +pieforms (http://www.catalyst.net.nz) + - mahara + +savant2 (http://phpsavant.com) + - egroupware + +rssparser (http://nwow.org) + - egroupware + - phpgroupware + +lcms + - openjdk-6 (fork) + +libphp-phplayersmenu + - diogenes + - phpldapadmin + +libphp-pclzip + - docvert + - moodle + - egroupware + +libphp-simplepie + - dokuwiki + +libphp-jpgraph + - egroupware + +php-simpletest + - moodle + +libpng + - iceweasel (uses xulrunner) + - icedove 1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1, 2.0.0.19-1 (embed) + - iceape 1.0.13~pre080614i-0etch1 (embed) + - xulrunner 1.9.0.13-1 (embed) + [lenny] - xulrunner 1.9.0.11-0lenny1 + [etch] - xulrunner 1.8.0.15~pre080614i-0etch1 (embed) + +irssi + - silc-client (embed) + NOTE: Seems to be a pre-0.8.12 version that is used in irssi-plugin-silc + +extc + - mtasc (embed) + - haxe (embed) + +swflib + - mtasc (embed) + - haxe (embed) + +libitext-java + - bouncycastle 2.1.4-1 (embed) + +python-ply + - pyke (embed) + +libdumbnet (libdnet upstream) + - nmap (fork) + +gcc-4.4 + - gcc-mingw32 (embed) + +camlimages + - advi (static; bug #550441) + +memcached + - memcachedb (embed) + +yajl + - argyll (embed; bug #544223) + NOTE: reference, confirmed by build logs: http://lists.debian.org/debian-mentors/2009/08/msg00062.html + +libept + - adept (embed; bug #540649) + +libvorbis + - iceweasel (uses xulrunner) + - xulrunner (introduced in 1.9.1) + TODO: recheck when xulrunner 1.9.1 enters unstable [- xulrunner (embed; bug #540959)] + +cairo + - iceweasel (uses xulrunner) + - xulrunner 1.8.0.15~pre080614i-0etch1 (embed) + +php-net-dnsbl + - serendipity (embed) + +php-onyx-rss + - serendipity (embed) + +php-text-wiki + - serendipity (embed) + +php-xml-rpc + - serendipity 
(embed) + +polarssl (does not have a shared library) + - pdkim (embed; bug #543150) + - xyssl (old-version) + +pidgin + - gaim (old-version) + +icu + - webkit 1.0.1-1 (embed; bug #547214) + - texlive-bin (fork) + NOTE: texlive upstream working with icu upstream to merge their changes + +cyrus-imapd-2.2 + - kolab-cyrus-imapd (fork) + - dovecot 1:1.2.1-1 (embed) [/dovecot-sieve/src/libsieve/*] + +python-cxx-dev + - freecad (embed; bug #547936) + +libzipios++-dev + - freecad (embed; bug #547941) + +linux-2.6 + - kvm (embed; bug #549973) [./kernel/*] + - linux-kbuild-2.6 (embed; bug #550379) [./kbuild/*] + - kernel-source-2.6.8 (old-version) + - kernel-source-2.4.27 (old-version) + - kernel-source-2.4.24 (old-version) + - kernel-source-2.2.25 (old-version) + - kernel-source-2.2.20 (old-version) + +libfdt (not yet packaged separately for debian; http://www.jdl.com/software/) + - kvm (embed) [./libfdt/*] + +qweb (not packaged) + - ajaxterm + +opensaml2 + - opensaml (old-version) + +shibboleth-sp2 + - shibboleth-sp (old-version) + +tuxonice-userui + - suspend2-userui (old-version) + +expat + - w3c-www (embed; bug #551941) [./modules/expat/*] + - python-xml (embed; bug #551940) [./extensions/expat/*] + +xerces-c + - xerces-c2 (old-version) + - xerces27 (old-version) -zlib code: (separate between 1.2 and 1.1) -dpkg -rsync -mozilla-firefox -mozilla(?) -Linux kernels +md5 (RSA's version; not the gnu version provided by coreutils) + - w3c-www (embed; bug #551942) [./modules/md5/*] +enet + - sauerbraten (embed; #497194) -libgadu/ekg: -centericq -gaim -kopete (ships the code, but links dynamically in the Debian package) -kadu (not packaged in Debian) -GNU gadu (not packaged in Debian) - - -xmlrpc: (which package is the "origin" of this code?) -drupal -phpgroupware -egroupware -phpwiki -php4 (php-pear, IIRC this was reorganized some weeks ago?) 
-tikiwiki (not packaged in Debian) - - -shtool: (affects build-time only) -mysql-ocaml -php4 - - -mozilla: -mozilla-firefox -mozilla-thunderbird -nvu - - -xli: -xloadimage - - -lesstif: (beware: two different lesstif APIs supported in one package, 1.2 discarded upstream) -openmotif -xfree86/xorg (in libxpm, still the case with x.org? - - -kerberized apps with BSD origin: -krb4 -krb5 -heimdal - - -grip: (which pkg is the origin?) -libcdaudio -grip -gnome-vfs (vfs2 as well?) - - -fudforum: -phpgroupware-fudforum -egroupware-fudforum - - -cvs: -gcvs (at least an additional script is included, check if there's more) - -pcre: -python -php4 (src included, but Debian package links dynamically) -analog (src included, but Debian package links dynamically) -libgoffice-1 - -tiff: -wxpythongtk (check, which debian pkg this is in) -older kdegraphics/kpdf releases < 3.3 embedded a copy - -uudeview: -libconvert-uulib-perl - -sqlite: (not affected by security vulnerabilities so far) -amarok - -uudeview: -libconvert-uulib-perl +eglibc + - glibc (old-version)
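Review bot: Several added entries do not match the entry format that the new header of this hunk declares, and since the header introduces a ---BEGIN marker with everything before it ignored, the file looks intended for parsing, so the deviations are worth fixing before commit. Under zlib, the entries from zsync through fpc (and also winff and lazarus) carry no sort at all, and erlang is listed twice there, once bare and once as (embed). Elsewhere, "- litmus (embed; #395875)" drops the word "bug" (as does the sauerbraten entry under enet), "- joomla (bug #326398)" has a bug number but no sort, and "- vlc (Links dynamically since initial release)" puts free text where a sort is expected. The section names giflib: and smarty: keep a trailing colon that every other section drops. Suggested changes: give every entry a sort or state in the header that it is optional, merge the duplicate erlang line, and either document the trailing bracketed path annotation (used on the avifile, dovecot, kvm, w3c-www and python-xml entries) in the Format section or move those paths into NOTE lines. There is also a typo, "comiled", in the NOTE under speex for vorbis-tools.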