Embedded code copies
====================

This file collects source packages that embed code from other projects.
This is considered bad for fixing security flaws because the fix needs
to be applied in multiple source packages.

Format: () - (; bug #)
	NOTE: optional comments about the linkage of the embedding srcpkg

	status: version number fixing the embedded copy, , , or if the version number can not be determined for unavoidable cases (e.g., forks that add real value)
	sort:
		static (linking statically against a lib)
		embed (embedding a copy of the library into another source package)
		fork (the package is not just embedding code but it is a fork and thus might share parts of the source code)
		old-version (the package is an older version of essentially the same code)

The srcpkg might be some string to identify the code if there is no specific source package.

Everything up to the next line is ignored.
---BEGIN

xpdf (some srcpkgs use xpdf2 code, some xpdf3 code)
	NOTE: Fixed packages link to poppler library unless otherwise noted
	- gpdf
	[sarge] - gpdf
	NOTE: has been replaced by evince in etch
	- pdftohtml
	[sarge] - pdftohtml
	[etch] - pdftohtml
	NOTE: has been replaced by poppler-utils
	- kdegraphics 4:4.2.2-1 (embed; bug #436164)
	- texlive-base 3.0-12 (embed)
	- texlive-bin 2007-1 (embed)
	NOTE: links to poppler
	- koffice (embed; bug #436163)
	- libextractor 0.5.12-1 (embed)
	NOTE: libextractor is using its own pdf decoder now
	- pdfkit.framework 0.8-4 (embed)
	- ipe (embed)
	NOTE: embeds small parts with renamed source files: ipestdfonts.cpp, ipefonts.cpp, ipedct.cpp
	- ruby-gnome2 (embed)
	NOTE: copy only present in source but links to poppler
	- pdfedit (embed; bug #510794)
	- swftools (embed)

ppmd
	- libcomplearn-mod-ppmd (embed; bug #458152)

peercast
	- gnome-peercast (embed)
	NOTE: gnome-peercast may better be removed, see #466539

silc-toolkit
	- silc-client 1.1~beta6-1 (embed)

icclib
	- ghostscript (embed)
	- argyll (embed)

dietlibc
	- ccontrol 0.9.1+20071204-1 (static)

libmikmod
	- sdl-mixer1.2 (embed)
	TODO: report bug

libiax
	- iaxmodem (embed)

zlib (lots of apps embed a copy, but link dynamically, but there are a few exceptions)
	- dpkg (embed)
	NOTE: see 18196.48620.491996.624772@davenant.relativity.greenend.org.uk on debian-devel for discussion
	- rsync (embed)
	NOTE: somehow derived code base
	- mono (embed)
	TODO: check mozilla
	- Linux kernels (embed)
	- pvpgn 1.7.8-2 (embed)
	- mrtg 2.12.2-1 (embed)
	- rpm (embed)
	NOTE: pinged anibal since when rpm was fixed
	- tuxcmd-modules (embed)
	- zsync
	- tra
	- sash
	- nsis
	- mseide-msegui
	NOTE: mseide
	- mirrordir
	- poco
	- klibc
	- ghostscript
	- freeimage
	- clamav (fork)
	NOTE: from the changelog: "libclamav6 does indeed duplicate parts of the zlib code, but there is not way around that"
	- tuxonice-userui
	- plt-scheme
	- perl
	- paraview
	- gcvs
	- erlang
	- dump
	- aide (static)
	- dar (static)
	- avfs
	- fpc
	- winff
	NOTE: inherited from fpc, see #472304
	- lazarus
	NOTE: inherited from fpc, see #472304

libbz2
	- dpkg (static)

libgadu:
	- centericq (embed)
	- gaim (embed)
	- pidgin (embed)(links dynamically against libgadu) (that should be fixed, then???)
	- kdenetwork 4:3.3.2-5 (embed)
	NOTE: from kdenetwork: kopete
	- gadu (embed)
	- ekg 1:1.8~rc0-1 (embed)
	- kadu 0.6.0.2-3 (embed; bug #504430)
	NOTE: gadu not packaged in Debian yet

xmlrpc (which package is the "origin" of this code?)
	- drupal (embed)
	- phpgroupware (embed)
	- egroupware (embed)
	- phpwiki (embed)
	- php4 (embed)
	TODO: check, php-pear, IIRC this was reorganized some weeks ago?

shtool (affects build-time only)
	- mysql-ocaml (embed)
	- php4 (embed)

mozilla source code
	- mozilla-firefox (embed)
	- mozilla-thunderbird
	- firefox
	- thunderbird
	- iceweasel (embed)
	- iceape (embed)
	- icedove (embed)
	- xulrunner (embed)
	- nvu (embed)

xli
	- xloadimage (embed)

lesstif (beware: two different lesstif APIs supported in one package, MOTIF 1.2 discarded upstream)
	- openmotif (embed)
	- libxpm (embed)

kerberized apps with BSD origin
	- krb4 (embed)
	- krb5 (embed)
	- heimdal (embed)

grip (which pkg is the origin?)
	- libcdaudio
	- grip
	- gnome-vfs
	TODO: check vfs2 as well

fudforum
	[etch] - phpgroupware (embed)
	NOTE: phpgroupware-fudforum
	[sarge] - egroupware-fudforum (embed)

cvs
	- gcvs (embed)
	NOTE: see cvsunix/src in tarball

pcre
	- python* (embed)
	- php4 (embed)
	- analog 2:5.23-0woody1 (embed)
	- goffice (embed)
	NOTE: libgoffice-*
	- vfu 4.06-4.1 (embed; bug #450754)
	- tf5 5.0beta7-1 (embed)
	- monotone 0.43-1 (embed)
	NOTE: this only affects versions >= 0.37
	- glib2.0 2.15.2-1 (embed)
	- apache2 2.0.53-4 (embed)
	- exim4 4.10-0.srh20.12 (embed)
	- yacas (embed)
	NOTE: <= 1.0.x; is using pcre to scan text, can execute shell commands via the syntax anyway
	- gtamsanalyzer.app 0.42-5 (embed)
	- tin (embed)
	- kazehakase 0.5.2-1
	- webkit (embed)
	- qt4-x11 (embed)
	NOTE: embedded via webkit copy

tiff
	- wxwindows2.4 2.2.1 (embed)

uudeview
	- libconvert-uulib-perl (embed)
	- pan (embed)

sqlite (not affected by security vulnerabilities so far)
	- amarok (embed)
	- monotone 0.43-1 (embed)
	- iceweasel (embed)

util-linux/mount
	- loop-aes-utils (embed)
	NOTE: contains code from util-linux' mount in the mount-aes-udeb

webmin
	- usermin (embed)
	[sarge] - usermin (embed)

sylpheed
	- sylpheed-claws (fork)

phpsysinfo
	- egroupware (embed)
	- phpgroupware (embed)

phpldapadmin
	[sarge] - egroupware (embed)
	NOTE: removed from egroupware after sarge

chmlib
	- kchmviewer (embed)

libavcodec/libavformat (source: ffmpeg)
	- mplayer 1.0~rc2-14 (embed; bug #395252)
	- kino 1.0.0-1
	- vlc (Links dynamically since initial release)
	- smilutils 0.3.0-10
	NOTE: smilutils likely fixed earlier, marking Etch's version as fixed
	- motion 3.1.19-1
	- gstreamer0.10-ffmpeg 0.10.3-2
	- xmovie
	TODO: gimp-gap (potentially using ffmpeg code as well)

faad2
	- mplayer 1.0~rc2-20 (embed)

mad MPEG decoding lib
	- mad (embed)
	- xine-lib (embed)

libdts
	- xine-lib (embed)

flac
	- xine-lib (embed)

liba52
	- a52dec (embed)
	- xine-lib (embed)

libmpeg2
	- mpeg2dec (embed)
	- xine-lib (embed)

curl
	- wget (embed)
	NOTE: code for NTLM authentication

uw-imap
	- pine (embed)
	- alpine (embed)

imagemagick
	- graphicsmagick (fork)

halibut
	- nsis (fork)

libghttp
	- hotway (embed)

libsndfile
	- ardour 1:2.7.1-1 (embed)

glibmm2.4
	- ardour 1:2.7.1-1 (embed)

libgnomecanvasmm2.6
	- ardour 1:2.7.1-1 (embed)

libsigc++-2.0
	- ardour 1:2.7.1-1 (embed)

soundtouch
	- ardour 1:2.7.1-1 (embed)

libmms
	- xine-lib (embed)
	- mimms (embed)

fckeditor
	- knowledgeroot 0.9.8.5-3 (embed; bug #461555)
	- moin 1.8.2-2 (embed; bug #452599)
	- karrigell (embed; bug #452598)
	- gforge 4.6.99+svn6225-1 (embed)

ipatlas (not packaged in Debian)
	- moodle (embed; bug #507185)

libphp-phpmailer
	- moodle (embed; bug #507185)
	- mahara (embed)
	- symfony (embed)
	[etch] - phpgroupware (embed)
	NOTE: phpgroupware-felamimail is only in etch
	- egroupware (embed; bug #504283)
	- glpi

htmlArea (not packaged in Debian)
	- moodle (embed)

giflib:
	- wine (embed; bug #466181)

bennu (not packaged in Debian, http://bennu.sourceforge.net)
	- moodle (embed)

smarty:
	- moodle 1.8.2-2 (embed; bug #471158)
	- gallery2 2.2.5-2 (embed; bug #471160)
	- mahara 0.9.2-2 (embed; bug #471201)
	- gosa 2.4beta1-1 (embed; bug #471200)

TinyMCE
	- wordpress 2.5.1-3 (embed; bug #478257)
	- moodle (embed; bug #507185)
	- knowledgeroot (embed)
	- joomla (bug #326398)

scintilla (upstream provides static lib, rejected shared lib http://sf.net/support/tracker.php?aid=2488121)
	- scite (embed)
	- qscintilla (embed)
	- qscintilla2 (embed)
	- geany (fork)
	- anjuta (embed)

libphp-adodb
	- moodle (embed; bug #507185)
	NOTE: also AdoDB-XML Schema
	- gallery2 (embed)
	- phppgadmin (embed)
	- egroupware (embed)
	- phpwiki (embed)
	- torrentflux 2.0beta1-2 (embed)
	- ipplan (embed)
	- typo3-src (embed)
	- cacti (embed)
	[sarge] - cacti (embed)
	NOTE: dependency exists, but internal version is used
	- gforge 4.7~rc2-6 (embed)
	- mahara (embed)

gzip
	- linux-kernel (embed)
	NOTE: lib/inflate.c
	- klibc (embed)
	NOTE: based on linux-kernel gzip code
	- busybox (embed)

neon
	- cadaver (embed; bug #188381)
	- gnome-vfs2 (embed; bug #395874)
	- litmus (embed; #395875)
	[sarge] - screem (embed)
	- sitecopy (embed; bug #395876)
	[etch] - tla (embed; bug #395877)
	[sarge] - tla (embed; bug #395877)

libmodplug
	- gst-plugins-bad0.10 (embed)

libvncserver
	- vino (embed)

putty
	- filezilla (embed)

tinyxml (not packaged in Debian)
	- filezilla

gv
	- evince (embed)
	NOTE: ps/ tree from gv 3.5.8
	- evince-gtk (embed)
	NOTE: not packaged in Debian

libXbae
	[etch] - libpawlib2-lesstif (embed)
	NOTE: from Cernlib

libXaw
	[etch] - libpawlib2-lesstif
	NOTE: from Cernlib
	NOTE: I plan to deal with the above two cases after Etch release. -- KevinMcCarty

libgd2
	- graphviz (embed)
	NOTE: lib/gd seems to be 2.0.33
	- wml (embed)
	- libwmf (embed)
	NOTE: derived from gd 1.6.3

rar
	- unrar-nonfree (embed)

unrar-free (maybe this code is derived from the original rar, too?)
	- clamav (embed)
	NOTE: seems to be disabled in default config

mplayer (DirectMedia Object loader)
	- xine-lib (embed)
	NOTE: src/libw32dll/
	- vlc (embed)
	NOTE: modules/codec/dmo/
	- mplayer 1.0~rc2-20 (embed)

libwpd (WordPerfect converter)
	- openoffice.org (embed)

fsplib (http://sourceforge.net/projects/fsp/)
	- gftp (embed)
	NOTE: lib/fsplib version 0.3

sprng
	- tree-puzzle (embed)

librpcsecgss
	- krb5 (embed)

jasper
	- ghostscript (embed)
	- gs-gpl (embed)

libiris
	- psi (embed)
	- kdenetwork (embed)
	NOTE: kopete embeds libiris but links dynamically to libidn
	- kdegames (embed)
	NOTE: ksirk/kde4

libidn
	- monotone 0.43-1 (embed)
	- psi (embed)
	NOTE: psi embeds libiris which embeds libidn
	- kdegames (embed)
	NOTE: kdegames/kde4 embeds libiris which embeds libidn

liblua
	- monotone 0.43-1 (embed)
	- nmap (embed; bug #527997)
	NOTE: fixed upstream as of nmap svn rev13336.

libbotan
	- monotone 0.43-1 (embed)

NetXX
	- monotone 0.43-1 (embed)

libgc
	- mono (embed)

lzma
	- p7zip (embed)

lzo
	- grub2 (embed)

yassl
	- mysql-dfsg-5.0 (embed)

pax code
	- tar (embed)
	- cpio (embed)

t1lib
	- tetex-bin 2.0.2-1 (embed)
	- texlive-bin (embed)

guichan
	- boswars (embed)
	NOTE: maintainer notified us, working on it

tolua
	- boswars (embed)
	NOTE: maintainer notified us, working on it

asio-dev
	- luxrender (embed)
	NOTE: maintainer notified us, working on it
	NOTE: may be merged with boost "soon"

xine-lib
	- vlc (embed)
	NOTE: only parts included in modules/access/rtsp

netpbm
	- tcl8.3 (embed)
	- tcl8.4 (embed)
	- tcl8.5 (embed)
	NOTE: generic/tkImgGIF.c

tk8.5
	- tk8.0 (old-version)
	- tk8.3 (old-version)
	- tk8.4 (old-version)
	- perl-tk (fork)

samba
	- mc 2:4.6.2~git20080311-1 (embed)
	NOTE: maintainer is aware of this, currently searching a solution

plib1.8.4c2
	- boson (fork)
	NOTE: embedding the font pieces of plib, based on the header file it is forked, contains "Added by AB for boson." and similar

fribidi
	- quesoglc (embed)
	NOTE: compiled against system fribidi in Debian - embed only used when fribidi is not available on the system

glew
	- quesoglc (embed; bug #489341)
	NOTE: waiting on GLEW_MX version of glew (see bug #474488)

minorGems (pabs contacted upstream about shared lib, he considers minorGems an 'ever-evolving collection of reusable code fragments' for his own use)
	- transcend (embed)
	- cultivation (embed)
	- passage (embed)
	- gravitation (embed)

tar
	- libarchive (embed)
	NOTE: FreeBSD tar (tar/bsdtar.c) in libarchive 1.2 and higher. libarchive ends up statically linked into bsdtar executable

cpio
	- libarchive (embed)
	NOTE: cpio included in libarchive 2.2 and higher, but not compiled until libarchive 2.4.11-1 (as bsdcpio package)

webkit
	- qt4-x11 (embed)

ftgl
	- blender 2.46+dfsg-1 (embed)

wv
	- abiword

qemu
	- kvm (embed)
	- xen-3 (embed)
	- xen-unstable (embed)

bochs
	- kvm (embed; bug #489442)

speex
	- vorbis-tools (embed)
	NOTE: while compiled against libspeex-dev, ogg123/speex_format.c is compiled with embedded code copied from speexdec.c
	- gst-plugins-good0.10 (embed)
	- xine-lib (embed)
	- libfishsound (embed)
	- libannodex (embed)
	- vlc (embed)
	- xmms-speex (embed)
	- libsdl-sound1.2 (embed)
	- sweep (embed)

libreadline
	- magic (old-version)
	NOTE: magic is currently an RFS

opcode
	- ode (embed)
	NOTE: opcode is not a package in debian, it is just embedded
	NOTE: http://www.codercorner.com/Opcode.htm

gimpact
	- ode (embed)
	NOTE: gimpact is not a package in debian, it is just embedded
	NOTE: http://gimpact.sf.net

mochikit
	- mahara (embed)
	NOTE: they require extra patches, still unmerged upstream
	- ntop (embed)
	- coherence (embed)
	NOTE: python-coherence
	- paste (embed)
	NOTE: python-paste
	- turbogears (embed)
	NOTE: python-turbogears
	- plone3 (embed)
	NOTE: zope-plone3

prototype
	- netbeans-ide (embed)
	- auth2db-frontend (embed)
	- webcit (embed)
	NOTE: citadel-webcit
	- asterisk (embed)
	- doc-iana (embed)
	- libaws (embed)
	NOTE: libaws-doc
	- libgettext-ruby (embed)
	NOTE: libgettext-ruby-data
	- libjson-ruby (embed)
	NOTE: libjson-ruby-doc
	- lucene2 (embed)
	NOTE: liblucene2-java-doc
	- libopenid-ruby (embed)
	- solr (embed)
	NOTE: solr-common
	- glpi (embed)
	- hobbix (embed)
	- mnemo2 (embed)
	- nag2 (embed)
	- knowledgeroot (embed)
	- mediatomb (embed)
	NOTE: mediatomb-common
	- mt-daapd (embed)
	- op-panel (embed)
	- ebug-http (embed)
	- phpgedview (embed)
	- poker-network (embed)
	NOTE: poker-web
	- webhelpers (embed)
	NOTE: python-webhelpers
	- qwik (embed)
	- rails (embed)
	- typo3-src (embed)
	- wordpress (embed)
	- zope (embed)
	NOTE: zope-plone3
	- smokeping (embed)
	- ampache 3.4.1-2 (embed)
	- exaile (embed)
	- hobix (embed)
	- pixelpost (embed)
	- symfony (embed)
	NOTE: it's been said that there are custom changes
	- zabbix (embed)
	NOTE: zabbix-frontend-php
	- turba2 (embed)

gdb
	- insight (embed)

e2fsprogs
	- ldiskfsprogs (fork)

quazip (not packaged in Debian)
	- qcake (embed)
	NOTE: starting with upstream version 0.6.4

exo
	- pcmanfm (embed; bug #499677)
	NOTE: slightly modified source code

java
	- openjdk-6
	- sun-java5
	- sun-java6

libphp-snoopy
	- ampache 3.4.1-2 (embed; bug #504169)
	- mahara 1.0.5-2 (embed; bug #504170)
	- pixelpost (embed; bug #504171)
	- mediamate 0.9.3.6-5 (embed; bug #504172)
	- opendb (embed; bug #504173)
	- wordpress 2.5.1-9 (embed; bug #443948)
	- moodle (embed; bug #507185)
	[etch] - phpgroupware (embed)
	NOTE: phpgroupware-felamimail
	- magpierss 0.72-3 (embed; bug #431089)

jquery
	- zekr (embed)
	- wordpress (embed)
	- yocto-reader (embed)
	- textpattern (embed)
	- genshi 0.5.1-1 (embed)
	NOTE: compressed file under examples/ dir
	- prewikka (embed)
	- libramaze-ruby (embed)
	- drupal5 (embed)
	- b2evolution (embed)
	- wesnoth (embed)

tablesorter (jquery plugin, not packaged yet)
	- wesnoth (embed)

kses
	- wordpress (embed; bug #504242)
	NOTE: their copy has all methods renamed to wp_
	- moodle (embed; bug #507185)
	- egroupware (embed)

magpierss
	- wordpress (embed; bug #504242)
	- moodle

php-gettext
	- wordpress (embed; bug #504242)

libphp-ixr (name may change, it is the Incutio XML-RPC)
	- wordpress (embed; bug #504242)
	- dokuwiki (embed)
	- textpattern (embed)

libphp-cas
	- glpi (embed)
	- moodle (embed; bug #496069)

scriptaculous
	- glpi (embed)
	- libaws (embed)
	NOTE: libaws-doc
	- op-panel (embed)
	- symfony (embed)
	NOTE: maintainer says there are extra incompatible changes required
	- pixelpost (embed)
	- webhelpers (embed)
	NOTE: python-webhelpers
	- qwik (embed)
	- smokeping (embed)
	- turba2 (embed)
	- typo3-src 4.2.3-1 (embed)

libmarkdown-php
	- moodle (embed; bug #507185)
	- pixelpost (embed)

php-openid
	- wordpress-openid (embed)

geshi
	- dokuwiki 0.0.20080505-3.1 (embed)
	- pgfouine 1.0-1.1 (embed)
	- websvn 2.1.0-1 (embed)

webcalendar
	- gforge-plugins-extra 4.7~rc2-6 (embed; bug #504758)

libical
	- kdepim (fork)
	- kdepimlibs (fork)
	NOTE: fixed in KDE4 post 4.1.x series

libltdl3
	- kdelibs (embed)
	NOTE: it's been said it sets RT_GLOBAL (or something like that) at runtime and version in experimental of libltdl can optionally set it
	- synfig (embed)

harfbuzz
	- qt4-x11 (embed)

libzip
	- php5 (fork)

json.php (not packaged; should be replaced with php's built-in functions)
	- moodle
	- yui
	- gallery2
	- dokuwiki
	- typo3-src

php-fpdf
	- tcpdf (fork)
	- moodle
	- phpwiki
	- egroupware
	- ldap-account-manager (fork)

tcpdf (itp: #495985)
	- moodle
	- phpmyadmin

typo3
	- moodle

spreadsheet_writeexcel (PHP port of libspreadsheet-writeexcel-perl; itp: #487557)
	- moodle
	- gosa

php-ole (itp: #487558)
	- moodle

pieforms (http://www.catalyst.net.nz)
	- mahara

savant2 (http://phpsavant.com)
	- egroupware

rssparser (http://nwow.org)
	- egroupware
	- phpgroupware

lcms
	- openjdk-6 (fork)

libphp-phplayersmenu
	- diogenes
	- phpldapadmin

libphp-pclzip
	- docvert
	- moodle
	- egroupware

libphp-simplepie
	- dokuwiki

libphp-jpgraph
	- egroupware

php-simpletest
	- moodle

libpng
	- iceweasel (embed)
	NOTE: 3.0 uses embedded copy, 2.0 uses system libpng
	- icedove: 1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1, 2.0.0.19-1 (embed)
	- iceape 1.0.13~pre080614i-0etch1 (embed)
	- xulrunner (embed)
	NOTE: Debian 1.9.0.6 uses embedded copy
	NOTE: Ubuntu: 1.9.x use embedded copy, 1.8 and 1.8.1 use system libpng
	- firefox 1.5.dfsg+1.5.0.3-0ubuntu3, 2.0.0.6+2nobinonly-0ubuntu1 (embed)
	NOTE: Ubuntu only
	- firefox-3.0 (embed)
	NOTE: Ubuntu only
	- firefox-3.1 (embed)
	NOTE: Ubuntu only
	- seamonkey 1.1.9+nobinonly-0ubuntu1 (embed)
	NOTE: Ubuntu only
	- thunderbird 2.0.0.6+nobinonly-0ubuntu1 (embed)
	NOTE: Ubuntu only
	- mozilla-thunderbird 1.5.0.2-0ubuntu2 (embed)
	NOTE: Ubuntu only

irssi
	- silc-client (embed)
	NOTE: Seems to be a pre-0.8.12 version that is used in irssi-plugin-silc

extc
	- mtasc (embed)
	- haxe (embed)

swflib
	- mtasc (embed)
	- haxe (embed)

libitext-java
	- bouncycastle 2.1.4-1 (embed)

python-ply
	- pyke (embed)

libdumbnet (libdnet upstream)
	- nmap (fork)