Differences between revisions 1 and 37 (spanning 36 versions)
Revision 1 as of 2006-01-09 12:14:39
Size: 2581
Editor: ?MartinPitt
Comment: add
Revision 37 as of 2016-09-17 04:02:59
Size: 2935
Editor: PaulWise
Comment: split paragraph to make it more obvious
Deletions are marked like this. Additions are marked like this.
Line 1: Line 1:
= Embedded source code copies =
This file collects cases, where a source package embeds code from
other projects, without linking dynamically:
[[https://www.debian.org/doc/debian-policy/ch-source.html#s-embeddedfiles|Debian Policy 4.13]] states that Debian packages should not use convenience copies.
Line 5: Line 3:
xpdf code: (some use xpdf 2, some xpdf 3)
gpdf
pdftohtml
kdegraphics/kpdf
tetex-bin (the very latest tetex-bin started to use poppler)
cupsys (only older releases, recent ones use xpdf-utils, it's still present in the src, though)
poppler
koffice
libextractor
The list of packages embedding code from other projects is maintained in the secure-testing svn repository.
Line 15: Line 5:
https://anonscm.debian.org/viewvc/secure-testing/data/embedded-code-copies?view=co
Line 16: Line 7:
zlib code: (lots of apps embed a copy, but link dynamically, but there are a few exceptions)
dpkg
rsync (somehow derived code base)
mozilla(?)
Linux kernels
pvpgn (links dynamically since 1.7.8-2)
This list also contains information about code forks so that the security team can check if all forks contain the same vulnerabilities.
Line 23: Line 9:
All Debian members have commit access to the secure-testing repository and others can send suggestions or additions to the [[DebianList:debian-security-tracker|debian-security-tracker mailing list]].
Line 24: Line 11:
libgadu/ekg:
centericq
gaim
kopete (ships the code, but links dynamically in the Debian package)
kadu (not packaged in Debian)
GNU gadu (not yet packaged in Debian)
Lintian detects embedding of [[https://lintian.debian.org/tags/embedded-feedparser-library.html|feedparser]], common [[https://lintian.debian.org/tags/embedded-javascript-library.html|JavaScript]]/[[https://lintian.debian.org/tags/embedded-library.html|C/C++]]/[[https://lintian.debian.org/tags/embedded-pear-module.html|PEAR]]/[[https://lintian.debian.org/tags/embedded-php-library.html|PHP]] libraries and !PostScript fragments ([[https://lintian.debian.org/tags/license-problem-font-adobe-copyrighted-fragment.html|1]] [[https://lintian.debian.org/tags/license-problem-font-adobe-copyrighted-fragment-no-credit.html|2]]).
Line 31: Line 13:
The [[dedup.debian.net|Debian duplication detector]] detects duplicate files in binary packages and may be useful for detecting verbatim duplication of interpreted code and data.
Line 32: Line 15:
xmlrpc: (which package is the "origin" of this code?)
drupal
phpgroupware
egroupware
phpwiki
php4 (php-pear, IIRC this was reorganized some weeks ago?)
tikiwiki (not packaged in Debian)
[[https://github.com/silviocesare/Clonewise|Clonewise]] is a tool not yet in Debian that [[https://lists.debian.org/debian-security/2012/07/msg00000.html|could be used to find unfixed vulnerabilities because of embedded code copies]].
Line 40: Line 17:
If you have a particular piece of code with some interesting aspect (security issue etc) you can likely find other copies using the [[DebianCodeSearch|Debian code search site]] or external code search engines such as [[https://code.ohloh.net/|Ohloh code]], [[https://searchcode.com/|searchcode]] and [[https://github.com/|GitHub]].
Line 41: Line 19:
shtool: (affects build-time only)
mysql-ocaml
php4
Various Debian folks keep track of embedded code copies they found via usertags:
Line 45: Line 21:
[[https://udd.debian.org/cgi-bin/bts-usertags.cgi?tag=embedded-code-copy&user=rbrito@ime.usp.br|rbrito@ime.usp.br]]
[[https://udd.debian.org/cgi-bin/bts-usertags.cgi?tag=embedded-code-copy&user=jwilk@debian.org|jwilk@debian.org]]
[[https://udd.debian.org/cgi-bin/bts-usertags.cgi?tag=embed&user=pabs@debian.org|pabs@debian.org]]
[[https://udd.debian.org/cgi-bin/bts-usertags.cgi?tag=embedded-synctex-parser&user=sramacher@debian.org|sramacher@debian.org]]
[[https://udd.debian.org/cgi-bin/bts-usertags.cgi?tag=embed&user=dr@jones.dk|dr@jones.dk]]
Line 46: Line 27:
mozilla:
mozilla-firefox
mozilla-thunderbird
nvu
= See also =
Line 51: Line 29:

xli:
xloadimage


lesstif: (beware: two different lesstif APIs supported in one package, MOTIF 1.2 discarded upstream)
openmotif
xfree86/xorg (in libxpm)


kerberized apps with BSD origin:
krb4
krb5
heimdal


grip: (which pkg is the origin?)
libcdaudio
grip
gnome-vfs (vfs2 as well?)


fudforum:
phpgroupware-fudforum
egroupware-fudforum

cvs:
gcvs (at least an additional script is included, check if there's more)

pcre:
all pythons
php4 (src included, but Debian package links dynamically)
analog (src included, but Debian package links dynamically)
libgoffice-1
tf5 (since 5.0beta7 the Debian package links dynamically)

tiff:
wxpythongtk (check, which debian pkg this is in)
older kdegraphics/kpdf releases < 3.3 embedded a copy


uudeview:
libconvert-uulib-perl

sqlite: (not affected by security vulnerabilities so far)
amarok

util-linux/mount:
loop-aes-utils contains code from util-linux' mount in the mount-aes-udeb

webmin:
usermin

sylpheed:
sylpheed-claws

phpsysinfo:
egroupware
phpgroupware

phpldapadmin:
egroupware

chmlib:
kchmviewer (not packaged in Debian)

libavcodec/libavformat:
ffmpeg
xine-lib
xvidcap (currently in NEW)
kino(?)
gst-ffmpeg
xmovie (currently in NEW)

mad MPEG decoding lib:
mad
xine-lib

libdts:
libdts
xine-lib

flac:
flac
xine-lib

liba52:
a52dec
xine-lib

libmpeg2:
mpeg2dec
xine-lib

curl:
wget (code for NTLM authentication)
 * [[https://fedoraproject.org/wiki/Packaging:Guidelines#Bundling_and_Duplication_of_system_libraries|Fedora policy]]
 * [[https://wiki.gentoo.org/wiki/Why_not_bundle_dependencies|Gentoo policy]]

Debian Policy 4.13 states that Debian packages should not use convenience copies.

The list of packages embedding code from other projects is maintained in the secure-testing svn repository.

https://anonscm.debian.org/viewvc/secure-testing/data/embedded-code-copies?view=co

This list also contains information about code forks so that the security team can check if all forks contain the same vulnerabilities.

All Debian members have commit access to the secure-testing repository and others can send suggestions or additions to the debian-security-tracker mailing list.

Lintian detects embedding of feedparser, common JavaScript/C/C++/PEAR/PHP libraries and PostScript fragments (1 2).

The Debian duplication detector detects duplicate files in binary packages and may be useful for detecting verbatim duplication of interpreted code and data.

Clonewise is a tool not yet in Debian that could be used to find unfixed vulnerabilities because of embedded code copies.

If you have a particular piece of code with some interesting aspect (security issue etc) you can likely find other copies using the Debian code search site or external code search engines such as Ohloh code, searchcode and GitHub.

Various Debian folks keep track of embedded code copies they found via usertags:

rbrito@ime.usp.br jwilk@debian.org pabs@debian.org sramacher@debian.org dr@jones.dk

See also