Debian Policy 4.13 states that Debian packages should not use convenience copies.

The list of packages embedding code from other projects is maintained in the security-tracker git repository.

This list also contains information about code forks so that the security team can check if all forks contain the same vulnerabilities.

All Debian members have commit access to the security-tracker repository and others can send suggestions or additions to the debian-security-tracker mailing list.

Lintian detects embedding of feedparser, common JavaScript/C/C++/PEAR/PHP libraries and PostScript fragments.

These wiki pages mention embedded code copies: arc4random

The Debian duplication detector detects duplicate files in binary packages and may be useful for detecting verbatim duplication of interpreted code and data.

Clonewise is a tool, not yet in Debian, that could be used to find vulnerabilities left unfixed in embedded code copies. SourcererCC is another tool for detecting embedded code copies.

The Debian Sources website collects hashes and ctags of all Debian source code and allows searching for specific hashes and ctags, which may be useful for detecting duplication of source code and data.
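
A local version of the hash-based search described above, added here as an example (not code from Debian Sources, the duplication detector or any other Debian tool): it indexes unpacked source trees by SHA-256 and reports byte-identical files shared between packages. The choice of SHA-256, the package names, the file layout and the 64-byte size floor are constructed assumptions.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

MIN_SIZE = 64  # assumption: files under 64 bytes (empty headers etc.) are noise

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):  # hash in chunks
            h.update(chunk)
    return h.hexdigest()

def index_trees(trees):
    """Map sha256 -> {(package, relative path)}; trees is {package: directory}."""
    index = defaultdict(set)
    for pkg, root in trees.items():
        for dirpath, _dirs, files in os.walk(root):  # symlinked dirs not followed
            for name in files:
                path = os.path.join(dirpath, name)
                if os.path.islink(path) or os.path.getsize(path) < MIN_SIZE:
                    continue
                index[sha256_file(path)].add((pkg, os.path.relpath(path, root)))
    return index

def copies_of(index, reference_file):
    """Indexed locations byte-identical to a file of interest."""
    return sorted(index.get(sha256_file(reference_file), ()))

def shared_between_packages(index):
    """Hashes present in more than one package: candidate embedded copies."""
    return {h: sorted(l) for h, l in index.items() if len({p for p, _ in l}) > 1}

def build_sample(base):
    """Constructed sample: libfoo's md5.c embedded verbatim in app-bar."""
    md5 = b"/* constructed sample */\n" + b"int step(int x) { return x; }\n" * 4
    layout = {"libfoo/src/md5.c": md5, "libfoo/empty.h": b"",
              "app-bar/third_party/foo/md5.c": md5, "app-bar/empty.h": b"",
              "app-bar/main.c": b"int main(void) { return 0; }\n" * 4}
    for rel, data in layout.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return {pkg: os.path.join(base, pkg) for pkg in ("libfoo", "app-bar")}

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(shared_between_packages(index_trees(build_sample(tmp))))
```

Only byte-identical copies match; a copy with local patches or reformatting hashes differently and will be missed.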

If you have a particular piece of code with some interesting aspect (a security issue, etc.), you can likely find other copies using the Debian code search site or external code search engines such as Ohloh code, searchcode and GitHub.

If a file containing some code has a fairly unique name, you can often find copies of that file by searching the contents of Debian binary or source packages using apt-file:

apt-file search uniquename.c
apt-file search -I dsc uniquename.c

Various Debian folks keep track of embedded code copies they found via usertags:
