~ubuntu-security/ubuntu-cve-tracker/master : contents of embedded-code-copies.ubuntu at revision 15006

~ubuntu-security/ubuntu-cve-tracker/master : (revision 15006)
Embedded code copies
====================

This follows the same format as security-testing/data/embedded-code-copies from
Debian, but contain Ubuntu-specific sources that are not included in Debian
(and will likely never be)

This file collects source packages that embed code from other projects.
This is considered bad for fixing security flaws because the fix needs
to be applied in multiple source packages.

Format:
<srcpkg> (<optional comment about srcpkg>)
	- <embedding srcpkg> <status> (<sort>; bug #<number>)
	NOTE: optional comments about the linkage of the embedding srcpkg

status: version number fixing the embedded copy
	<unfixed> if the issue is not yet fixed
	<removed> if the package was removed from the archive
	<itp> if the package is in the process of being packaged
	<not-affected> if the package does not use the embedded copy
	<unknown> if the version number can not be determined
	<unfixable> for unavoidable cases (e.g., forks that add real value)
sort: static (linking statically against a lib)
      embed (embeds a copy of the library into another source package)
      modified-embed (embeds a code copy that differs from upstream code)
      fork (a full-blown fork of another source package)
      old-version (an older version of essentially the same code)

The srcpkg might be some string to identify the code if there is no
specific source package.

Everything up to the next line is ignored.
---BEGIN
aac-enc
	- android <unfixable> (embed)

bouncycastle
	- android <0.20130801-0ubuntu1> (embed; LP: #1203800)

bsdiff
	- android <0.20130801-0ubuntu1> (embed; LP: #1203800)

busybox
	- android <unfixable> (embed)

bzip2
	- android <unfixable> (embed)

e2fsprogs
	- android <unfixable> (embed)

expat
	- android <unfixable> (embed)

flac
	- android <unfixable> (embed)

freetype
	- android <unfixable> (embed)

gcc-demangle
	- android <unfixable> (embed)
	NOTE: ignored (won't process untrusted content), not in archive

genext2fs
	- android <unfixed> (embed)
	NOTE: not shipped in product

giflib
	- android <unfixable> (embed)

gnupg
	- android <unfixable> (embed)

gtest
	- android <unfixable> (embed)

harfbuzz
	- android <unfixed> (embed)
	NOTE: not shipped in product

htop
	- android <0.20130801-0ubuntu1> (embed; LP: #1203800)

icu
	- android <unfixable> (embed)

jhead
	- android <unfixable> (embed)

libjpeg8
	- android <unfixable> (embed)
	NOTE: this is different source than libjpeg-turbo8

kernel-headers
	- android <unfixable> (embed)
	NOTE: ignored (won't process untrusted content)

liblzf
	- android <unfixable> (embed)
	NOTE: this is different than lz4

libnl
	- android <unfixable> (embed)
	NOTE: ignored (just the headers, won't process untrusted content)

libogg
	- android <unfixed> (embed)
	NOTE: not shipped in product

libpng
	- android <unfixable> (embed)

libvpx
	- android <unfixable> (embed)

linux-tools-perf
	- android <0.20130801-0ubuntu1> (embed; LP: #1203800)

mksh
	- android <unfixable> (embed)

openssl
	- android <unfixable> (embed)

protobuf
	- android <unfixable> (embed)

safe-iop
	- android <unfixable> (embed)
	NOTE: not in archive

skia
	- android <unfixable> (embed)
	NOTE: not in archive

sonivox
	- android <unfixable> (embed)
	NOTE: not in archive

speex
	- android <unfixable> (embed)

stlport
	- android <unfixable> (embed)
	NOTE: not in archive

strace
	- android <unfixable> (embed)

tinyalsa
	- android <unfixable> (embed)
	NOTE: not in archive

tremolo
	- android <unfixable> (embed)
	NOTE: not in archive

webp
	- android <unfixable> (embed)

webrtc
	- android <unfixable> (embed)

wpa_supplicant_6
	- android <unfixed> (embed)
	NOTE: not shipped in product

wpa_supplicant_8
	- android <unfixable> (embed)

wpa_supplicant_8_ti
	- android <unfixed> (embed)
	NOTE: not shipped in product

yaffs2
	- android <unfixable> (embed)

zlib
	- android <unfixable> (embed)