[request-tracker-maintainers] Bug#1042527: request-tracker5: Include ckeditor minimified
Ángel
pkgrtmnt at debian.16bits.net
Tue Aug 1 22:53:40 BST 2023
On 2023-07-30 at 16:20 +1200, Andrew Ruthven wrote:
> Hey,
>
> On Sat, 2023-07-29 at 19:31 +0000, Bastien Roucariès wrote:
> > Source: request-tracker5
> > Severity: serious
> > Tags: ftbfs
> > Justification: FTBFS
> > Control: tags -1 + security
> >
> > Dear Maintainer,
> >
> > https://sources.debian.org/src/request-tracker5/5.0.3+dfsg-3/share/static/RichText/
> >
> > includes an outdated ckeditor (with CVEs) which is, moreover, minified
>
> What do folks think about how we should handle this?
>
> We have:
>
> buster
> - RT 4.4.3-2+deb10u2
> bullseye:
> - RT 4.4.4+dfsg-2+deb11u2
> bookworm
> - RT 4.4.6+dfsg-1.1
> - RT 5.0.3+dfsg-3~deb12u1
> trixie, sid
> - RT 4.4.6+dfsg-1.1
> - RT 5.0.3+dfsg-3
>
> In these releases we have ckeditor versions:
>
> RT 4.4.3-2+deb10u2, 4.4.4+dfsg-2+deb11u2, 4.4.6+dfsg-1.1
> - 4.5.3
> RT 5.0.3+dfsg-3~deb12u1 & RT 5.0.3+dfsg-3
> - 4.13.0
> RT 5.0.4 (not uploaded yet)
> - 4.20.1
>
> It looks like 4.5.3 and 4.13.0 both have a number of CVEs in
> them[0][1], and that Best Practical haven't applied any CVE fixes to
> ckeditor in their releases other than occasional version upgrades.
A priori, it's possible that the ckeditor vulnerabilities (all of them
XSS, I think) are not exploitable from RT, so they would be merely
annoying (automated tools flagging it). But that would need to be
verified.
On the other hand, if a malicious email sent to an RT instance can
result in ckeditor loading html producing XSS execution by the agent
that is going to reply, that would be quite a different scenario.
Ideally, we would use the packaged ckeditor, and defer to it the
bugfixes.
> The ckeditor dialog is displayed, but unsurprisingly the
> styling (background) isn't present and most of the buttons on the
> toolbar are enabled.
...but it needs to work, to begin with.
> I'm happy to raise a security bug with BP about this.
If Best Practical supported running with a stock ckeditor, that would
be easier both for them (when needing to upgrade it) and downstream.
A bigger issue I see is that they are providing just a minified
javascript. With no source.
This has been solved in Debian through the third-party-source tarball,
but they are potentially violating the license of their dependencies
https://rt.bestpractical.com/Ticket/Display.html?id=37009
On the bright side, the whole debian/build-final-ckeditor.sh should
make it easy to upgrade the minified ckeditor to a newer version.
Even though that would require a new RT release.
I'm leaning to think that perhaps there should be a request-tracker-
ckeditor package (maybe built by ckeditor?) which provided the ckeditor
needed by RT, pushing down this hairy dependency.
Regards
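The thread above turns on which CKEditor version is bundled as a minified ckeditor.js in each RT upload. The following script is an added example (not part of the thread, not Debian's or Best Practical's tooling) for pulling that version out of a vendored minified file and flagging it when it is older than a reference release; the 4.20.1 reference is simply the version the thread names for RT 5.0.4. It assumes CKEditor 4 builds embed the version as `version:"X.Y.Z"` in ckeditor.js (the value exposed as `CKEDITOR.version` at run time); the sample file it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: locate the version marker inside a minified CKEditor 4
# ckeditor.js and compare it against a reference version.
# Assumption: the build embeds version:"X.Y.Z" (as CKEDITOR.version does).

# Print the bundled version string; prints nothing if no marker is found.
ckeditor_version() {
    grep -o 'version:"[0-9][0-9.]*"' "$1" 2>/dev/null \
        | head -n 1 | sed 's/^version:"//; s/"$//'
}

# Return 0 if dotted version $1 is strictly older than $2, 1 otherwise.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0   # missing components count as 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1                               # equal versions are not "older"
    }'
}

# Exit 0 if the bundled copy is at least the reference version,
# 2 if it is older, 3 if no version marker could be found.
check_bundled_ckeditor() {
    file=$1; ref=$2
    v=$(ckeditor_version "$file")
    if [ -z "$v" ]; then
        echo "$file: no CKEditor version marker found" >&2
        return 3
    fi
    if version_lt "$v" "$ref"; then
        echo "$file: bundled CKEditor $v is older than $ref" >&2
        return 2
    fi
    echo "$file: bundled CKEditor $v (>= $ref)"
    return 0
}

# Constructed sample: the opening bytes of a minified ckeditor.js carrying
# the version marker in the form CKEditor 4 emits (sample data, not a real file).
make_sample() {
    printf 'window.CKEDITOR||(window.CKEDITOR=function(){var a={timestamp:"",version:"%s",revision:"0000000"};return a}());' "$2" > "$1"
}

# Stand-alone run: a 4.13.0 sample checked against the 4.20.1 reference.
tmp=${TMPDIR:-/tmp}/ckeditor-sample.$$.js
make_sample "$tmp" 4.13.0
check_bundled_ckeditor "$tmp" 4.20.1 || echo "status: $?"
rm -f "$tmp"
```

Point `check_bundled_ckeditor` at the real `share/static/RichText/ckeditor.js` from an unpacked source tree to get the same report for a given upload; the exit status makes it usable from a packaging lint step.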