[request-tracker-maintainers] Bug#1042527: request-tracker5: Include ckeditor minimified

Ángel pkgrtmnt at debian.16bits.net
Tue Aug 1 22:53:40 BST 2023 

On 2023-07-30 at 16:20 +1200, Andrew Ruthven wrote:
> Hey,
> 
> > On Sat, 2023-07-29 at 19:31 +0000, Bastien Roucariès wrote:
> > Source: request-tracker5
> > Severity: serious
> > Tags: ftbfs
> > Justification: FTBFS
> > Control: tags -1 + security
> > 
> > Dear Maintainer,
> > 
> > https://sources.debian.org/src/request-
> > tracker5/5.0.3+dfsg-3/share/static/RichText/
> > 
> > include ckeditor outdated (with CVE) and moreover minified
> 
> What do folks think about how we should handle this?
> 
> We have:
> 
> buster
>    - RT 4.4.3-2+deb10u2
> bullseye:
>    - RT 4.4.4+dfsg-2+deb11u2
> bookworm
>   - RT 4.4.6+dfsg-1.1
>   - RT 5.0.3+dfsg-3~deb12u1
> tixie, sid
>   - RT 4.4.6+dfsg-1.1
>   - RT 5.0.3+dfsg-3
> 
> In these releases we have ckeditor versions:
> 
> RT 4.4.3-2+deb10u2,  4.4.4+dfsg-2+deb11u2, 4.4.6+dfsg-1.1
>    - 4.5.3
> RT 5.0.3+dfsg-3~deb12u1 & RT 5.0.3+dfsg-3
>    - 4.13.0
> RT 5.0.4 (not uploaded yet)
>    - 4.20.1
> 
> It looks like 4.5.3 and 4.13.0 both have a number of CVEs in
> them[0][1], and that Best Practical haven't applied any CVE fixes to
> ckeditor in their releases other than occasional version upgrades.

A priori, it's possible that the ckeditor vulnerabilities (all of them
XSS, I think), are not exploitable from RT, so they would be merely
annoying (automated tools flagging it). But that would need to be
verified.
On the other hand. if a malicious email sent to an RT instance can
result in ckeditor loading html producing XSS execution by the agent
that is going to reply, that would be quite a different scenario.


Ideally, we would use the packaged ckeditor, and defer to it the
bugfixes.

> The ckeditor dialog is displayed, but unsurprisingly the
> styling (background) isn't present and most of the buttons on the
> toolbar are enabled. 

...but it needs to work, to begin with.


> I'm happy to raise a security bug with BP about this.

If Best Practical supported running with a stock ckeditor, that would
be easier both for them (when needing to upgrade it) and downstream.

A bigger issue I see is that they are providing just a minified
javascript. With no source.

This has been solved in Debian through the third-party-source tarball,
but they are potentialy violating the license of their dependencies
https://rt.bestpractical.com/Ticket/Display.html?id=37009

On the bright side, the whole debian/build-final-ckeditor.sh should
make it easy to upgrade the minified ckeditor to a newer version.
Even though that would require a new RT release.

I'm leaning to think that perhaps there should be a request-tracker-
ckeditor package (maybe built by ckeditor?) which provided the ckeditor
needed by RT, pushing down this hairy dependency.

Regards

More information about the pkg-request-tracker-maintainers mailing list