[request-tracker-maintainers] Bug#1042527: request-tracker5: Include ckeditor minimified

Andrew Ruthven andrew at etc.gen.nz
Sun Jul 30 05:20:15 BST 2023


Hey,

> On Sat, 2023-07-29 at 19:31 +0000, Bastien Roucariès wrote:
> Source: request-tracker5
> Severity: serious
> Tags: ftbfs
> Justification: FTBFS
> Control: tags -1 + security
> 
> Dear Maintainer,
> 
> https://sources.debian.org/src/request-tracker5/5.0.3+dfsg-3/share/static/RichText/
> 
> includes an outdated ckeditor (with CVEs) and, moreover, it is minified

What do folks think about how we should handle this?

We have:

buster:
   - RT 4.4.3-2+deb10u2
bullseye:
   - RT 4.4.4+dfsg-2+deb11u2
bookworm:
   - RT 4.4.6+dfsg-1.1
   - RT 5.0.3+dfsg-3~deb12u1
trixie, sid:
   - RT 4.4.6+dfsg-1.1
   - RT 5.0.3+dfsg-3

In these releases we have ckeditor versions:

RT 4.4.3-2+deb10u2, 4.4.4+dfsg-2+deb11u2, 4.4.6+dfsg-1.1
   - 4.5.3
RT 5.0.3+dfsg-3~deb12u1 & RT 5.0.3+dfsg-3
   - 4.13.0
RT 5.0.4 (not uploaded yet)
   - 4.20.1

It looks like 4.5.3 and 4.13.0 both have a number of CVEs in them[0][1], and
that Best Practical haven't applied any CVE fixes to ckeditor in their
releases other than occasional version upgrades.

I'm happy to raise a security bug with BP about this.

> Could you use the packaged ckeditor?
> 
> Note also that I am going to package ckeditor5 (ckeditor 4 is EOL)

This is probably a bit more complicated as the plugins are different. It is also
made a bit harder as it seems that only 3 packages are using the packaged
ckeditor, so prior art is limited.

$ apt-cache rdepends ckeditor
ckeditor
Reverse Depends:
  civicrm-common
  wims-modules
  python3-django-ckeditor

These three all place symlinks into their directory structures. Out of
interest I've tried this on a personal RT install (also required changing
/usr/share/request-tracker5/lib/RT/Interface/Web.pm to have ckeditor.js in
the JSFiles list). The ckeditor dialog is displayed, but unsurprisingly the
styling (background) isn't present and most of the buttons on the toolbar
are enabled. 

I've managed to get ckeditor to use my own config file, but a couple of
plugins are missing - ccmsconfighelper and confighelper (possibly why the
buttons are enabled), as is the bootstrapck style. I don't know if we can
provide these alongside or not.

There are more plugins provided by the ckeditor package (61 vs 19), which
also feels like broadening the scope for issues.

Cheers,
Andrew

[0] https://metadata.ftp-master.debian.org/changelogs//main/c/ckeditor/ckeditor_4.19.1+dfsg-1_changelog
[1] https://security-tracker.debian.org/tracker/source-package/ckeditor


-- 
Andrew Ruthven, Wellington, New Zealand
andrew at etc.gen.nz         |
Catalyst Cloud:           | This space intentionally left blank
 https://catalystcloud.nz |
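The thread turns on two facts: which CKEditor 4 version each RT package vendors under share/static/RichText, and whether that version is older than the one Debian packages separately. The following script is an added example (not from this thread, from Best Practical or from the Debian packaging) that audits a directory tree for vendored copies of ckeditor.js, extracts their version and flags any copy older than a given minimum. It assumes that CKEditor 4 builds embed their version in ckeditor.js as a `version:"4.x.y"` literal; the sample tree it constructs (RT static directories and a /usr/share/javascript/ckeditor path) and the version strings in it are constructed stand-ins, and the 4.19.1 threshold is just the packaged version named in the changelog link above, passed as a parameter.

```shell
#!/bin/sh
# Added example: audit a tree for vendored CKEditor 4 copies and compare
# their versions against a minimum, so outdated embedded copies stand out.
set -eu

# Assumption (not from the thread): CKEditor 4 builds carry their version in
# ckeditor.js as `version:"4.x.y"`. Prints the first such version, or nothing.
ckeditor_version() {
    grep -o 'version:"[0-9][0-9.]*"' "$1" 2>/dev/null | head -n 1 \
        | sed 's/version:"\([0-9.]*\)"/\1/'
}

# Succeeds when version $1 is strictly older than $2 (uses sort -V).
version_older() {
    [ "$1" != "$2" ] && \
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Walk a tree and print "path version status" for every ckeditor.js found;
# status is OUTDATED when the copy is older than the minimum given in $2.
audit_tree() {
    dir=$1
    min=$2
    find "$dir" -name ckeditor.js -type f | sort | while read -r f; do
        v=$(ckeditor_version "$f")
        if [ -z "$v" ]; then
            printf '%s unknown UNKNOWN\n' "$f"
        elif version_older "$v" "$min"; then
            printf '%s %s OUTDATED\n' "$f" "$v"
        else
            printf '%s %s ok\n' "$f" "$v"
        fi
    done
}

# Number of vendored copies older than the minimum (printed to stdout).
count_outdated() {
    audit_tree "$1" "$2" | grep -c ' OUTDATED$' || true
}

# Constructed sample tree: two RT-style static directories and one path
# standing in for the Debian-packaged ckeditor. Contents are stand-ins.
SAMPLE=$(mktemp -d)
mkdir -p "$SAMPLE/rt5/share/static/RichText" \
         "$SAMPLE/rt4/share/static/RichText" \
         "$SAMPLE/usr/share/javascript/ckeditor"
printf 'CKEDITOR={timestamp:"x",version:"4.13.0",revision:"0000000"};\n' \
    > "$SAMPLE/rt5/share/static/RichText/ckeditor.js"
printf 'CKEDITOR={version:"4.5.3"};\n' \
    > "$SAMPLE/rt4/share/static/RichText/ckeditor.js"
printf 'CKEDITOR={version:"4.20.1"};\n' \
    > "$SAMPLE/usr/share/javascript/ckeditor/ckeditor.js"

# Usage: report every copy, flagging those older than 4.19.1.
audit_tree "$SAMPLE" 4.19.1
```

Run against a real installation, point `audit_tree` at the package's install root (or at a set of unpacked source packages) and at the version of the packaged ckeditor; anything reported as OUTDATED is a vendored copy that the package would have to update or replace with a symlink to the packaged one, which is exactly the choice discussed above.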



