
Re: Support for ckeditor3 in Debian



Hello Salvatore,

On 08/05/2022 21:17, Salvatore Bonaccorso wrote:
On Fri, May 06, 2022 at 09:23:27PM +0200, Sylvain Beucler wrote:
Hello Security Team,

I'm currently checking 'ckeditor' (an HTML editor for web applications,
currently v4) for vulnerabilities to fix.
(I may send a separate e-mail about this later)

I noted that 'ckeditor3' (re-introduced as a dependency to horde in 2016)
did not reference any vulnerabilities. A quick check showed that it contains
vulnerable code for at least CVE-2021-33829 and CVE-2021-37695.
https://security-tracker.debian.org/tracker/source-package/ckeditor3

Do you think we should tag 'ckeditor3' with confirmed CVEs from
'ckeditor'? Or mark it as end-of-life?

Thanks for spotting this.

Do we know something about php-horde-editor's compatibility with
ckeditor version 4? I assume it's still incompatible and we either
would need to use the embedded copy or ckeditor3 in the archive.
There was only one upstream version following the introduction of
ckeditor3.

It seems the situation didn't change.

php-horde-editor used to depend on ckeditor4 in jessie but this caused issues and was reverted to ckeditor3:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769031

AFAICS upstream is still using 3.6.6:
https://github.com/horde/Editor/tree/master/js/ckeditor

Now, php-horde-editor is the only rdepends of ckeditor3.

IMHO we need to do a re-evaluation of the current CVEs for ckeditor to
see which affect ckeditor3 as well and in particular try to get a
picture of how those known to affect ckeditor3 impact php-horde-editor.
Some might for instance be negligible in the context of php-horde-editor
specifically.

Just an idea, and not necessarily right now already the security team
view: Depending on this outcome we might declare it as unsupported in
general, and only to be considered if an issue impacts
php-horde-editor.

And I wonder if it should be a goal to try to get rid of ckeditor3
again for the bookworm release, for which we would still be in time.
Removing does not seem to be feasible right now, as the php-horde
framework, through php-horde-core, php-horde-imp and
php-horde-gollem, depends in some form on the editor.

Inputs, Ideas?

This sounds sensible to me, but since I'm no Horde expert I'm adding Mike and Juri in Cc so they can provide their thoughts on a way forward.

Cheers!
Sylvain Beucler
Debian LTS Team
