JavaScript Project with vulnerabilities

I checked a bigger open source JS project for vulnerable packages with npm audit again and got:

41 vulnerabilities (1 low, 12 moderate, 26 high, 2 critical)

These vulnerabilities have stayed nearly unchanged for months, some for more than a year or two. That's a disaster for an open source project which is currently developed only by professional and paid developers.

Fixes are available for all of these vulnerabilities in updated JS packages, but nobody seemed to care about applying them.

Research on Patches not in LibreOffice Master but in Branch

I researched patches which were committed to a branch of LibreOffice but didn't make it upstream. To do so I made a diff of the patch titles in this branch and in the LibreOffice core master. I evaluated the branch distro/co-24.04 (https://github.com/LibreOffice/core/tree/distro/collabora/co-24.04) against the current state of the LibreOffice main branch (master). This gave me a list of more than 6900 patch titles which were not committed to the main branch of the LibreOffice project. I created a new file (from the current state of today) with those patch titles from the branch which didn't make it to the master: https://amantke.de/wp-content/uploads/2024/08/title-of-patches-in-co-24-not-in-lo-master.txt

I have not researched yet why these patches didn't make it to the upstream project. But it's worth going at least through those patches since October 2020, when Collabora decided to fork LibreOffice Online and moved it away to GitHub. I already found out in the past that patches for the LibreOffice Kit (LOK) weren't committed to the master branch, and it needs some reminder to fix that.

Brother MFC-7320 And OpenSUSE Leap 15.4

I have used this combined printer, scanner and fax machine with openSUSE for some years now. But it is always a lot of effort to get it working in a fresh Linux environment, e.g. after a hardware change. There are the packages and tools from Brother, which you can download from their website, but they alone don't give you a complete and working setup of the printer and scanner functionality. It is necessary to install some 32-bit packages as well:

zypper in -f glibc-32bit libusb-0_1-4-32bit libusb-1_0-0-32bit

Solved Vulnerabilities

I worked on the project Free Online Office, a collaborative online office based on LibreOffice technology, to solve vulnerabilities in the JavaScript packages it uses. I updated all used JavaScript packages to new versions. The command 'npm audit' reports no vulnerabilities now.

This is a big difference to the starting point, where the report was (and for the original project still is) the following:

57 vulnerabilities (1 low, 20 moderate, 34 high, 2 critical)

I’ll create a new Docker image from the updated source code and publish it on the Docker hub during the next days. You can get it from there with:

docker pull freeonlineoffice/online:nightly

Free Online Office Nightly On ProxMox

I created a Linux Container on my ProxMox server using Debian 11 and installed and ran Docker inside of it. Then I pulled the current Free Online Office (nightly build) from hub.docker.io:

docker pull freeonlineoffice/online:nightly

I started this Docker container with:

docker run -t -d -p 192.168.10.15:9980:9980 -e "username=admin" -e "password=S3cRet" freeonlineoffice/online:nightly

The IP in the docker command depends on the IP address of the Linux Container on your ProxMox server. You should give the container a fixed IP address. I used the same IP address (double escaped) for the aliasgroup entry for my first run too.

Once I had started the container I ran 'docker ps' to see if the container was running. Then I checked with curl from my remote machine if everything works:

curl -k https://192.168.10.15:9980

If you don't get an error message back, everything seems to work. I could then open a browser on my remote machine and call the URL:

https://192.168.10.15:9980/browser/dist/admin/admin.html

This shows the admin console of Free Online Office, built on LibreOffice technology.

Worked Further On LibreOffice Online Code And Docker Image

The JavaScript packages in the former git repository of LibreOffice Online and its fork were not up to date. Thus I had to work on updating them. This and the code update took a bunch of my spare time.

I also had to work on the configuration of the shrinkwrap/shrinkpack tooling. The former configuration, and especially the shrinkwrap.json.in file, blocked the build process of the Docker file, because the naming of the shrinkpacked files had changed.

Once this was fixed the browser part of LibreOffice Online was built successfully. And finally I was able to build a first lool Docker container and start it.

As a first test I could copy the loolwsd.xml from the container and also view the container log.

Updated The LibreOffice Online Code And JavaScript Modules

I worked further on the update of the LibreOffice Online source code during the last days. I brought it on par with its fork first. In parallel I worked on the JavaScript modules and was able to move them to newer versions. This also fixes some vulnerabilities, from the critical to the mid category. The npm tool doesn't complain about vulnerabilities in the JavaScript area of the source code anymore.

Update JavaScript Modules Of LOOL

I had a look at the 'zoo' of JavaScript modules which live in the browser part of LibreOffice Online and found a lot of outdated versions there. These modules need an update to newer versions. I'm currently working on this task step by step.

I also got the message in the shell about vulnerabilities in the modules, some of them classified high and one critical. I fixed a bunch of them with an npm command, so there is no critical vulnerability left. The number of high classified ones diminished from 15 to five.

Next Step: Work On Docker File

I worked on the changes in the source code to create an up-to-date Docker file of LibreOffice Online today. For that I had to adapt the scripts which build the online version from source to LibreOffice Online and run it. Because the naming and the variable names of the former scripts were changed with the fork, I had to rework them.

I'm currently running the build process a second time and hope it will create a first version of a new LibreOffice Online Docker container from source. Keep your fingers crossed 😉

Work On Revival Of LibreOffice Online

I worked during the last two weeks on a revival of the LibreOffice Online project. This project / branch is a version of LibreOffice which runs in a browser and supports collaborative editing.

I fetched the commits which had been committed to a fork of the LibreOffice Online (LOOL) branch since October 2020. But there had been some renamings of file names and strings, which increased the effort. I had to adapt those commits to the original file names and strings. There were also changes in the license header of some files. I had to revert the commit which inserted those changes.

And then I got another issue with a hardware defect and had to migrate my environment to other hardware. But now I have everything up and running. The first screenshot shows LibreOffice Online Writer with a text document.

LibreOffice Online Writer Document in the Browser

And the next screenshot shows the Admin console of LibreOffice Online with some statistics. It shows also that there is currently one user working with one document.

LibreOffice Online Admin Console in the Browser