Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <51D4FA87.7060706@redhat.com>
Date: Wed, 03 Jul 2013 22:31:03 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: "Steven M. Christey" <coley@...re.org>,
        Salvatore Bonaccorso <carnil@...ian.org>,
        Mark Panaghiston <markp@...pyworm.com>, hello@...pyworm.com
Subject: Re: Re: CVE-2013-1942 jPlayer 2.2.19 XSS

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 06/27/2013 10:57 AM, Steven M. Christey wrote:
> 
> Kurt,
> 
> Your CVE assignment posts from [1] and [2] appear to be
> inconsistent, and there are some questions about affected versions,
> so I wanted to get some clarity about which CVEs go with which
> issues.
> 
> 1) CVE-2013-1942 - fixed in 2.2.20. Commit:
> e8ca190f7f972a6a421cb95f09e138720e40ed6d
> 
> This one doesn't seem to have any issues.

My understanding of this one is that it now filters out \\ < > = which
could be previously used to insert content into the parameters passed
to the SWF file resulting in XSS.

> 
> 2) CVE-2013-2022 - based on [1] CVE-2013-2022 is listed after a
> section that talks about an XSS fixed in 2.3.0 (which also includes
> the CVE-2013-1942 assignment).   However, in [2] you say
> "CVE-2013-2022 is for jPlayer 2.2.20 XSS" but
> http://www.jplayer.org/2.3.0/release-notes/ says that CVE-2013-2022
> is fixed in 2.2.23.  (Maybe when you said 2.2.20, this also covered
> other unfixed versions UNTIL 2.2.23).

that was probably the case, I typically assume when I assign a CVE
that the next release will assign it (because usually people do fix
things quickly =). I was going off of
http://www.jplayer.org/latest/release-notes/ when I assigned these


> 3) CVE-2013-2023 - in [1] you assign CVE-2013-2023 to the security
> fix that quotes the jPlayer changelog entry for 2.2.23 - which, as
> just mentioned in the previous bullet, you already described as
> being associated with CVE-2013-2022.  In [2], you also state that 
> CVE-2013-2023 is for jPlayer 2.2.23 XSS.
> 
> 4) There is no mention of issues that are FIXED in 2.3.0 based on
> upstream changelog, but
> http://www.jplayer.org/2.4.0/release-notes/ lists fixes in both
> 2.3.1 and 2.3.2.



> 5) According to jPlayer release notes, we have:
> 
> [2.3.1] Security Fix: The Flash SWF had a minor security
> vulnerability that enabled XSS (Cross Site Scripting). Reported by
> Eugene Dokukin. Security reference CVE-2013-2023.
> 
> [2.3.2] Security Fix: Closed Flash SWF security vulnerability that 
> enabled XSS (Cross Site Scripting). Reported by Eugene Dokukin.
> Security reference CVE-2013-2023. The jPlayer noConflict option is
> now restricted to strings that contain the term jQuery. For
> example: lib.jQuery or myjQueryRocks.
> 
> [2.2.20] Security Fix: The Flash SWF had a security vulnerability
> that enabled XSS (Cross Site Scripting). Reported by Malte Batram.
> Security reference CVE-2013-1942.
> 
> [2.2.23] Security Fix: The Flash SWF had a minor security
> vulnerability that enabled XSS (Cross Site Scripting). Reported by
> Eugene Dokukin. Security reference CVE-2013-2022.
> 
> I'm of the mindset to use the CVE assignments as provided by
> jQuery upstream, but it may be good to get full clarity down to the
> individual commits.

Yeah, partly what happened is I was specifically asked for a cve for
jplayer by the ownCloud guys, I looked at the changelog, saw a bunch
more and assigned them as best I could.

> 
> [1] http://marc.info/?l=oss-security&m=136726705917858&w=2
> 
> [2] http://marc.info/?l=oss-security&m=136773622321563&w=2


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJR1PqGAAoJEBYNRVNeJnmT7LkP/12lDuC26SCngF1M8jAoMLdd
lyLnjlIxgtJSh1/01JzdTlLUjLoNXCslQKuDuvv9VXPNNhec3CTVF5Gpyqufwnnh
96KaUK8Bb20uBjLRISwoEnS416vZK8WG0RDpDj0jZeBL/cbhzRbJxFvOozM62FWG
iHnhRGOHIUm5J+j1DK50eDaSi+gNCCNsYxrYbXzyO34EcpBb48OTDWHK0LC/jelL
FvtpiDDwP7pYOMme63e5TRN5WBCwH9VcFeLFaCa8Cfabu6k4qy0IqwUU5wYDvg6C
Z5zIROkVSvD1O4zWAdfZqwhpJ0bGKHdFRwQ2TphOiW2aHwOjKy58Brtrfa3qCvrB
7CNqEc9KykxkYwwsoACC6iUnW5CLxOF9Nvm0pWGEB+PZErfYDuS7o3vvDFkb5nNg
pnq+icz4M4U3OxRmA1g3EiZEsCwGQzL5pOzZS9IsoofYMuZd5oUuT0N9kZV330Cj
JVUvIDwNx5iUb/gpvfh3UXKD6EA2myRmVL5adbEghKh0U4UVg9Dqb20asr/fbQsE
YbT2fJTdG/VMPQUA5HXXOpkPlfafDSr016TKD3OvWrhi+P9hrNKJd2A7J7zNf6Tn
EM4nvCBMU02mx/aCRPdgagcPCTbjhFVC16yDcTrXaPwI/INxVdCxfnikRDxjXXdb
KzQofUuEeBFRyhRySuHR
=Cocf
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.