oss-sec mailing list archives

Re: Re: CVE-2013-1942 jPlayer 2.2.19 XSS
From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 03 Jul 2013 22:31:03 -0600

On 06/27/2013 10:57 AM, Steven M. Christey wrote:

Kurt,

Your CVE assignment posts from [1] and [2] appear to be
inconsistent, and there are some questions about affected versions,
so I wanted to get some clarity about which CVEs go with which
issues.

1) CVE-2013-1942 - fixed in 2.2.20. Commit:
e8ca190f7f972a6a421cb95f09e138720e40ed6d

This one doesn't seem to have any issues.

My understanding of this one is that it now filters out \\ < > = which
could be previously used to insert content into the parameters passed
to the SWF file resulting in XSS.


2) CVE-2013-2022 - based on [1] CVE-2013-2022 is listed after a
section that talks about an XSS fixed in 2.3.0 (which also includes
the CVE-2013-1942 assignment).   However, in [2] you say
"CVE-2013-2022 is for jPlayer 2.2.20 XSS" but
http://www.jplayer.org/2.3.0/release-notes/ says that CVE-2013-2022
is fixed in 2.2.23.  (Maybe when you said 2.2.20, this also covered
other unfixed versions UNTIL 2.2.23).

That was probably the case; I typically assume when I assign a CVE
that the next release will assign it (because usually people do fix
things quickly =). I was going off of
http://www.jplayer.org/latest/release-notes/ when I assigned these.


3) CVE-2013-2023 - in [1] you assign CVE-2013-2023 to the security
fix that quotes the jPlayer changelog entry for 2.2.23 - which, as
just mentioned in the previous bullet, you already described as
being associated with CVE-2013-2022.  In [2], you also state that 
CVE-2013-2023 is for jPlayer 2.2.23 XSS.

4) There is no mention of issues that are FIXED in 2.3.0 based on
upstream changelog, but
http://www.jplayer.org/2.4.0/release-notes/ lists fixes in both
2.3.1 and 2.3.2.



5) According to jPlayer release notes, we have:

[2.3.1] Security Fix: The Flash SWF had a minor security
vulnerability that enabled XSS (Cross Site Scripting). Reported by
Eugene Dokukin. Security reference CVE-2013-2023.

[2.3.2] Security Fix: Closed Flash SWF security vulnerability that 
enabled XSS (Cross Site Scripting). Reported by Eugene Dokukin.
Security reference CVE-2013-2023. The jPlayer noConflict option is
now restricted to strings that contain the term jQuery. For
example: lib.jQuery or myjQueryRocks.

[2.2.20] Security Fix: The Flash SWF had a security vulnerability
that enabled XSS (Cross Site Scripting). Reported by Malte Batram.
Security reference CVE-2013-1942.

[2.2.23] Security Fix: The Flash SWF had a minor security
vulnerability that enabled XSS (Cross Site Scripting). Reported by
Eugene Dokukin. Security reference CVE-2013-2022.

I'm of the mindset to use the CVE assignments as provided by
jQuery upstream, but it may be good to get full clarity down to the
individual commits.

Yeah, partly what happened is I was specifically asked for a CVE for
jPlayer by the ownCloud guys, I looked at the changelog, saw a bunch
more and assigned them as best I could.


[1] http://marc.info/?l=oss-security&m=136726705917858&w=2

[2] http://marc.info/?l=oss-security&m=136773622321563&w=2


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

