Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <ovqbvdsvupbr2dse76qem7ukiyidoqdynmm4rn7ah5kqiagugg@xbgvxewonj4p>
Date: Mon, 10 Mar 2025 15:30:30 +0200
From: Valtteri Vuorikoski <vuori@...com.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2025-1937+more: Numerous memory-safety issues in Firefox &
 Thunderbird

Last week Mozilla published security advisories for Firefox and Thunderbird
which are overall rated "high" for the latest versions (136) and "critical" for
the currently-supported ESR releases. However the only issue ranked
critical only affects Android, looks like desktop versions top out at high.

The advisories list a large number of memory-safety issues affecting both
products. For Thunderbird, it appears that all issues are related to browser
functionality; I don't see any related specifically to the e-mail handling side.

Mozilla advisories: <https://www.mozilla.org/en-US/security/advisories/> (the March 4 list)

Debian has shipped updates for bookworm for both FF and TB. DSAs:

FF: <https://www.mozilla.org/en-US/security/advisories/mfsa2025-16/>
TB: <https://www.mozilla.org/en-US/security/advisories/mfsa2025-16/>

High/critical issues from both for 128-based ESR versions from the Mozilla
advisories, excluding Windows-only:

CVE-2024-43097: Overflow when growing an SkRegion's RunArray

Reporter
    Google Android
Impact
    critical

Description

In resizeToAtLeast of SkRegion.cpp, there was a possible out of bounds write due
to an integer overflow


CVE-2025-1931: Use-after-free in WebTransportChild

Reporter
    sherkito
Impact
    high

Description

It was possible to cause a use-after-free in the content process side of a
WebTransport connection, leading to a potentially exploitable crash.


CVE-2025-1932: Inconsistent comparator in XSLT sorting led to out-of-bounds access

Reporter
    Ivan Fratric of Google Project Zero
Impact
    high

Description

An inconsistent comparator in xslt/txNodeSorter could have resulted in
potentially exploitable out-of-bounds access. Only affected version 122 and
later.


CVE-2025-1933: JIT corruption of WASM i32 return values on 64-bit CPUs

Reporter
    Xiangwei Zhang and kkdong of Tencent Security YUNDING LAB
Impact
    high

Description

On 64-bit CPUs, when the JIT compiles WASM i32 return values they can pick up
bits from left over memory. This can potentially cause them to be treated as a
different type.


CVE-2025-1937: Memory safety bugs fixed in Firefox 136, Thunderbird 136, Firefox ESR 115.21, Firefox ESR 128.8, and Thunderbird 128.8

Reporter
    the Mozilla Fuzzing Team, Andrew McCreight
Impact
    high

Description

Memory safety bugs present in Firefox 135, Thunderbird 135, Firefox ESR 115.20,
Firefox ESR 128.7, and Thunderbird 128.7. Some of these bugs showed evidence of
memory corruption and we presume that with enough effort some of these could
have been exploited to run arbitrary code.


CVE-2025-1938: Memory safety bugs fixed in Firefox 136, Thunderbird 136, Firefox ESR 128.8, and Thunderbird 128.8

Reporter
    Julien Wajsberg, the Mozilla Fuzzing Team
Impact
    high

Description

Memory safety bugs present in Firefox 135, Thunderbird 135, Firefox ESR 128.7,
and Thunderbird 128.7. Some of these bugs showed evidence of memory corruption
and we presume that with enough effort some of these could have been exploited
to run arbitrary code.  References


 -Valtteri
 

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.