
oss-sec mailing list archives
Re: CVE-2025-1937+more: Numerous memory-safety issues in Firefox & Thunderbird
From: Moritz Mühlenhoff <jmm () inutil org>
Date: Tue, 11 Mar 2025 21:25:47 +0000
On Mon, Mar 10, 2025 at 06:06:55PM -0500, Jacob Bachmeyer wrote:
On 3/10/25 08:30, Valtteri Vuorikoski wrote:[...] However the only issue ranked critical only affects Android, looks like desktop versions top out at high.My understanding is that the issue was *reported* by the Android project, but it affects *ALL* builds, including desktop.
The timeline basically looks like this: - CVE-2024-43768, CVE-2024-43767 and CVE-2024-43097 were fixed in the December Android update and are in Skia, a 2G graphics library which is also bundled by Firefox/Thunderbird - These CVEs appeared in the CVE feed on 2025-01-02 and when triaging incoming security issues for Debian, I noticed that while Firefox was fixed via some rebase to a newer version of Skia, these fixes were missing in Firefox ESR 128, which hadn't seen the respective Skia rebase (since these fixes were not identified as security-relevant) - I reported these to the Mozilla security team on 2025-01-09 - On 2025-02-03 they confirmed that CVE-2024-43768 and CVE-2024-43767 are in code which isn't exercised in Firefox - On 2025-03-04 the Firefox/Thunderbird 128.8 releases were published which include a fix for CVE-2024-43097 Cheers, Moritz
Current thread:
- CVE-2025-1937+more: Numerous memory-safety issues in Firefox & Thunderbird Valtteri Vuorikoski (Mar 10)
- Re: CVE-2025-1937+more: Numerous memory-safety issues in Firefox & Thunderbird Jacob Bachmeyer (Mar 10)
- Re: CVE-2025-1937+more: Numerous memory-safety issues in Firefox & Thunderbird Moritz Mühlenhoff (Mar 11)
- Re: CVE-2025-1937+more: Numerous memory-safety issues in Firefox & Thunderbird Jacob Bachmeyer (Mar 10)