CVE-2020-6797: 
NixOS vulnerability analysis and mitigation

CVE-2020-6797 is a security vulnerability discovered in Mozilla Firefox and Thunderbird that affects their extension system. The vulnerability was disclosed on February 11, 2020, and affects Firefox versions prior to 73.0, Firefox ESR versions before 68.5, and Thunderbird versions before 68.5. The issue specifically impacts Mac OSX systems, where extensions with downloads.open permission could potentially launch arbitrary applications on the user's computer (Mozilla Advisory, NVD).

The vulnerability stems from the handling of .fileloc extension files by Mozilla applications on macOS systems. When an extension with downloads.open permission downloads a file with the .fileloc extension, it could trigger the launch of arbitrary applications on the user's system. The vulnerability has been assigned a CVSS v3.1 Base Score of 4.3 (MEDIUM) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N (NVD).

The impact of this vulnerability is considered moderate. While it allows for the execution of arbitrary applications, the attacker is restricted in their capabilities. They cannot download non-quarantined files or supply command line arguments to the applications being launched, which limits the potential impact. The vulnerability only affects Mac OSX systems, with other operating systems being unaffected (Mozilla Advisory).

The vulnerability was patched in Firefox 73.0, Firefox ESR 68.5, and Thunderbird 68.5. Users are advised to upgrade to these versions or later to mitigate the vulnerability. The fix involved adding .fileloc to the list of dangerous extensions and implementing proper security checks for these files on macOS systems (Gentoo Advisory, Mozilla Advisory).