CVE-2023-25732: 
NixOS vulnerability analysis and mitigation

CVE-2023-25732 is a security vulnerability discovered in Mozilla Firefox, Firefox ESR, and Thunderbird affecting versions prior to Firefox 110, Firefox ESR 102.8, and Thunderbird 102.8. The vulnerability was identified when encoding data from an inputStream in xpcom, where the size of the input being encoded was not correctly calculated (Mozilla Advisory, NVD).

The vulnerability occurs in the EncodeInputStream() function within xpcom/io/base64.cpp. The bug manifests when the while loop doesn't adjust aCount to account for processed input, causing it to use the original value and potentially empty the entire stream contents even if that exceeds aCount bytes. This could lead to an out-of-bounds memory write when the stream is longer than aCount or when a dynamic stream becomes longer during execution (Mozilla Bug).

The vulnerability has been rated as having a moderate impact. It could potentially lead to an out-of-bounds memory write, which could result in memory corruption. The CVSS v3.1 base score is 8.8 HIGH with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD).

The vulnerability was patched in Firefox 110, Firefox ESR 102.8, and Thunderbird 102.8. The fix involves properly respecting the aCount parameter in EncodeInputStream and improving the handling of streams shorter than aCount bytes. Users are advised to upgrade to these versions or later to receive the security fix (Mozilla Advisory).