CVE-2023-25738
NixOS vulnerability analysis and mitigation

Overview

CVE-2023-25738 is a high-severity vulnerability affecting Firefox, Firefox ESR, and Thunderbird on Windows systems. The vulnerability was discovered by Mark and disclosed in February 2023. The issue affects Firefox versions before 110, Thunderbird versions before 102.8, and Firefox ESR versions before 102.8. The vulnerability stems from improper validation of members in the DEVMODEW struct set by printer device drivers (Mozilla Advisory, NVD).

Technical details

The vulnerability occurs because members of the DEVMODEW struct set by the printer device driver are not properly validated, so invalid values can be accepted from the driver. These invalid values could cause the browser to attempt out-of-bounds access to related variables. The issue has a CVSS v3.1 base score of 6.5 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. The vulnerability is classified as CWE-125 (Out-of-bounds Read) (NVD).

Impact

The vulnerability could cause the browser to crash when attempting to print on Windows systems. The issue specifically affects Windows users when interacting with certain printer device drivers. The bug is limited to Windows operating systems; other operating systems are unaffected (Mozilla Advisory).

Mitigation and workarounds

The vulnerability was fixed in Firefox 110, Firefox ESR 102.8, and Thunderbird 102.8. The fix involved implementing proper validation of the DEVMODEW struct values and clearing the default DEVMODEW storage on failure to prevent subsequent reuse of uninitialized data. As a temporary workaround before updating, users experiencing crashes could switch to using generic printer drivers (Mozilla Bug).

Additional resources


Source: This report was generated using AI.

Related NixOS vulnerabilities:

CVE ID          Severity  Score  Technologies  Component name  CISA KEV exploit  Has fix  Published date
CVE-2025-48606  HIGH      7.8    NixOS         android         No                No       Dec 08, 2025
CVE-2025-48639  HIGH      7.3    NixOS         android         No                No       Dec 08, 2025
CVE-2025-48625  HIGH      7      NixOS         android         No                No       Dec 08, 2025
CVE-2025-48608  MEDIUM    5.5    NixOS         android         No                No       Dec 08, 2025
CVE-2025-48569  MEDIUM    5.5    NixOS         android         No                No       Dec 08, 2025
