
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2023-29543 is a security vulnerability discovered in Mozilla Firefox that affects Firefox for Android < 112, Firefox < 112, and Focus for Android < 112. The vulnerability was disclosed on April 11, 2023, and was reported by security researcher Lukas Bernhard (Mozilla Advisory, NVD).
The vulnerability is a use-after-free issue in the debugging APIs of Firefox. A global object's debugger vector can be mutated during garbage collection, so a collection that runs while a ranged for loop is iterating over the vector can delete debuggers the loop is still attempting to visit, leading to memory corruption (Mozilla Advisory, Bugzilla). The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD).
If successfully exploited, this vulnerability could allow an attacker to cause memory corruption and potentially execute arbitrary code through a use-after-free condition in the global object's debugger vector (Mozilla Advisory, NVD).
The vulnerability was fixed in Firefox 112, Firefox for Android 112, and Focus for Android 112. The fix involved disallowing garbage collection while iterating over the global object's debugger vector and requiring no garbage collection when providing references to the realm's debugger vector (Mozilla Advisory, Ubuntu Security).
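The bug class and the shape of the fix, as an added C++ sketch that is not Firefox or SpiderMonkey code: every name here (`Realm`, `NoGcScope`, `visitAll`) is hypothetical, and deferring the sweep until the scope ends is this sketch's own choice for modelling "no garbage collection while a reference to the vector is held".

```cpp
#include <algorithm>
#include <cstddef>
#include <memory>
#include <vector>

// Hypothetical model types; none of these names come from Firefox.
struct Debugger { int id; bool live; };
using DebuggerVector = std::vector<std::unique_ptr<Debugger>>;

class Realm {
    DebuggerVector debuggers_;
    int noGcDepth_ = 0;       // > 0 while a reference to the vector is handed out
    bool gcPending_ = false;  // a collection was requested while forbidden
public:
    // The only way to reach the vector: holding this scope forbids collection.
    class NoGcScope {
        Realm& realm_;
    public:
        explicit NoGcScope(Realm& r) : realm_(r) { ++realm_.noGcDepth_; }
        NoGcScope(const NoGcScope&) = delete;
        ~NoGcScope() {
            if (--realm_.noGcDepth_ == 0 && realm_.gcPending_) realm_.collect();
        }
        const DebuggerVector& debuggers() const { return realm_.debuggers_; }
    };
    void add(int id, bool live) {
        debuggers_.push_back(std::unique_ptr<Debugger>(new Debugger{id, live}));
    }
    std::size_t count() const { return debuggers_.size(); }
    // Sweeps dead debuggers out of the vector. Returns false (and defers the
    // sweep) if any NoGcScope is alive, so no iterator can be invalidated.
    bool collect() {
        if (noGcDepth_ > 0) { gcPending_ = true; return false; }
        gcPending_ = false;
        debuggers_.erase(std::remove_if(debuggers_.begin(), debuggers_.end(),
            [](const std::unique_ptr<Debugger>& d) { return !d->live; }),
            debuggers_.end());
        return true;
    }
};

// Without the scope, collect() inside this loop would erase and free elements
// the ranged for loop is still walking: the use-after-free described above.
int visitAll(Realm& realm) {
    Realm::NoGcScope scope(realm);
    int visited = 0;
    for (const auto& dbg : scope.debuggers()) {
        realm.collect();            // stands in for work that triggers a GC
        visited += (dbg->id != 0);  // dereference stays valid: sweep deferred
    }
    return visited;
}
```

Because the vector is private and reachable only through `NoGcScope`, a caller cannot obtain a reference to it without also forbidding collection for as long as that reference lives.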
Source: This report was generated using AI