CVE-2023-4050: 
NixOS vulnerability analysis and mitigation

CVE-2023-4050 is a high-severity vulnerability discovered in Mozilla Firefox and Firefox ESR that was disclosed on August 1, 2023. The vulnerability occurs when an untrusted input stream is copied to a stack buffer without checking its size, which could result in a stack buffer overflow. This security flaw affects Firefox versions prior to 116, Firefox ESR versions prior to 102.14, and Firefox ESR versions prior to 115.1 (Mozilla Advisory, NVD).

The vulnerability exists in the StorageManager component where a stack buffer overflow condition occurs during the deserialization of an untrusted input stream. The issue stems from the NSSCipherStrategy::DeserializeKey function, which fails to properly validate the size of incoming data before copying it to a stack buffer. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability could lead to a potentially exploitable crash which might result in a sandbox escape. While the immediate impact is a crash of the application, the potential for sandbox escape makes this vulnerability particularly concerning as it could allow an attacker to break out of Firefox's security containment (Mozilla Advisory).

The vulnerability has been fixed in Firefox 116, Firefox ESR 102.14, and Firefox ESR 115.1. Users are strongly advised to update to these or later versions. The fix involves making the CypherStrategy::DeserializeKey function fallible and implementing proper size validation before buffer operations (Mozilla Advisory, Debian Advisory).