CVE-2023-6204: 
NixOS vulnerability analysis and mitigation

CVE-2023-6204 is a high-impact vulnerability discovered in Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5. The vulnerability was disclosed on November 21, 2023, and was discovered by JSec of Hayyim Security. The issue affects the WebGL2 blitFramebuffer functionality in these Mozilla products (Mozilla Advisory).

The vulnerability is an out-of-bounds read vulnerability in the WebGL2 blitFramebuffer functionality. On specific systems with certain graphics settings and drivers, it was possible to force an out-of-bounds read operation that could leak memory data into images created on the canvas element. The vulnerability has been assigned a CVSS v3.1 Base Score of 6.5 (MEDIUM) with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N (NVD).

The vulnerability allows attackers to perform an out-of-bounds read operation, potentially leading to information disclosure by leaking memory data into canvas element images. This could expose sensitive information from the browser's memory (Mozilla Advisory).

The vulnerability has been fixed in Firefox 120, Firefox ESR 115.5.0, and Thunderbird 115.5. Users are advised to upgrade to these versions or later to mitigate the risk. The fix has been backported to various distributions, including Debian 10 (buster) and 11 (bullseye) (Debian Advisory).