CVE-2024-0741: 
NixOS vulnerability analysis and mitigation

CVE-2024-0741 is a high-severity vulnerability discovered in ANGLE (Almost Native Graphics Layer Engine) that affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7. The vulnerability was disclosed on January 23, 2024, and was reported by security researcher Renan Rios (Mozilla Advisory).

The vulnerability is classified as an out-of-bounds write issue (CWE-787) in ANGLE that could allow an attacker to corrupt memory. The vulnerability has a CVSS v3.1 base score of 6.5 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H (NVD). The issue stems from a validation bypass in the ANGLE Translator component, specifically in the VariablePacker::checkExpandedVariablesWithinPackingLimits function, which could lead to a heap buffer overflow in VariablePacker::fillColumns (Mozilla Bug).

The vulnerability could allow an attacker to corrupt memory, potentially leading to an exploitable crash. In Thunderbird, while the vulnerability exists, it cannot be exploited through email as scripting is disabled when reading mail, but it remains a potential risk in browser or browser-like contexts (Mozilla Advisory).

The vulnerability has been fixed in Firefox 122, Firefox ESR 115.7, and Thunderbird 115.7. Users are recommended to upgrade to these versions or later to mitigate the risk. Debian has also released security updates for affected packages in various distributions (Debian LTS, Debian LTS).