CVE-2024-1552
NixOS vulnerability analysis and mitigation

Overview

CVE-2024-1552 is a security vulnerability affecting Mozilla products that involves incorrect code generation leading to unexpected numeric conversions and potential undefined behavior. The vulnerability specifically affects 32-bit ARM devices in Firefox versions before 123, Firefox ESR versions before 115.8, and Thunderbird versions before 115.8. This issue was discovered by Gary Kwong and publicly disclosed on February 20, 2024 (Mozilla Advisory).

Technical details

The vulnerability stems from a bug in the code generator: a ScratchFloat32Scope was used where a ScratchDoubleScope was required. As a result, convertFloat32ToDouble, which expects its destination register to be a double register, was handed a float32 scratch register. The issue is specific to the ARM backend's handling of floating-point registers, where the incorrect code generation could produce unexpected numeric conversions (Mozilla Bug). The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N (NVD).

Impact

The impact of this vulnerability is considered low because its scope is limited to 32-bit ARM devices. While the bug could lead to undefined behavior through unexpected numeric conversions, security researchers have assessed that exploitation is unlikely. The issue is confined to the numeric conversion logic in the JavaScript engine's code generation phase (Mozilla Advisory).

Mitigation and workarounds

The vulnerability has been fixed in Firefox 123, Firefox ESR 115.8, and Thunderbird 115.8. Users are advised to update their Mozilla products to these versions or later. The fix involves using ScratchDoubleScope instead of ScratchFloat32Scope in the affected code (Mozilla Advisory, Debian Advisory).
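As an added example (not code from Wiz or Mozilla), the following script turns the fixed versions and the 32-bit ARM scope stated above into an inventory check a defender can run against a software list. It separates the Firefox release branch (fixed at 123) from the ESR branch (fixed at 115.8), since a plain numeric comparison would wrongly mark Firefox 116 through 122 as newer than ESR 115.8 and therefore safe. The sample inventory, the `esr` suffix convention and the architecture labels are assumptions made for the example.

```python
"""Triage an inventory for CVE-2024-1552 exposure.

Added example, not part of the original page or any Mozilla tooling.
Fixed versions and the 32-bit ARM scope come from the advisory text;
the inventory records below are constructed sample data.
"""
import re

# Fixed versions as stated in the advisory:
# Firefox 123, Firefox ESR 115.8, Thunderbird 115.8.
FIXED = {
    "firefox": (123, 0),
    "firefox-esr": (115, 8),
    "thunderbird": (115, 8),
}

# Only 32-bit ARM builds are affected. The label set is an assumption
# covering common uname/dpkg spellings; extend it for your inventory.
AFFECTED_ARCHES = {"arm", "armv6l", "armv7l", "armhf"}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.\d+)*(esr)?$")


def parse_version(text):
    """Parse '115.8.0esr' or '122.0.1' into (major, minor, is_esr).

    The trailing 'esr' suffix is how Mozilla labels ESR builds; we use it to
    pick the right fixed version for the branch.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), m.group(3) is not None


def is_vulnerable(product, version, arch):
    """Return True if this product/version/arch still needs the fix."""
    if arch not in AFFECTED_ARCHES:
        return False  # advisory scope: 32-bit ARM only
    major, minor, esr = parse_version(version)
    key = "firefox-esr" if (product == "firefox" and esr) else product
    if key not in FIXED:
        raise ValueError(f"unknown product: {product!r}")
    # Everything before the branch's fixed version is vulnerable, so
    # Firefox 116-122 (release branch) are still flagged even though they are
    # numerically above ESR 115.8.
    return (major, minor) < FIXED[key]


def triage(inventory):
    """Return (host, product, version) for each vulnerable inventory entry."""
    return [
        (e["host"], e["product"], e["version"])
        for e in inventory
        if is_vulnerable(e["product"], e["version"], e["arch"])
    ]


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    {"host": "pi-kiosk-01", "product": "firefox", "version": "122.0.1", "arch": "armv7l"},
    {"host": "pi-kiosk-02", "product": "firefox", "version": "123.0", "arch": "armv7l"},
    {"host": "deb-arm-03", "product": "firefox", "version": "115.7.0esr", "arch": "armhf"},
    {"host": "deb-arm-04", "product": "firefox", "version": "115.8.0esr", "arch": "armhf"},
    {"host": "mail-arm-05", "product": "thunderbird", "version": "115.7.0", "arch": "armv7l"},
    {"host": "desktop-06", "product": "firefox", "version": "122.0", "arch": "x86_64"},
]

if __name__ == "__main__":
    for host, product, version in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} needs the CVE-2024-1552 fix")
```

Running the script lists only the three ARM hosts that are below their branch's fixed version; the x86_64 host on Firefox 122 is skipped because the advisory scope excludes it, not because its version is current.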
