User:Csfore/MFSA Reporting

Note
Even though this page is in the user namespace, corrections and additions are much appreciated! This is simply wiki policy; this page can be moved to the main wiki as soon as it achieves critical mass.
Important
This page is listed under Userspace collaboration, but for any improvements regarding the actual process of reporting MFSAs, please suggest them under the Talk page or ping me in the #gentoo-security IRC channel! For grammar or extra clarification, feel free to make changes.

Just a place to document the process I use in case I have a prolonged absence or someone wishes to report them before I can get to them.

gentoo-mfsa

This is a tool I wrote in Python that parses Mozilla's YAML files for MFSAs and prints them in a copy/paste-style format for bugs. It still needs work, but it is semi-reliable currently.

Link

Cloning the Foundation Security Advisories

The repository containing the YAML files for MFSAs is stored here.

And simply clone it with Git:

This repository contains a directory named announce, which is where the YAML files are stored. By default, gentoo-mfsa looks for this directory in $PWD, but the location can be changed with the -d flag.

Running gentoo-mfsa

Running the program is simple enough:

user $ ./gentoo-mfsa <List of MFSA IDs>

<MFSA IDs> is in the format XX, where 'XX' is the number of the MFSA, so MFSA2024-11 will be 11.

It is possible to alter the year as well if needed with the flag -y.

For example, to get the output for MFSA2025-{01,02,05}, run:

user $ ./gentoo-mfsa 01 02 05
============================
Firefox 134
============================
CVE-2025-0245:

Under certain circumstances, a user opt-in setting that Focus should require authentication before use could have been be bypassed.


CVE-2025-0247:

Memory safety bugs present in Firefox 133 and Thunderbird 133. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.


============================
All products
============================
CVE-2025-0237:

The WebChannel API, which is used to transport various information across processes, did not check the sending principal but rather accepted the principal being sent. This could have led to privilege escalation attacks.


CVE-2025-0238:

Assuming a controlled failed memory allocation, an attacker could have caused a use-after-free, leading to a potentially exploitable crash.


CVE-2025-0239:

When using Alt-Svc, ALPN did not properly validate certificates when the original server is redirecting to an insecure site.


CVE-2025-0240:

Parsing a JavaScript module as JSON could under some circumstances cause cross-compartment access, which may result in a use-after-free.


CVE-2025-0241:

When segmenting specially crafted text, segmentation would corrupt memory leading to a potentially exploitable crash.


CVE-2025-0242:

Memory safety bugs present in Firefox 133, Thunderbird 133, Firefox ESR 115.18, Firefox ESR 128.5, Thunderbird 115.18, and Thunderbird 128.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.


CVE-2025-0243:

Memory safety bugs present in Firefox 133, Thunderbird 133, Firefox ESR 128.5, and Thunderbird 128.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.


Firefox 134: https://www.mozilla.org/en-US/security/advisories/mfsa2025-01/
Firefox ESR 128.6: https://www.mozilla.org/en-US/security/advisories/mfsa2025-02/
Thunderbird 128.6: https://www.mozilla.org/en-US/security/advisories/mfsa2025-05/

======================
Bug details
======================
Aliases:
CVE-2025-0245,CVE-2025-0247,CVE-2025-0237,CVE-2025-0238,CVE-2025-0239,CVE-2025-0240,CVE-2025-0241,CVE-2025-0242,CVE-2025-0243,MFSA2025-01,MFSA2025-02,MFSA2025-05

URL:
https://www.mozilla.org/en-US/security/advisories/mfsa2025-01/

MFSA report generated!
Copy the CVE and descriptions below the product and report them in their appropriate bugs.
Please put the all product CVEs in the tracker.
Important
gentoo-mfsa is not perfect software and may misreport some MFSAs. Currently it checks for keywords in the CVE description to filter CVEs out for other operating systems, but sometimes they do not contain these keywords. Double-check the CVEs that are put in the bug description!

With this information it is now possible to submit the bugs for the Mozilla products!
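The note above describes a keyword filter on CVE descriptions, and the sample output splits CVEs between a product and "All products". The following is an added example, not gentoo-mfsa's own code, showing both steps on constructed input and why a description that names no operating system passes the filter. The data layout, the keyword list, the function names and the entry CVE-0000-0001 are assumptions made for illustration.

```python
import re

# Constructed input: advisory ID -> (product, {CVE: description}).
# Descriptions are shortened from the sample output above; CVE-0000-0001 is a
# made-up entry added to show a description that does name another OS.
ADVISORIES = {
    "MFSA2025-01": ("Firefox 134", {
        "CVE-2025-0245": "A user opt-in setting that Focus should require "
                         "authentication before use could have been bypassed.",
        "CVE-2025-0237": "The WebChannel API did not check the sending principal.",
        "CVE-0000-0001": "This bug only affects Firefox on Windows.",
    }),
    "MFSA2025-02": ("Firefox ESR 128.6", {
        "CVE-2025-0237": "The WebChannel API did not check the sending principal.",
    }),
}

# Assumed keyword list; the real tool's list may differ.
OTHER_OS = re.compile(r"\b(windows|macos|android|ios)\b", re.IGNORECASE)


def triage(advisories):
    """Split CVEs into tracker, per-product and filtered-out groups."""
    seen = {}   # CVE -> products whose advisory lists it
    text = {}   # CVE -> description
    for product, cves in advisories.values():
        for cve, desc in cves.items():
            seen.setdefault(cve, []).append(product)
            text[cve] = desc
    report = {"tracker": [], "product": {}, "filtered": []}
    for cve, products in seen.items():
        if OTHER_OS.search(text[cve]):
            report["filtered"].append(cve)      # description names another OS
        elif len(products) > 1:
            report["tracker"].append(cve)       # affects more than one product
        else:
            # No keyword matched, so the CVE is kept: review these by hand.
            report["product"].setdefault(products[0], []).append(cve)
    return report


def aliases(report, advisories):
    """Build the comma-separated alias line: CVEs first, then MFSA IDs."""
    cves = [c for group in report["product"].values() for c in group]
    return ",".join(cves + report["tracker"] + list(advisories))


if __name__ == "__main__":
    result = triage(ADVISORIES)
    print(result)
    print(aliases(result, ADVISORIES))
```

CVE-2025-0245 stays in the Firefox 134 group only because its text matches none of the keywords, which is exactly the kind of entry to read before filing.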

Opening the bugs

Tracker

The Tracker bug will typically have the CVEs that affect either all or more than one product.

The general format for the main tracker summary is:

[Tracker] Mozilla Foundation Security Advisory for [DATE]
CVE-1234-01:
...


Firefox 134: https://www.mozilla.org/en-US/security/advisories/mfsa2025-01/

Firefox ESR 128.6: https://www.mozilla.org/en-US/security/advisories/mfsa2025-02/

Thunderbird 128.6: https://www.mozilla.org/en-US/security/advisories/mfsa2025-05/

Product-specific bugs

The product-specific bugs will be the simplest bugs most of the time, with a typical security bug looking like the following:

www-client/firefox{-bin,}: multiple vulnerabilities
**No CVEs for solely this Mozilla product**

Please refer to the tracker for the full list of CVEs that affect all Mozilla products.