Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 953020 (CVE-2025-3028, CVE-2025-3029, CVE-2025-3030, CVE-2025-3031, CVE-2025-3032, CVE-2025-3034, MFSA2025-20, MFSA2025-22, MFSA2025-23, MFSA2025-24) - [Tracker] Mozilla Foundation Security Advisory for April 1, 2025
Summary: [Tracker] Mozilla Foundation Security Advisory for April 1, 2025
Status: CONFIRMED
Alias: CVE-2025-3028, CVE-2025-3029, CVE-2025-3030, CVE-2025-3031, CVE-2025-3032, CVE-2025-3034, MFSA2025-20, MFSA2025-22, MFSA2025-23, MFSA2025-24
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://www.mozilla.org/en-US/securit...
Whiteboard:
Keywords: Tracker
Depends on: CVE-2025-3035 953022 953023
Blocks:
  Show dependency tree
 
Reported: 2025-04-01 17:47 UTC by Christopher Fore
Modified: 2025-04-01 17:47 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Christopher Fore 2025-04-01 17:47:31 UTC 
CVE-2025-3028:

JavaScript code running while transforming a document with the XSLTProcessor could lead to a use-after-free.


CVE-2025-3029:

A crafted URL containing specific Unicode characters could have hidden the true origin of the page, resulting in a potential spoofing attack.


CVE-2025-3030:

Memory safety bugs present in Firefox 136, Thunderbird 136, Firefox ESR 128.8, and Thunderbird 128.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.


CVE-2025-3031:

An attacker could read 32 bits of values spilled onto the stack in a JIT compiled function.


CVE-2025-3032:

Leaking of file descriptors from the fork server to web content processes could allow for privilege escalation attacks.


CVE-2025-3034:

Memory safety bugs present in Firefox 136 and Thunderbird 136. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.


Thunderbird ESR 128.9: https://www.mozilla.org/en-US/security/advisories/mfsa2025-24/
Thunderbird 137: https://www.mozilla.org/en-US/security/advisories/mfsa2025-23/
Firefox ESR 128.9: https://www.mozilla.org/en-US/security/advisories/mfsa2025-22/
Firefox 137: https://www.mozilla.org/en-US/security/advisories/mfsa2025-20/