Advisories » MGASA-2025-0195

Updated nss & firefox packages fix security vulnerabilities

Publication date: 25 Jun 2025
Modification date: 25 Jun 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-5262 , CVE-2025-5263 , CVE-2025-5264 , CVE-2025-5266 , CVE-2025-5267 , CVE-2025-5268 , CVE-2025-5269

Description

CVE-2025-5283: A double-free could have occurred in
vpx_codec_enc_init_multi after a failed allocation when initializing the
encoder for WebRTC. This could have caused memory corruption and a
potentially exploitable crash.
CVE-2025-5263: Error handling for script execution was incorrectly
isolated from web content, which could have allowed cross-origin leak
attacks.
CVE-2025-5264: Due to insufficient escaping of the newline character in
the “Copy as cURL” feature, an attacker could trick a user into using
this command, potentially leading to local code execution on the user's
system.
CVE-2025-5266: Script elements loading cross-origin resources generated
load and error events which leaked information enabling XS-Leaks
attacks.
CVE-2025-5267: A clickjacking vulnerability could have been used to
trick a user into leaking saved payment card details to a malicious
page.
CVE-2025-5268: Memory safety bugs present in Firefox 138, Thunderbird
138, Firefox ESR 128.10, and Thunderbird 128.10. Some of these bugs
showed evidence of memory corruption and we presume that with enough
effort some of these could have been exploited to run arbitrary code.
CVE-2025-5269: Memory safety bug present in Firefox ESR 128.10, and
Thunderbird 128.10. This bug showed evidence of memory corruption and we
presume that with enough effort this could have been exploited to run
arbitrary code.
We can't ship this update to armv7hl architecture, we are investigating
the issue and will try to update firefox for armv7hl as soon as posible.

References

SRPMS

9/core