Bug 2170383 (CVE-2023-25732)

Summary: CVE-2023-25732 Mozilla: Out of bounds memory write from EncodeInputStream
Product: [Other] Security Response Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: erack, jhorak, nobody, stransky, tpopela
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: firefox 102.8, thunderbird 102.8 Doc Type: If docs needed, set a value
Doc Text:
The Mozilla Foundation Security Advisory describes this flaw as: When encoding data from an `inputStream` in `xpcom` the size of the input being encoded was not correctly calculated potentially leading to an out of bounds memory write.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2023-02-20 18:33:31 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2167578, 2167579, 2167580, 2167581, 2167582, 2167583, 2167584, 2167585, 2167586, 2167587, 2167588, 2167672, 2167673, 2167674, 2167675, 2167676, 2167677, 2167678, 2167679, 2167680, 2167681, 2167682    
Bug Blocks: 2167576    

Description Dhananjay Arunesh 2023-02-16 09:09:51 UTC 
When encoding data from an `inputStream` in `xpcom` the size of the input being encoded was not correctly calculated potentially leading to an out of bounds memory write.

External Reference:
https://www.mozilla.org/en-US/security/advisories/mfsa2023-06/#CVE-2023-25732
Comment 1 errata-xmlrpc 2023-02-20 08:16:38 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2023:0806 https://access.redhat.com/errata/RHSA-2023:0806
Comment 2 errata-xmlrpc 2023-02-20 08:18:40 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2023:0805 https://access.redhat.com/errata/RHSA-2023:0805
Comment 3 errata-xmlrpc 2023-02-20 08:23:31 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:0809 https://access.redhat.com/errata/RHSA-2023:0809
Comment 4 errata-xmlrpc 2023-02-20 08:25:07 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:0810 https://access.redhat.com/errata/RHSA-2023:0810
Comment 5 errata-xmlrpc 2023-02-20 08:25:45 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:0807 https://access.redhat.com/errata/RHSA-2023:0807
Comment 6 errata-xmlrpc 2023-02-20 08:26:31 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2023:0811 https://access.redhat.com/errata/RHSA-2023:0811
Comment 7 errata-xmlrpc 2023-02-20 08:27:16 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:0808 https://access.redhat.com/errata/RHSA-2023:0808
Comment 8 errata-xmlrpc 2023-02-20 08:27:50 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2023:0812 https://access.redhat.com/errata/RHSA-2023:0812
Comment 9 errata-xmlrpc 2023-02-20 12:12:13 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2023:0818 https://access.redhat.com/errata/RHSA-2023:0818
Comment 10 errata-xmlrpc 2023-02-20 12:12:44 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2023:0819 https://access.redhat.com/errata/RHSA-2023:0819
Comment 11 errata-xmlrpc 2023-02-20 12:16:42 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:0822 https://access.redhat.com/errata/RHSA-2023:0822
Comment 12 errata-xmlrpc 2023-02-20 12:17:00 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2023:0817 https://access.redhat.com/errata/RHSA-2023:0817
Comment 13 errata-xmlrpc 2023-02-20 12:17:20 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:0824 https://access.redhat.com/errata/RHSA-2023:0824
Comment 14 errata-xmlrpc 2023-02-20 12:17:39 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2023:0820 https://access.redhat.com/errata/RHSA-2023:0820
Comment 15 errata-xmlrpc 2023-02-20 12:17:58 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:0821 https://access.redhat.com/errata/RHSA-2023:0821
Comment 16 errata-xmlrpc 2023-02-20 12:18:17 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:0823 https://access.redhat.com/errata/RHSA-2023:0823
Comment 17 Product Security DevOps Team 2023-02-20 18:33:29 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-25732