SB2025072732 - Debian update for thunderbird

Description

This security bulletin contains information about 9 secuirty vulnerabilities.

1) Buffer Over-read (CVE-ID: CVE-2025-8027)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists on 64-bit systems due to IonMonkey-JIT JavaScript engine write only 32 bits of the 64-bit return value space on the stack, however read the entire 64 bits. A remote attacker can trick the victim into visiting a specially crafted website and execute arbitrary code on the system.

2) Incorrect calculation (CVE-ID: CVE-2025-8028)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to a WASM br_table instruction with a lot of entries can lead to the label being too far from the instruction causing truncation and incorrect computation of the branch address. A remote attacker can execute arbitrary code on the target system.

Note, the vulnerability affects ARM64 systems only. 

3) Code Injection (CVE-ID: CVE-2025-8029)

The vulnerability allows a remote attacker to execute arbitrary JavaScript code passed via URL.

The vulnerability exists due to Firefox executes javascript: URLs when used in object and embed tags. A remote attacker can trick the victim into visiting a specially crafted website and execute arbitrary code via objects or embed tags.

4) Code Injection (CVE-ID: CVE-2025-8030)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation in the “Copy as cURL” feature. A remote attacker can trick the victim into copying a specially crafted URL and execute unexpected code on the system.

5) Information disclosure (CVE-ID: CVE-2025-8031)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to incorrect stripping in CSP reports. The username:password part was not correctly stripped from URLs in CSP reports potentially leaking HTTP Basic Authentication credentials.

6) Protection Mechanism Failure (CVE-ID: CVE-2025-8032)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to incorrect propagation of the source document when loading an XSLT document. A remote attacker can bypass CSP restrictions. 

7) NULL pointer dereference (CVE-ID: CVE-2025-8033)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error in the JavaScript engine when handling closed generators. A remote attacker can trick the victim into visiting a specially crafted website and crash the browser. 

8) Buffer overflow (CVE-ID: CVE-2025-8034)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

9) Buffer overflow (CVE-ID: CVE-2025-8035)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Remediation

Install update from vendor's website.

References

• https://lists.debian.org/debian-security-announce/2025/msg00130.html