| Name | CVE-2023-6856 |
| Description | The WebGL `DrawElementsInstanced` method was susceptible to a heap buffer overflow when used on systems with the Mesa VM driver. This issue could allow an attacker to perform remote code execution and sandbox escape. This vulnerability affects Firefox ESR < 115.6, Thunderbird < 115.6, and Firefox < 121. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-3697-1, DLA-3698-1, DSA-5581-1, DSA-5582-1 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| firefox (PTS) | sid | 125.0.2-1 | fixed |
| firefox-esr (PTS) | jessie, jessie (lts) | 68.9.0esr-1~deb8u2 | vulnerable |
| stretch (security), stretch (lts), stretch | 91.11.0esr-1~deb9u1 | vulnerable | |
| buster | 91.12.0esr-1~deb10u1 | vulnerable | |
| buster (security) | 115.10.0esr-1~deb10u1 | fixed | |
| bullseye | 115.7.0esr-1~deb11u1 | fixed | |
| bullseye (security) | 115.10.0esr-1~deb11u1 | fixed | |
| bookworm | 115.7.0esr-1~deb12u1 | fixed | |
| bookworm (security) | 115.10.0esr-1~deb12u1 | fixed | |
| trixie | 115.8.0esr-1 | fixed | |
| sid | 115.10.0esr-1 | fixed | |
| thunderbird (PTS) | jessie, jessie (lts) | 1:68.9.0-1~deb8u2 | vulnerable |
| stretch (security), stretch (lts), stretch | 1:91.10.0-1~deb9u1 | vulnerable | |
| buster | 1:91.12.0-1~deb10u1 | vulnerable | |
| buster (security) | 1:115.10.1-1~deb10u1 | fixed | |
| bullseye | 1:115.7.0-1~deb11u1 | fixed | |
| bullseye (security) | 1:115.10.1-1~deb11u1 | fixed | |
| bookworm | 1:115.7.0-1~deb12u1 | fixed | |
| bookworm (security) | 1:115.10.1-1~deb12u1 | fixed | |
| sid | 1:115.10.1-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| firefox | source | (unstable) | 121.0-1 | |||
| firefox-esr | source | jessie | (unfixed) | end-of-life | ||
| firefox-esr | source | stretch | (unfixed) | end-of-life | ||
| firefox-esr | source | buster | 115.6.0esr-1~deb10u1 | DLA-3697-1 | ||
| firefox-esr | source | bullseye | 115.6.0esr-1~deb11u1 | DSA-5581-1 | ||
| firefox-esr | source | bookworm | 115.6.0esr-1~deb12u1 | DSA-5581-1 | ||
| firefox-esr | source | (unstable) | 115.6.0esr-1 | |||
| thunderbird | source | jessie | (unfixed) | end-of-life | ||
| thunderbird | source | stretch | (unfixed) | end-of-life | ||
| thunderbird | source | buster | 1:115.6.0-1~deb10u1 | DLA-3698-1 | ||
| thunderbird | source | bullseye | 1:115.6.0-1~deb11u1 | DSA-5582-1 | ||
| thunderbird | source | bookworm | 1:115.6.0-1~deb12u1 | DSA-5582-1 | ||
| thunderbird | source | (unstable) | 1:115.6.0-1 |
https://www.mozilla.org/en-US/security/advisories/mfsa2023-56/#CVE-2023-6856
https://www.mozilla.org/en-US/security/advisories/mfsa2023-55/#CVE-2023-6856
https://www.mozilla.org/en-US/security/advisories/mfsa2023-54/#CVE-2023-6856