CVE-2025-1936
Publication date 4 March 2025
Last updated 5 March 2025
Ubuntu priority
jar: URLs retrieve local file content packaged in a ZIP archive. The null and everything after it was ignored when retrieving the content from the archive, but the fake extension after the null was used to determine the type of content. This could have been used to hide code in a web extension disguised as something else like an image. This vulnerability affects Firefox < 136, Firefox ESR < 128.8, Thunderbird < 136, and Thunderbird < 128.8.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| firefox | 24.10 oracular |
Not affected
|
| 24.04 LTS noble |
Not affected
|
|
| 22.04 LTS jammy |
Not affected
|
|
| 20.04 LTS focal |
Vulnerable
|
|
| mozjs102 | 24.10 oracular | Not in release |
| 24.04 LTS noble | Ignored | |
| 22.04 LTS jammy | Ignored | |
| 20.04 LTS focal | Not in release | |
| mozjs115 | 24.10 oracular | Ignored |
| 24.04 LTS noble | Ignored | |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal | Not in release | |
| mozjs38 | 24.10 oracular | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal | Not in release | |
| 18.04 LTS bionic |
Needs evaluation
|
|
| mozjs52 | 24.10 oracular | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal | Ignored | |
| 18.04 LTS bionic | Ignored | |
| mozjs68 | 24.10 oracular | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal | Ignored | |
| mozjs78 | 24.10 oracular | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Ignored | |
| 20.04 LTS focal | Not in release | |
| mozjs91 | 24.10 oracular | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Ignored | |
| 20.04 LTS focal | Not in release | |
| thunderbird | 24.10 oracular |
Not affected
|
| 24.04 LTS noble |
Not affected
|
|
| 22.04 LTS jammy |
Vulnerable
|
|
| 20.04 LTS focal |
Vulnerable
|
Notes
mdeslaur
mozjs* contain a copy of the SpiderMonkey JavaScript engine. It is not feasible to backport security fixes to the mozjs* packages, as such, marking them as ignored. starting with Ubuntu 22.04, the firefox package is just a script that installs the Firefox snap starting with Ubuntu 24.04, the thunderbird package is just a script that installs the Thunderbird snap
References
Other references
- https://www.cve.org/CVERecord?id=CVE-2025-1936
- https://www.mozilla.org/en-US/security/advisories/mfsa2025-14/#CVE-2025-1936
- https://www.mozilla.org/en-US/security/advisories/mfsa2025-16/#CVE-2025-1936
- https://bugzilla.mozilla.org/show_bug.cgi?id=1940027
- https://www.mozilla.org/security/advisories/mfsa2025-14/
- https://www.mozilla.org/security/advisories/mfsa2025-16/
- https://www.mozilla.org/security/advisories/mfsa2025-17/
- https://www.mozilla.org/security/advisories/mfsa2025-18/