CVE-2023-37576: 
NixOS vulnerability analysis and mitigation

Multiple use-after-free vulnerabilities exist in the VCD get_vartoken realloc functionality of GTKWave 3.3.115. A specially crafted .vcd file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability specifically concerns the use-after-free when triggered via the vcd2vzt conversion utility (Talos).

The vulnerability exists in the VCD get_vartoken realloc functionality where a use-after-free condition occurs during variable name parsing. When processing VCD files, the get_vartoken function may reallocate the yytext buffer when it reaches T_MAX_STR size, but fails to update the varsplit pointer which can then point to freed memory. This leads to potential out-of-bounds memory operations and NULL byte writes to freed memory locations. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.8 (HIGH) with vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (Talos).

The vulnerability can lead to arbitrary code execution when a malicious .vcd file is processed. An attacker can potentially achieve code execution through carefully crafted VCD files that trigger the use-after-free condition. The high CVSS score reflects the severe potential impact, with possible complete compromise of system confidentiality, integrity, and availability (Talos).

The vulnerability has been fixed in GTKWave version 3.3.118. Users are recommended to upgrade to this version or later. Multiple distributions have released security updates to address this vulnerability, including Debian which has released fixes in versions 3.3.104+really3.3.118-0+deb11u1 for bullseye and 3.3.118-0.1~deb12u1 for bookworm (Debian LTS).