CVE-2023-5174: 
NixOS vulnerability analysis and mitigation

CVE-2023-5174 is a double-free vulnerability in Firefox's Windows process spawning mechanism, discovered in September 2023. The vulnerability affects Firefox versions prior to 118, Firefox ESR versions before 115.3, and Thunderbird versions before 115.3. This security flaw specifically impacts Firefox running on Windows systems when used in non-standard configurations, such as when using the 'runas' command (Mozilla Advisory, NVD).

The vulnerability occurs in BrokerServicesBase::SpawnTarget() when Windows fails to duplicate a handle during process creation. In this scenario, the sandbox code inadvertently frees a pointer twice, resulting in a use-after-free condition. The issue specifically arises in the non-job path of the code execution, where if AddTargetPeerInternal() fails due to a DuplicateHandle() error, it leads to a double-delete of the target pointer. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability could result in a potentially exploitable crash when triggered. While the impact is rated as 'moderate' by Mozilla, the CVSS score suggests potential for high impact on affected systems. The bug specifically affects Firefox on Windows when run in non-standard configurations, while other operating systems remain unaffected (Mozilla Advisory).

The vulnerability has been fixed in Firefox 118, Firefox ESR 115.3, and Thunderbird 115.3. Users are advised to update to these or later versions to mitigate the risk. The fix involves ensuring proper termination of the child process when SpawnTarget fails and there is no job, rather than using SpawnCleanup (Mozilla Advisory).