CVE-2023-37577

2024-01-0815:15:18

Debian Security Bug Tracker

security-tracker.debian.org

vulnerabilities

use-after-free

gtkwave

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

7.7

Confidence

Low

EPSS

0.001

Percentile

23.1%

JSON

Multiple use-after-free vulnerabilities exist in the VCD get_vartoken realloc functionality of GTKWave 3.3.115. A specially crafted .vcd file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities.This vulnerability concerns the use-after-free when triggered via the vcd2lxt2 conversion utility.

OSVersionArchitecturePackageVersionFilename
Debian12allgtkwave< 3.3.118-0.1~deb12u1gtkwave_3.3.118-0.1~deb12u1_all.deb
Debian11allgtkwave< 3.3.104+really3.3.118-0+deb11u1gtkwave_3.3.104+really3.3.118-0+deb11u1_all.deb
Debian999allgtkwave< 3.3.118-0.1gtkwave_3.3.118-0.1_all.deb
Debian13allgtkwave< 3.3.118-0.1gtkwave_3.3.118-0.1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	gtkwave	< 3.3.118-0.1~deb12u1	gtkwave_3.3.118-0.1~deb12u1_all.deb
Debian	11	all	gtkwave	< 3.3.104+really3.3.118-0+deb11u1	gtkwave_3.3.104+really3.3.118-0+deb11u1_all.deb
Debian	999	all	gtkwave	< 3.3.118-0.1	gtkwave_3.3.118-0.1_all.deb
Debian	13	all	gtkwave	< 3.3.118-0.1	gtkwave_3.3.118-0.1_all.deb