CVE-2023-32650
NixOS vulnerability analysis and mitigation

Overview

An integer overflow vulnerability (CVE-2023-32650) was discovered in GTKWave version 3.3.115 when compiled as a 32-bit binary. The vulnerability specifically affects the FSTBLGEOM parsing maxhandle functionality. The issue was discovered by Claudio Bozzato of Cisco Talos and was publicly disclosed on January 8, 2024 (Talos Report).

Technical details

The flaw is in the FSTBLGEOM parsing maxhandle functionality, where the size computed for a memory allocation can overflow. When processing a specially crafted .fst file, the multiplication of xc->maxhandle by 4 in 32-bit mode can wrap around, leading to a malloc(0) call or an allocation that is too small for the data written into it. Subsequent writes then land out of bounds on the heap. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 HIGH (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) by NIST NVD (NVD).
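The wraparound described above, next to a checked size computation, as an added example that is not GTKWave's code. `uint32_t` stands in for a 32-bit `size_t` so the arithmetic behaves the same on a 64-bit host; the function names are hypothetical and the `maxhandle` values are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Unchecked pattern: byte count for a table of maxhandle 4-byte entries.
 * The product is reduced modulo 2^32, as it would be with a 32-bit size_t. */
uint32_t unchecked_alloc_size(uint32_t maxhandle)
{
    return (uint32_t)(maxhandle * 4u);
}

/* Checked pattern: refuse any count whose byte size does not fit in 32 bits.
 * Rejecting a zero count is a policy assumed for this example; it keeps
 * malloc(0) from ever being reached. Returns 0 on success, -1 on rejection. */
int checked_alloc_size(uint32_t maxhandle, uint32_t elem, uint32_t *out)
{
    if (elem == 0 || maxhandle == 0 || maxhandle > UINT32_MAX / elem)
        return -1;
    *out = maxhandle * elem;
    return 0;
}

/* Allocate the table only when the size check passes; NULL means the
 * file-supplied count was rejected (or the allocation itself failed). */
uint32_t *alloc_handle_table(uint32_t maxhandle)
{
    uint32_t bytes;
    if (checked_alloc_size(maxhandle, (uint32_t)sizeof(uint32_t), &bytes) != 0)
        return NULL;
    return calloc(maxhandle, sizeof(uint32_t));
}

int main(void)
{
    /* Constructed counts: two that wrap in 32 bits and one ordinary value. */
    const uint32_t samples[] = { 0x40000000u, 0x40000001u, 1000u };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uint32_t bytes = 0;
        int rc = checked_alloc_size(samples[i], 4u, &bytes);
        printf("maxhandle=0x%08x unchecked=%u bytes, checked=%s\n",
               (unsigned)samples[i],
               (unsigned)unchecked_alloc_size(samples[i]),
               rc == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

A count of 0x40000000 yields a zero-byte request and 0x40000001 yields a four-byte request, which correspond to the malloc(0) and undersized-allocation cases in the paragraph above.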

Impact

If successfully exploited, this vulnerability can lead to memory corruption when processing a malicious .fst file. Due to the multi-threaded nature of GTKWave, an attacker could potentially leverage this issue to execute arbitrary code. The vulnerability requires user interaction as the victim needs to open a malicious file to trigger the exploit (Talos Report).

Mitigation and workarounds

The vulnerability has been fixed in GTKWave version 3.3.118. Users are advised to upgrade to this or later versions. The fix has been incorporated into various distribution releases, including Debian 10 (buster) version 3.3.98+really3.3.118-0+deb10u1 (Debian LTS).

This report was generated using AI.
