CVE-2023-34087: 
NixOS vulnerability analysis and mitigation

An improper array index validation vulnerability exists in the EVCD var len parsing functionality of GTKWave 3.3.115. The vulnerability, identified as CVE-2023-34087, was discovered by Claudio Bozzato of Cisco Talos and publicly disclosed on January 8, 2024. The vulnerability affects GTKWave version 3.3.115, a wave viewer commonly used to analyze FPGA simulations and logic analyzer captures (Talos).

The vulnerability exists in the evcd_main function used to parse .evcd files when using the evcd2vcd utility. The issue stems from improper validation of array indices when processing the var len parsing functionality. When a specially crafted .evcd file is processed, the value of node->val2.i is arbitrarily set from the file and used to index the bin_fixbuff array, leading to a potential out-of-bounds write. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High) with the vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (Talos).

If successfully exploited, this vulnerability can lead to arbitrary code execution on the target system. The vulnerability allows an attacker to corrupt memory through multiple write operations, potentially leading to code execution with the privileges of the user running the GTKWave application (Talos).

The vulnerability has been fixed in GTKWave version 3.3.118. Users are advised to upgrade to this or later versions. The fix is available from the official GTKWave source repository. Multiple Linux distributions have also released security updates to address this vulnerability, including Debian which has released fixes for multiple versions (Talos, Debian LTS).