CVE-2023-34436: 
NixOS vulnerability analysis and mitigation

An out-of-bounds write vulnerability exists in the LXT2 num_time_table_entries functionality of GTKWave 3.3.115. The vulnerability, identified as CVE-2023-34436, was discovered by Claudio Bozzato of Cisco Talos and publicly disclosed on January 8, 2024. The vulnerability affects GTKWave version 3.3.115, a wave viewer commonly used to analyze FPGA simulations and logic analyzer captures (Talos Intelligence).

The vulnerability is caused by an out-of-bounds write in the LXT2 num_time_table_entries functionality. The issue occurs when processing a specially crafted .lxt2 file where num_time_table_entries is extracted as a byte value (0-255), but the time_table array in the lxt2_rd_trace structure is fixed at 64 elements (LXT2_RD_GRANULE_SIZE). Since there are no checks restricting the write to time_table within its bounds, this can lead to heap buffer overflow. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High) with vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (Talos Intelligence).

If successfully exploited, this vulnerability can lead to arbitrary code execution. The attack requires user interaction, as a victim would need to open a malicious .lxt2 file to trigger the vulnerability. GTKWave sets up mime types for its supported extensions, meaning that simply double-clicking on a wave file received by email could cause the gtkwave program to execute and load a potentially malicious file (Talos Intelligence).

The vulnerability has been fixed in GTKWave version 3.3.118. Users are advised to upgrade to this or later versions. The fix has been incorporated into various Linux distributions, including Debian which has released security updates for multiple versions: DLA-3785-1 for Debian 10 (buster), DSA-5653-1 for Debian 11 (bullseye) and Debian 12 (bookworm) (Debian Security, Debian LTS).