CVE-2023-35004: 
NixOS vulnerability analysis and mitigation

An integer overflow vulnerability exists in the VZT longest_len value allocation functionality of GTKWave 3.3.115. The vulnerability, identified as CVE-2023-35004, was discovered by Claudio Bozzato of Cisco Talos and disclosed on January 8, 2024. A specially crafted .vzt file can lead to arbitrary code execution when opened by a victim (Talos).

The vulnerability occurs in the VZT longest_len value allocation functionality where an integer overflow can lead to a buffer overflow condition. When processing a specially crafted .vzt file, the longest_len variable can be manipulated to become 0xffffffff, causing a size operation overflow and resulting in malloc(0) being called. This allocates an extremely small buffer, leading to subsequent out-of-bounds writes in the heap. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.8 HIGH (Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) (NVD, Talos).

The successful exploitation of this vulnerability could lead to arbitrary code execution on the targeted system. The vulnerability requires user interaction, specifically opening a malicious .vzt file. GTKWave sets up mime types for its supported extensions, meaning a victim only needs to double-click on a wave file received by email to trigger the exploitation (Talos).

The vulnerability has been fixed in GTKWave version 3.3.118. Users are advised to upgrade to this version or later. Multiple distributions have also released security updates to address this vulnerability, including Debian which has released updates for both Debian 10 (Buster) and Debian 11 (Bullseye) (Debian LTS).