
Cloud Vulnerability DB
A community-led vulnerabilities database
An integer overflow vulnerability (CVE-2023-35057) was discovered in GTKWave version 3.3.115, specifically affecting the LXT2 lxt2_rd_trace value elements allocation functionality. The vulnerability was discovered by Claudio Bozzato of Cisco Talos and publicly disclosed on January 8, 2024. GTKWave, a wave viewer used for analyzing FPGA simulations and logic analyzer captures, is affected when processing specially crafted .lxt2 files (Talos Report).
The vulnerability exists in the LXT2 file parsing functionality within lxt2_read.c. When processing LXT2 files, an integer overflow can occur during the allocation of value elements. The issue arises when lt->len[i] is set to 0xffffffff: the size computation for the allocation then overflows, and calloc(0, 1) is called. This can be triggered by setting msb to 0x80000000 and lsb to 0x7ffffffe. The vulnerability has been assigned a CVSS v3.1 score of 7.8 (High) with vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H and is classified as CWE-190 (Integer Overflow or Wraparound) (Talos Report).
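The arithmetic described above, as an added example that is not GTKWave's code: it models the 32-bit wraparound for the msb/lsb values quoted and shows a bounds-checked allocation beside it. The function names, the MAX_SIGNAL_BITS limit, and the assumption that the length is the inclusive msb/lsb span with one extra element allocated are illustrative.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical policy limit on signal width; not a GTKWave constant. */
#define MAX_SIGNAL_BITS (1u << 20)

/* Assumed model: width is the inclusive span between msb and lsb,
   computed in 32-bit arithmetic, so it can wrap. */
static uint32_t span_len32(int32_t msb, int32_t lsb)
{
    uint32_t m = (uint32_t)msb, l = (uint32_t)lsb;
    return (msb > lsb) ? (m - l + 1u) : (l - m + 1u);
}

/* Unchecked element count: len + 1 wraps to 0 when len == 0xffffffff,
   which is how a calloc(0, 1) request can arise. */
static uint32_t unchecked_alloc_count(uint32_t len)
{
    return len + 1u;
}

/* Hardened form: do the span in 64 bits and reject oversized widths
   before any allocation happens. Returns NULL on rejection. */
static char *alloc_value_checked(int32_t msb, int32_t lsb, uint32_t *len_out)
{
    int64_t span = (int64_t)msb - (int64_t)lsb;
    if (span < 0)
        span = -span;
    span += 1;                        /* inclusive range */
    if (span > (int64_t)MAX_SIGNAL_BITS)
        return NULL;                  /* malformed or hostile header */
    *len_out = (uint32_t)span;
    return calloc((size_t)span + 1, sizeof(char));
}

int main(void)
{
    /* Constructed input: the msb/lsb pair quoted in the advisory. */
    int32_t msb = INT32_MIN, lsb = 0x7ffffffe;
    uint32_t len = span_len32(msb, lsb), n = 0;

    printf("len=0x%08x unchecked count=%u\n", len, unchecked_alloc_count(len));
    char *p = alloc_value_checked(msb, lsb, &n);
    printf("checked allocation: %s\n", p ? "accepted" : "rejected");
    free(p);
    return 0;
}
```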
The vulnerability can lead to memory corruption when processing maliciously crafted .lxt2 files. Due to GTKWave's multi-threaded nature, an attacker could potentially execute arbitrary code. The vulnerability is particularly concerning as GTKWave sets up mime types for its supported extensions, meaning a victim only needs to double-click on a malicious wave file received by email to trigger the vulnerability (Talos Report).
The vulnerability has been fixed in GTKWave version 3.3.118. Users are advised to upgrade to this version or later. The fix was released on December 31, 2023, and is available from the official GTKWave SourceForge repository (Talos Report, Debian LTS).
Source: This report was generated using AI