CVE-2023-35704: 
NixOS vulnerability analysis and mitigation

Multiple stack-based buffer overflow vulnerabilities exist in the FST LEB128 varint functionality of GTKWave 3.3.115. A specially crafted .fst file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability specifically concerns the fstReaderVarint32WithSkip function (Talos Report, NVD).

The vulnerability exists in the fstReaderVarint32WithSkip function where a 5-byte buffer is allocated on the stack, and a do-while loop reads each byte from the input file and stores it in the buffer. The loop's stop condition is controlled by the MSB of the byte read from the file, which is fully under attacker control. This design flaw allows an attacker to write beyond the bounds of the stack variable buffer, potentially leading to arbitrary code execution. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.8 (HIGH) with the vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (Talos Report).

If successfully exploited, this vulnerability can lead to arbitrary code execution on the target system. The vulnerability requires user interaction, specifically opening a malicious .fst file. GTKWave sets up mime types for its supported extensions, meaning that simply double-clicking on a wave file received by email could trigger the vulnerability (Talos Report).

The vulnerability has been fixed in GTKWave version 3.3.118. Users are advised to upgrade to this version or later. The fix has been incorporated into various Linux distributions, including Debian 10 (buster) as version 3.3.98+really3.3.118-0+deb10u1 (Debian LTS).