CVE-2023-35955: 
NixOS vulnerability analysis and mitigation

Multiple heap-based buffer overflow vulnerabilities exist in the fstReaderIterBlocks2 VCDATA parsing functionality of GTKWave 3.3.115. A specially-crafted .fst file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability specifically concerns the decompression function LZ4_decompress_safe_partial (Talos).

The vulnerability exists in the parsing of .fst files, specifically in the VCDATA section handling. When processing FST_BL_VCDATA blocks, the code uses a chain_table to extract offsets and lengths for each VC element. The vulnerability allows for semi-arbitrary offsets and lengths by controlling chain_cmem, which can lead to heap-based buffer overflow conditions. The issue has been assigned a CVSS v3.1 Base Score of 7.8 (High) with vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD, Talos).

The vulnerability can lead to arbitrary code execution when a victim opens a malicious .fst file. GTKWave sets up mime types for its supported extensions, meaning that simply double-clicking on a wave file received by email is sufficient to trigger the vulnerability (Talos).

The vulnerability has been fixed in GTKWave version 3.3.118. Users are advised to upgrade to this version or later. The fix is available from the official GTKWave repository (Talos). Debian has also released security updates for affected versions in their distributions (Debian LTS).