CVE-2023-35956: 
NixOS vulnerability analysis and mitigation

Multiple heap-based buffer overflow vulnerabilities exist in the fstReaderIterBlocks2 VCDATA parsing functionality of GTKWave 3.3.115. A specially-crafted .fst file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability specifically concerns the decompression function fastlz_decompress (Talos Report, NVD).

The vulnerability has been assigned a CVSS v3.1 Base Score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The issue resides in the parsing of VCDATA blocks within the fstReaderIterBlocks2 function, where a heap-based buffer overflow can occur during the decompression of specially crafted .fst files. The vulnerability is classified as CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) (Talos Report, NVD).

The vulnerability allows an attacker to achieve arbitrary code execution on the target system. Since GTKWave sets up mime types for its supported extensions, simply double-clicking on a malicious wave file received by email is sufficient to trigger the vulnerability (Talos Report).

The vulnerability has been fixed in GTKWave version 3.3.118. Users are advised to upgrade to this version or later. Multiple Linux distributions have also released security updates to address this vulnerability, including Debian which has released updates for both its stable and LTS versions (Debian LTS).