CVE-2023-35959: 
NixOS vulnerability analysis and mitigation

Multiple OS command injection vulnerabilities exist in the decompression functionality of GTKWave 3.3.115. A specially crafted wave file can lead to arbitrary command execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability specifically concerns .ghw decompression (Talos).

The vulnerability exists in the decompression functionality when GTKWave opens a file with .ghw, .ghw.gz or .ghw.bz2 extensions. When processing these files, the application calls ghw_main() which in turn calls ghw_open(). If the file starts with a gzip or bzip2 magic header, ghw_openz() is called, passing the filename as an argument. The function concatenates the decompression command with the input file name and passes it to popen, which executes it as a shell command. As the filename is not sanitized and popen is used, this leads to a command injection via the input file name. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 HIGH (Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) (Talos).

If exploited, this vulnerability allows arbitrary command execution on the target system. The attacker would need to craft a malicious wave file and have the victim open it. Since GTKWave sets up mime types for its supported extensions, simply double-clicking on a wave file received by email is sufficient to trigger the vulnerability (Talos).

The vulnerability has been fixed in GTKWave version 3.3.118. Users are advised to upgrade to this version or later. The fixed version is available from the official source (Talos, Debian LTS).