CVE-2023-35960: 
NixOS vulnerability analysis and mitigation

Multiple OS command injection vulnerabilities exist in the decompression functionality of GTKWave 3.3.115. A specially crafted wave file can lead to arbitrary command execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability specifically concerns legacy decompression in vcd_main. The issue was discovered by Claudio Bozzato of Cisco Talos and was fixed in version 3.3.118 (Talos Report).

The vulnerability exists in the decompression functionality when GTKWave opens VCD files in legacy mode. Inside vcd_main(), if the input file name ends with .gz or .zip, a command is built by concatenating the WAVE_DECOMPRESSOR string to the input file name and passed to popen, which executes the string as a shell command. As the filename is not sanitized and popen is used, this leads to a command injection via the input file name. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.8 HIGH (Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) (Talos Report).

The vulnerability allows arbitrary command execution through specially crafted wave files. An attacker could exploit this by creating a malicious file that, when opened by a victim, would execute arbitrary commands on the system. GTKWave sets up mime types for its supported extensions, making it possible for a victim to trigger the vulnerability by simply double-clicking on a wave file received by email (Talos Report).

The vulnerability has been fixed in GTKWave version 3.3.118, which is available from https://sourceforge.net/projects/gtkwave/files/gtkwave-3.3.118/. Users are advised to upgrade to this version or later to mitigate the vulnerability (Talos Report).