CVE-2023-35963: 
NixOS vulnerability analysis and mitigation

Multiple OS command injection vulnerabilities exist in the decompression functionality of GTKWave 3.3.115. A specially crafted wave file can lead to arbitrary command execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability specifically concerns decompression in the vcd2lxt2 utility (Talos, NVD).

The vulnerability exists in the vcd2lxt2 vcd_main decompression functionality. When vcd2lxt2 opens a file, it calls vcd_main() in vcd2lxt2.c to parse the input file. If the input file name ends with .gz, a command is built by concatenating the WAVE_DECOMPRESSOR string to the input file name and passed to popen, which executes the string as a shell command. As the filename is not sanitized and popen is used, this leads to a command injection via the input file name. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 HIGH (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) (Talos).

If exploited, this vulnerability allows arbitrary command execution on the target system. The attacker can achieve this by crafting a malicious wave file that, when opened by a victim, would trigger the command injection vulnerability (Talos).

The vulnerability has been fixed in GTKWave version 3.3.118. Users are advised to upgrade to this version or later. The fix is available from the official source at https://sourceforge.net/projects/gtkwave/files/gtkwave-3.3.118/. Debian has also released security updates for affected versions in their distributions (Talos, Debian Security).