CVE-2023-35964: 
NixOS vulnerability analysis and mitigation

CVE-2023-35964 is a command injection vulnerability discovered in the decompression functionality of GTKWave version 3.3.115. The vulnerability specifically affects the vcd2lxt utility when processing compressed wave files. This security flaw was identified and reported by Claudio Bozzato of Cisco Talos, with the public disclosure occurring on January 8, 2024 (Talos Report).

The vulnerability exists in the vcd_main() function of the vcd2lxt utility. When processing files with a .gz extension, the code concatenates the WAVE_DECOMPRESSOR string with the input filename without proper sanitization and passes it to popen(), which executes the resulting string as a shell command. This implementation leads to OS command injection possibilities through specially crafted filenames. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (Talos Report).

If successfully exploited, this vulnerability allows an attacker to execute arbitrary commands on the target system with the privileges of the user running GTKWave. The attack requires user interaction, as the victim needs to open a maliciously crafted wave file to trigger the vulnerability (Talos Report).

The vulnerability has been fixed in GTKWave version 3.3.118. Users are advised to upgrade to this or a later version. The fix has been incorporated into various Linux distributions, including Debian which has released security updates for affected versions (Debian LTS).