CVE-2023-35969: 
NixOS vulnerability analysis and mitigation

Multiple heap-based buffer overflow vulnerabilities exist in the fstReaderIterBlocks2 chain_table parsing functionality of GTKWave 3.3.115. A specially crafted .fst file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the chain_table of FST_BL_VCDATA and FST_BL_VCDATA_DYN_ALIAS section types (Talos Report).

The vulnerability exists in the fstReaderIterBlocks2 function where the chain_table buffer size is controlled by vc_maxhandle without proper bounds checking. The loop in the function writes out-of-bounds on the heap, which can lead to arbitrary code execution. The issue affects both legacy and FST_BL_VCDATA_DYN_ALIAS2 formats, with the main difference being that a 64-bit varint is read in the latter case versus a 32-bit varint in the legacy format. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.8 HIGH (Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) (Talos Report).

The vulnerability allows an attacker to achieve arbitrary code execution through a specially crafted .fst file. Since GTKWave sets up mime types for its supported extensions, simply double-clicking on a malicious wave file received by email is sufficient to trigger the vulnerability (Talos Report).

The vulnerability has been fixed in GTKWave version 3.3.118. Users are advised to upgrade to this version or later (Talos Report).