CVE-2023-35970: 
NixOS vulnerability analysis and mitigation

Multiple heap-based buffer overflow vulnerabilities exist in the fstReaderIterBlocks2 chain_table parsing functionality of GTKWave 3.3.115. A specially crafted .fst file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability specifically concerns the chain_table of the FST_BL_VCDATA_DYN_ALIAS2 section type (Talos).

The vulnerability exists in the chain_table parsing functionality where there are no checks to ensure that the idx variable stays within the bounds of chain_table buffer in the loop. The chain_table size is controlled by vc_maxhandle, and the lack of bounds checking allows writing out-of-bounds in the heap. The issue affects the FST_BL_VCDATA_DYN_ALIAS2 section type, where a 64-bit varint is read instead of a 32-bit varint in the legacy format. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.8 HIGH (Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) (Talos).

The vulnerability can lead to arbitrary code execution when a specially crafted .fst file is opened. Since GTKWave sets up mime types for its supported extensions, simply double-clicking on a malicious wave file received by email is sufficient to trigger the vulnerability (Talos).

The vulnerability has been fixed in GTKWave version 3.3.118. Users are recommended to upgrade to this version or later. Multiple distributions have also released security updates, including Debian which has patched the vulnerability in version 3.3.104+really3.3.118-0+deb11u1 for bullseye and 3.3.118-0.1~deb12u1 for bookworm (Debian Security).