CVE-2023-35996: 
NixOS vulnerability analysis and mitigation

Multiple improper array index validation vulnerabilities exist in the fstReaderIterBlocks2 tdelta functionality of GTKWave 3.3.115. A specially crafted .fst file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability specifically concerns the tdelta indexing when signal_lens is 0 (NIST NVD, Talos Report).

The vulnerability exists in the fstReaderIterBlocks2 function where tdelta indexing is improperly validated when signal_lens is 0. The issue allows an attacker to perform out-of-bounds write operations on the heap through manipulation of the tdelta value, which is used to index into the tc_head array without proper bounds checking. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.8 (HIGH) with the vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The weakness has been classified as CWE-129 (Improper Validation of Array Index) (Talos Report).

The vulnerability can lead to arbitrary code execution when a specially crafted .fst file is opened. Since GTKWave sets up mime types for its supported extensions, simply double-clicking on a malicious wave file received by email is sufficient to trigger the vulnerability (Talos Report).

The vulnerability has been fixed in GTKWave version 3.3.118. Users are advised to upgrade to this version or later. Multiple Linux distributions have also released security updates to address this vulnerability, including Debian which has released fixes for both bullseye and bookworm distributions (Debian LTS).