CVE-2023-35997: 
NixOS vulnerability analysis and mitigation

Multiple improper array index validation vulnerabilities exist in the fstReaderIterBlocks2 tdelta functionality of GTKWave 3.3.115. A specially crafted .fst file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability specifically concerns the tdelta indexing when signal_lens is 2 or more (Talos).

The vulnerability exists in the fstReaderIterBlocks2 function where tdelta is used to index into the tc_head array without proper bounds checking. When signal_lens for the current index is 2 or larger, the code reads a varint from the input file and uses it to calculate tdelta, which is then used as an offset into tc_head array without validation. This can lead to out-of-bounds write on the heap. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.8 HIGH (Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) (Talos).

The vulnerability can lead to arbitrary code execution when a victim opens a specially crafted malicious .fst file. The attack requires local access and user interaction, but does not require privileges. Due to GTKWave's file association settings, simply double-clicking on a wave file received by email is sufficient to trigger the vulnerability (Talos).

The vulnerability has been fixed in GTKWave version 3.3.118. Users should upgrade to this version or later. The fix has been backported to various Linux distributions including Debian 10 (buster) as version 3.3.98+really3.3.118-0+deb10u1 (Debian LTS).