CVE-2023-36746: 
NixOS vulnerability analysis and mitigation

Multiple heap-based buffer overflow vulnerabilities exist in the fstReaderIterBlocks2 fstWritex len functionality of GTKWave 3.3.115. A specially crafted .fst file can lead to memory corruption. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability specifically concerns the handling of len in fstWritex when parsing the time table (Talos Report).

The vulnerability is classified as a heap-based buffer overflow with a CVSS v3.1 Base Score of 7.8 HIGH (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) according to NIST, while Talos rates it at 7.0 HIGH (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H). The issue is categorized under CWE-787 (Out-of-bounds Write) by NIST and CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) by Talos (NVD).

The vulnerability can lead to memory corruption when processing specially crafted .fst files. Due to GTKWave's mime type associations, simply double-clicking on a malicious wave file received by email is sufficient to trigger the vulnerability. The multi-threaded nature of GTKWave means that an attacker may potentially execute arbitrary code through this vulnerability (Talos Report).

The vulnerability has been fixed in GTKWave version 3.3.118. Users are recommended to upgrade to this version or later. The fix has been incorporated into various Linux distributions, including Debian 10 (buster) as version 3.3.98+really3.3.118-0+deb10u1 (Debian LTS).