CVE-2023-36861: 
NixOS vulnerability analysis and mitigation

An out-of-bounds write vulnerability (CVE-2023-36861) was discovered in GTKWave version 3.3.115, specifically affecting the VZT LZMA_read_varint functionality. The vulnerability was discovered by Claudio Bozzato of Cisco Talos and publicly disclosed on January 8, 2024. GTKWave, a wave viewer commonly used for analyzing FPGA simulations and logic analyzer captures, is affected across its Linux, Windows, and MacOS implementations (Talos Report).

The vulnerability exists in the LZMA_read_varint function where a fixed-size buffer of 16 bytes is allocated on the stack. The function contains a loop that extracts one byte from the file and continues until it encounters a character with the MSB set to 1. Due to the absence of bounds checking, this loop can write beyond the buffer's limits, resulting in a stack buffer overflow. The issue affects both the vzt2vcd file conversion utility and the GUI portion of GTKWave. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (Talos Report).

If successfully exploited, this vulnerability can lead to arbitrary code execution on the target system. The vulnerability is particularly concerning as GTKWave automatically associates with supported file extensions, meaning that simply double-clicking a malicious wave file received via email could trigger the execution of malicious code (Talos Report).

The vulnerability has been fixed in GTKWave version 3.3.118, which was released on December 31, 2023. Users are strongly advised to upgrade to this or later versions. The fix is available from the official GTKWave repository (Talos Report). Various Linux distributions have also released security updates to address this vulnerability, including Debian which has patched multiple versions (Debian LTS).