CVE-2023-36915: 
NixOS vulnerability analysis and mitigation

Multiple integer overflow vulnerabilities exist in the FST fstReaderIterBlocks2 chain_table allocation functionality of GTKWave 3.3.115. A specially crafted .fst file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. The vulnerability was discovered in July 2023 and publicly disclosed on January 8, 2024 (Talos).

The vulnerability exists in the allocation of the chain_table array in the fstReaderIterBlocks2 function. The issue occurs when processing the vc_maxhandle value, which can be controlled by an attacker. By manipulating this value, an attacker can cause an integer overflow in the calculation of buffer sizes for calloc, potentially leading to the allocation of a very small buffer while writing a larger amount of data. The vulnerability has a CVSS v3.1 Base Score of 7.8 HIGH (Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) (NVD, Talos).

The vulnerability can lead to arbitrary code execution on the targeted system. An attacker can exploit this to write out-of-bounds data in the heap with arbitrary contents, potentially leading to complete system compromise (Talos).

The vulnerability has been fixed in GTKWave version 3.3.118. Users are advised to upgrade to this version or later. The fix was released on December 31, 2023 (Talos, Debian LTS).