CVE-2023-37416: 
NixOS vulnerability analysis and mitigation

Multiple out-of-bounds write vulnerabilities exist in the VCD parse_valuechange portdump functionality of GTKWave 3.3.115. The vulnerability (CVE-2023-37416) specifically concerns the out-of-bounds write when triggered via the GUI's legacy VCD parsing code. A specially crafted .vcd file can lead to arbitrary code execution, requiring a victim to open a malicious file to trigger these vulnerabilities (Talos Report).

The vulnerability exists in GTKWave's VCD parsing functionality, specifically in the GUI's legacy VCD parsing code. The issue arises from an incorrect buffer size check that allows a NULL byte out-of-bounds write in the heap. The vulnerability has a CVSS 3.1 Base Score of 7.8 HIGH with a vector of CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-787 (Out-of-bounds Write) (Talos Report, NVD).

If successfully exploited, this vulnerability could lead to arbitrary code execution on the targeted system. The vulnerability requires user interaction, as the victim needs to open a specially crafted malicious .vcd file (Talos Report).

The vulnerability has been fixed in GTKWave version 3.3.118. Various Linux distributions have released security updates to address this vulnerability, including Debian which has released patches for multiple versions: version 3.3.104+really3.3.118-0+deb11u1 for bullseye and version 3.3.118-0.1~deb12u1 for bookworm (Debian Security, Debian LTS).