CVE-2023-37417: 
NixOS vulnerability analysis and mitigation

Multiple out-of-bounds write vulnerabilities exist in the VCD parse_valuechange portdump functionality of GTKWave 3.3.115. This vulnerability specifically concerns the out-of-bounds write when triggered via the GUI's interactive VCD parsing code. A specially crafted .vcd file can lead to arbitrary code execution, where a victim would need to open a malicious file to trigger these vulnerabilities (NVD, Talos).

The vulnerability exists in GTKWave's VCD parsing functionality, specifically in the GUI's interactive parsing code. The issue arises from an incorrect buffer size check that allows a NULL byte out-of-bounds write in the heap. The vulnerability has been assigned a CVSS 3.1 Base Score of 7.8 HIGH with the vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-787 (Out-of-bounds Write) (Talos, NVD).

The successful exploitation of this vulnerability could lead to arbitrary code execution on the targeted system. This means an attacker could potentially execute malicious code with the privileges of the user running GTKWave (Talos).

The vulnerability has been fixed in GTKWave version 3.3.118. Users are recommended to upgrade to this version or later to mitigate the vulnerability (Debian LTS).