CVE-2023-37419: 
NixOS vulnerability analysis and mitigation

Multiple out-of-bounds write vulnerabilities exist in the VCD parse_valuechange portdump functionality of GTKWave 3.3.115. The vulnerability (CVE-2023-37419) specifically concerns the out-of-bounds write when triggered via the vcd2lxt2 conversion utility. A specially crafted .vcd file can lead to arbitrary code execution, requiring a victim to open a malicious file to trigger these vulnerabilities (Talos Report, NVD).

The vulnerability exists in the vcd2lxt2 conversion utility's parse_valuechange function. The issue occurs due to an incorrect buffer size check when copying data. The code only reallocates if vector has a size smaller than vsize, whereas it should check for yylen_cache <= v->size. This allows the strcpy operation to write one NULL byte out-of-bounds in the heap. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.8 HIGH with vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (Talos Report).

The vulnerability can lead to arbitrary code execution on the targeted system through careful heap manipulation. Since the vulnerability allows for an out-of-bounds write in the heap, an attacker can potentially control program execution by corrupting heap metadata or other sensitive data structures (Talos Report).

The vulnerability has been fixed in GTKWave version 3.3.118. Users are advised to upgrade to this version or later. Multiple distributions have released security updates, including Debian which has released fixes in version 3.3.104+really3.3.118-0+deb11u1 for bullseye and 3.3.118-0.1~deb12u1 for bookworm (Debian Advisory, DSA-5653-1).