CVE-2023-37447: 
NixOS vulnerability analysis and mitigation

Multiple out-of-bounds read vulnerabilities exist in the VCD var definition section functionality of GTKWave 3.3.115. The vulnerability, identified as CVE-2023-37447, was discovered by Claudio Bozzato of Cisco Talos and publicly disclosed on January 8, 2024. A specially crafted .vcd file can lead to arbitrary code execution when triggered via the vcd2lxt conversion utility. The vulnerability specifically affects the GTKWave software, which is a wave viewer used for analyzing FPGA simulations and logic analyzer captures (Talos).

The vulnerability is classified as an out-of-bounds write vulnerability with a CVSS v3.1 Base Score of 7.8 (HIGH) and vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The issue occurs in the VCD parsing code of the vcd2lxt conversion utility. The vulnerability stems from the software allowing '$var' definitions to occur after '$enddefinitions', which can lead to an out-of-bounds read that can be exploited into an out-of-bounds write (NVD, Talos).

If successfully exploited, this vulnerability could allow an attacker to execute arbitrary code on the targeted system. The vulnerability requires user interaction, as a victim would need to open a malicious file to trigger these vulnerabilities (NVD).

The vulnerability has been fixed in GTKWave version 3.3.118. Users are recommended to upgrade to this version or later. The fix has been included in various distribution updates, including Debian 10 (buster) version 3.3.98+really3.3.118-0+deb10u1 (Debian LTS).