CVE-2023-37921: 
NixOS vulnerability analysis and mitigation

Multiple arbitrary write vulnerabilities exist in the VCD sorted bsearch functionality of GTKWave 3.3.115. The vulnerability (CVE-2023-37921) can lead to arbitrary code execution when a victim opens a specially crafted .vcd file. This vulnerability specifically concerns the arbitrary write when triggered via the vcd2vzt conversion utility (Talos).

The vulnerability has a CVSS v3.1 Base Score of 7.8 HIGH (Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). The issue occurs in the bsearch_vcd functionality where the code fails to check if the sorted buffer is initialized before calling bsearch, leading to an arbitrary read which could be turned into an arbitrary write. The vulnerability is triggered when processing VCD files and affects the vcd2vzt conversion utility (NVD, Talos).

If successfully exploited, this vulnerability could allow an attacker to execute arbitrary code on the targeted system. The vulnerability requires user interaction, as the victim needs to open a malicious file to trigger the vulnerability (Talos).

The vulnerability has been fixed in GTKWave version 3.3.118. Users are advised to upgrade to this version or later. Multiple distributions have released security updates to address this vulnerability, including Debian which has released updates for various versions (Debian LTS).