CVE-2023-38622: 
NixOS vulnerability analysis and mitigation

Multiple integer overflow vulnerabilities exist in the VZT facgeometry parsing functionality of GTKWave 3.3.115. The vulnerability specifically concerns the integer overflow when allocating the len array. A victim would need to open a malicious .vzt file to trigger these vulnerabilities (Talos).

The vulnerability is tracked as CVE-2023-38622 and has been assigned a CVSS v3.1 Base Score of 7.8 (HIGH) with vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The issue occurs in the VZT facgeometry parsing functionality where the size of the buffers is calculated by multiplying numfacs by 4. When numfacs is bigger than 0x40000000, this multiplication will wrap-around in 32-bit mode, leading to calling malloc with a smaller size. The vulnerability is classified as CWE-190: Integer Overflow or Wraparound (Talos).

The vulnerability can lead to arbitrary code execution. After the buffer allocation with the wrapped-around size, there's a loop over numfacs which writes to all allocated buffers, leading to multiple out-of-bounds writes on heap. By carefully manipulating heap allocations, these out-of-bounds writes can be used to overwrite pointers inside lt, which can in turn be used to write to arbitrary locations (Talos).

The vulnerability has been fixed in GTKWave version 3.3.118. Users are recommended to upgrade to this version or later. The fix has been included in various distribution updates including Debian 10 (buster) version 3.3.98+really3.3.118-0+deb10u1 (Debian LTS).