CVE-2023-38650: 
NixOS vulnerability analysis and mitigation

Multiple integer overflow vulnerabilities exist in the VZT vzt_rd_block_vch_decode times parsing functionality of GTKWave 3.3.115. The vulnerability specifically concerns integer overflow when num_time_ticks is not zero. A victim would need to open a malicious .vzt file to trigger these vulnerabilities (Talos Report, NVD).

The vulnerability exists in the VZT vzt_rd_block_vch_decode times parsing functionality. When num_time_ticks is not zero, its value is used to allocate the times array, as it represents the number of time values expected in the block. The size calculation for this allocation can overflow in 32-bit mode with any number of num_time_ticks >= 0x20000000. The vulnerability has a CVSS v3.1 Base Score of 7.8 HIGH (Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) according to NVD, while Talos rates it at 7.0 HIGH (Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H) (Talos Report, NVD).

The vulnerability can lead to memory corruption when a specially crafted .vzt file is processed. As the decompression code can run in threads, and GTKWave itself is a multi-threaded application, writing out-of-bounds in the decompression thread may lead to corrupting a thread nearby, potentially resulting in arbitrary code execution (Talos Report).

The vulnerability has been fixed in GTKWave version 3.3.118. Users are recommended to upgrade to this version or later. The fix has been included in various distribution updates, including Debian 10 (buster) version 3.3.98+really3.3.118-0+deb10u1 (Debian LTS).