CVE-2023-38653: 
NixOS vulnerability analysis and mitigation

Multiple integer overflow vulnerabilities exist in the VZT vzt_rd_block_vch_decode dict parsing functionality of GTKWave 3.3.115. A specially crafted .vzt file can lead to memory corruption. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability specifically concerns the integer overflow when num_time_ticks is zero (Talos).

The vulnerability exists in the VZT vzt_rd_block_vch_decode dict parsing functionality. When processing .vzt files, the function vzt_rd_init_smp is called to initialize and parse the file structure. The vulnerability occurs during the parsing of compressed block contents, specifically in the calculation of buffer sizes using num_sections and num_dict_entries variables. An integer overflow in these calculations can lead to an overly small allocation of the change_dict buffer, resulting in an out-of-bounds write in heap memory. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 HIGH (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) by NIST NVD (NVD).

The vulnerability can lead to memory corruption when processing specially crafted .vzt files. Due to the multi-threaded nature of GTKWave and the decompression code, writing out-of-bounds in the decompression thread may corrupt memory in nearby threads, potentially leading to arbitrary code execution (Talos).

The vulnerability has been fixed in GTKWave version 3.3.118. Users are recommended to upgrade to this version or later. The fix has been included in various distribution updates, including Debian 10 (buster) version 3.3.98+really3.3.118-0+deb10u1 (Debian LTS).