CVE-2023-38657: 
NixOS vulnerability analysis and mitigation

An out-of-bounds write vulnerability exists in the LXT2 zlib block decompression functionality of GTKWave 3.3.115. A specially crafted .lxt2 file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger this vulnerability. The vulnerability was discovered by Claudio Bozzato of Cisco Talos and was assigned CVE-2023-38657 (Talos Report).

The vulnerability exists in the LXT2 zlib block decompression functionality where the pnt buffer is allocated using b->uncompressed_siz, which is never checked to be equal to unclen. This allows a smaller b->uncompressed_siz value to be specified while unclen can reflect the actual size of the decompressed buffer. The vulnerability allows a large amount of data to decompress in a small pnt buffer, which results in writing out-of-bounds in the heap. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.8 HIGH with vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (Talos Report).

The vulnerability can lead to arbitrary code execution when a victim opens a malicious .lxt2 file. GTKWave sets up mime types for its supported extensions, meaning that simply double-clicking on a wave file received by email is sufficient to trigger the vulnerability (Talos Report).

The vulnerability has been fixed in GTKWave version 3.3.118. Users are advised to upgrade to this version or later. The fix is available from the official GTKWave source (Talos Report).

Multiple Linux distributions have released security updates to address this vulnerability, including Debian which has released security updates DLA-3785-1 and DSA-5653-1 (Debian Advisory).