CVE-2023-39234: 
NixOS vulnerability analysis and mitigation

Multiple out-of-bounds write vulnerabilities exist in the VZT vzt_rd_process_block autosort functionality of GTKWave 3.3.115. A specially crafted .vzt file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability specifically concerns the out-of-bounds write when looping over lt->numrealfacs (Talos).

The vulnerability exists in the VZT vzt_rd_process_block autosort functionality where the autosort array can be written out-of-bounds in the heap while looping over lt->numrealfacs. The issue stems from the change_msk calculation based on change_dict, which is arbitrarily controlled by values inside blocks. This allows controlling the i2 variable, leading to out-of-bounds writes at specific code locations. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.8 (HIGH) with vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (Talos).

If successfully exploited, this vulnerability can lead to arbitrary code execution on the target system. The attack requires user interaction, specifically opening a malicious .vzt file. GTKWave sets up mime types for its supported extensions, meaning a victim only needs to double-click on a wave file received by email to trigger the vulnerability (Talos).

The vulnerability has been fixed in GTKWave version 3.3.118. Users are advised to upgrade to this or later versions. The fix has been backported to various distributions, including Debian 10 (buster) as version 3.3.98+really3.3.118-0+deb10u1 (Debian LTS).