CVE-2023-39235: 
NixOS vulnerability analysis and mitigation

Multiple out-of-bounds write vulnerabilities exist in the VZT vzt_rd_process_block autosort functionality of GTKWave 3.3.115. The vulnerability, tracked as CVE-2023-39235, was discovered by Claudio Bozzato of Cisco Talos and publicly disclosed on January 8, 2024. A specially crafted .vzt file can lead to arbitrary code execution when opened by a victim (Talos Report).

The vulnerability specifically concerns an out-of-bounds write when looping over lt->num_time_ticks. The issue occurs in the autosort functionality where the function can return the number position of the most significant bit in change_msk, which is controlled by file contents. This leads to writing out-of-bounds in the heap at multiple locations. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.8 (HIGH) with the vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (Talos Report).

If successfully exploited, this vulnerability can lead to arbitrary code execution on the target system. The attack requires user interaction, as a victim would need to open a malicious .vzt file to trigger the vulnerability (Talos Report).

The vulnerability has been fixed in GTKWave version 3.3.118. Users are recommended to upgrade to this version or later. The fix has been included in various distribution updates, including Debian 10 (buster) version 3.3.98+really3.3.118-0+deb10u1, Debian 11 (bullseye) version 3.3.104+really3.3.118-0+deb11u1, and Debian 12 (bookworm) version 3.3.118-0.1~deb12u1 (Debian Advisory, DSA-5653-1).