CVE-2023-35960

Vulnerability

GTKWave 3.3.115 contains an OS command injection vulnerability in the legacy decompression functionality within vcd_main. When opening a wave file, GTKWave uses popen to invoke external decompression programs (e.g., gzip, bzip2, zip) on the input file name without proper sanitization. A specially crafted file name can inject arbitrary commands. This affects all platforms (Linux, Windows, macOS) and is triggered when a user opens a malicious wave file, such as by double-clicking on it due to registered MIME types [1].

Exploitation

An attacker must craft a wave file with a file name containing shell metacharacters and command injection payloads. The victim must open this file using GTKWave (e.g., via the GUI or command line). No authentication or special privileges are required; the attack is local and relies on user interaction. The injection occurs during the decompression step, where the file name is passed to popen [1].

Impact

Successful exploitation allows arbitrary command execution with the privileges of the user running GTKWave. This can lead to full compromise of confidentiality, integrity, and availability, including data exfiltration, installation of malware, or further system compromise [1].

Mitigation

As of the publication date (2024-01-08), no official patch has been released for GTKWave 3.3.115. Users are advised to avoid opening wave files from untrusted sources and to consider using alternative wave viewers until a fix is available. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog at the time of writing [1].