CVE-2023-35961
Description
Multiple OS command injection vulnerabilities exist in the decompression functionality of GTKWave 3.3.115. A specially crafted wave file can lead to arbitrary command execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns decompression in vcd_recorder_main.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
GTKWave 3.3.115 contains an OS command injection vulnerability in the VCD recorder decompression function that allows arbitrary command execution via crafted file names.
Vulnerability
An OS command injection vulnerability exists in the decompression functionality of GTKWave 3.3.115, specifically within the vcd_recorder_main function. Compressed wave files are decompressed by external programs launched via popen, so a specially crafted wave file with a malicious file name can inject arbitrary commands when it is decompressed. [1]
Exploitation
An attacker must convince a victim to open a malicious wave file (e.g., via email attachment or file sharing). GTKWave sets MIME types for supported extensions, so double-clicking can automatically trigger loading. The file name contains injected OS commands, which are executed during decompression without proper sanitization. [1]
Impact
Successful exploitation allows an attacker to execute arbitrary OS commands with the privileges of the victim. This can lead to full compromise of confidentiality, integrity, and availability of the affected system. [1]
Mitigation
As of the publication date (2024-01-08), no patch or updated version has been released by the vendor. Users are advised to avoid opening untrusted wave files in GTKWave 3.3.115 or to apply input validation on file names if possible. No workaround has been provided by the vendor. [1]
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
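The Vulnerability and Mitigation notes above describe a file name reaching an external decompressor through popen. As an added example (not GTKWave code and not taken from the cited reference), the C code below shows the shell-free alternative, where the name is handed to the child as a single argv element. The helper name read_via_argv, the demo path and the use of cat as a stand-in for the decompressor are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>
/* Added example, not GTKWave code; names and paths are hypothetical.
 * Risky pattern: the file name is pasted into a string that /bin/sh parses,
 * so shell metacharacters in the name are interpreted:
 *     snprintf(cmd, sizeof cmd, "%s %s", prog, path); popen(cmd, "r");
 * Shell-free form below: path travels as one argv element and stays data.
 * Returns bytes read from the child's stdout, or -1 on error or non-zero exit. */
ssize_t read_via_argv(const char *prog, const char *path, char *buf, size_t cap)
{
    int fds[2], status = 0;
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                     /* child: stdout -> pipe */
        close(fds[0]);
        dup2(fds[1], STDOUT_FILENO);
        close(fds[1]);
        /* "--" ends option parsing, so a leading '-' is not read as a flag */
        execlp(prog, prog, "--", path, (char *)NULL);
        _exit(127);                     /* exec failed */
    }
    close(fds[1]);
    size_t total = 0;
    ssize_t n;
    while (total < cap && (n = read(fds[0], buf + total, cap - total)) > 0)
        total += (size_t)n;
    close(fds[0]);
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) return -1;
    return (ssize_t)total;
}

int main(void)
{
    const char *name = "/tmp/gr_demo;wave.vcd";   /* constructed sample name */
    char out[64];
    FILE *f = fopen(name, "w");
    if (!f) return 1;
    fputs("$end\n", f);
    fclose(f);
    ssize_t n = read_via_argv("cat", name, out, sizeof out); /* cat = stand-in */
    unlink(name);
    printf("read %zd bytes\n", n);
    return (n == 5 && memcmp(out, "$end\n", 5) == 0) ? 0 : 1;
}
```

Because no shell parses the name, the semicolon in the sample path is just a byte in the file name and the child opens exactly that file.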
Affected products
- GTKWave/GTKWave (v5), Range: 3.3.115
Patches
No patches discovered yet.