CVE-2023-39235
Description
Multiple out-of-bounds write vulnerabilities exist in the VZT vzt_rd_process_block autosort functionality of GTKWave 3.3.115. A specially crafted .vzt file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities. This vulnerability concerns the out-of-bounds write when looping over lt->num_time_ticks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A crafted .vzt file triggers an out-of-bounds write in GTKWave 3.3.115's vzt_rd_process_block autosort, leading to arbitrary code execution.
Vulnerability
GTKWave 3.3.115 contains multiple out-of-bounds write vulnerabilities in the vzt_rd_process_block autosort functionality of the VZT (Verilog Zipped Trace) file parser. The issue occurs when looping over lt->num_time_ticks without proper bounds checking (CWE-129). A specially crafted .vzt file can cause a write past the allocated buffer. Both the GUI and command-line utilities (like vzt2vcd) that parse VZT files are affected [1].
Exploitation
An attacker must convince a victim to open a malicious .vzt file, which can be delivered via email or other means, as GTKWave registers mime types for its supported extensions. No additional authentication or privileges are required. The victim simply needs to double-click the file or load it through the application. The code path is reachable without special configuration [1].
Impact
Successful exploitation results in arbitrary code execution in the context of the GTKWave process. The attacker can achieve full compromise of confidentiality, integrity, and availability (CVSS 7.8). The out-of-bounds write can overwrite critical data structures, leading to control of the instruction pointer [1].
Mitigation
As of the advisory date (2024-01-08), no patched version has been released. Users should avoid opening untrusted .vzt files and consider using alternative wave viewer tools if possible. The vulnerability is not listed in the CISA KEV catalog. Check GTKWave's official site for future updates [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- GTKWave/GTKWave (v5), Range: 3.3.115
Patches
No patches discovered yet.
References