CVE-2023-39444

Vulnerability

Multiple out-of-bounds write vulnerabilities exist in the LXT2 parsing functionality of GTKWave version 3.3.115. These vulnerabilities are specifically triggered during the string copy loop when processing a specially-crafted .lxt2 file. The flaw resides in the process_lxt() function in lxt2_read.c which calls lxt2_rd_get_fac_geometry() to retrieve geometry data from the file [1]. This vulnerability is classified as CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer).

Exploitation

An attacker would need to craft a malicious .lxt2 file that exploits the out-of-bounds write during the string copy loop [1]. The victim must open this file using GTKWave 3.3.115, which can occur through various means, such as double-clicking a wave file received via email, as GTKWave sets up mime types for its supported extensions [1]. No additional authentication or privileges are required beyond the victim's ability to open the file.

Impact

Successful exploitation leads to arbitrary code execution on the victim's machine with the privileges of the user running GTKWave. This compromises the confidentiality, integrity, and availability of the system (CVSSv3 score 7.8: High/High/High) [1]. The out-of-bounds write allows the attacker to overwrite critical memory regions, potentially achieving full control of the application.

Mitigation

The vendor GTKWave has not yet released a fixed version addressing this vulnerability as of the publication date [1]. Users should avoid opening untrusted .lxt2 files until a patch is available. No workaround or mitigation is provided in the available references. This CVE is not listed in the KEV catalog at the time of writing.