PT-2024-12755 · Gtkwave · Gtkwave

Claudio Bozzato

Published

2024-01-08

Updated

2024-04-09

CVE-2023-38657

CVSS v3.1

7.8

High

Vector

AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions GTKWave version 3.3.115

Description A specially crafted .lxt2 file can lead to arbitrary code execution due to an out-of-bounds write vulnerability in the LXT2 zlib block decompression functionality. A victim would need to open a malicious file to trigger this issue. The LXT2 zlib block decompression functionality is the vulnerable component, and the arbitrary code execution is the potential outcome of exploiting this vulnerability.

Recommendations For GTKWave version 3.3.115, consider avoiding the use of the LXT2 zlib block decompression functionality until a patch is available. As a temporary workaround, restrict the opening of .lxt2 files from untrusted sources to minimize the risk of exploitation.

Exploit

Fix

Memory Corruption

Buffer Overflow

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-787CWE-119

Related Identifiers

CVE-2023-38657

DLA-3785-1

DSA-5653-1

Affected Products

Gtkwave

PT-2024-12755 · Gtkwave · Gtkwave

CVE-2023-38657

Weakness Enumeration

Related Identifiers

Affected Products

References · 12