CVE-2023-49991: 
NixOS vulnerability analysis and mitigation

CVE-2023-49991 affects eSpeak-ng version 1.52-dev, a text-to-speech program. The vulnerability was discovered in November 2023 and involves a Stack Buffer Underflow in the CountVowelPosition function within synthdata.c (GitHub Issue). The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) (NVD).

The vulnerability is characterized as a stack-buffer-underflow that occurs in the CountVowelPosition function within synthdata.c. The issue was identified through AddressSanitizer testing, which detected a READ operation of size 8 that triggered the buffer underflow. The CVSS v3.1 vector string is CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L, indicating local access vector, low attack complexity, no privileges required, and user interaction required (NVD).

The vulnerability has been assessed with low impacts across confidentiality, integrity, and availability. The exploitation of this vulnerability could potentially lead to denial of service or arbitrary code execution in affected systems (Ubuntu Security).

Multiple Linux distributions have released patches to address this vulnerability. Ubuntu has released fixes across multiple versions: 23.10 (1.51+dfsg-11ubuntu0.1), 22.04 LTS (1.50+dfsg-10ubuntu0.1), 20.04 LTS (1.50+dfsg-6ubuntu0.1), and 18.04 LTS (1.49.2+dfsg-1ubuntu0.1~esm1). Fedora has also released updates for versions 38 and 39 with version 1.51.1-6 (Ubuntu Security, Fedora Update).