CVE-2023-49992: 
NixOS vulnerability analysis and mitigation

Espeak-ng version 1.52-dev contains a Stack Buffer Overflow vulnerability (CVE-2023-49992) in the RemoveEnding function within dictionary.c. The vulnerability was discovered and disclosed on December 12, 2023, affecting the text-to-speech synthesizer software (NVD).

The vulnerability is classified as a stack buffer overflow with a CVSS v3.1 Base Score of 5.3 (Medium), with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L. The issue specifically occurs in the RemoveEnding function within the dictionary.c file, where improper memory management can lead to a buffer overflow condition (NVD, GitHub Issue).

The vulnerability can potentially lead to denial of service conditions or arbitrary code execution when exploited. The impact affects confidentiality, integrity, and availability, each rated as Low according to the CVSS scoring (Ubuntu Security).

Multiple Linux distributions have released patches to address this vulnerability. Ubuntu has released fixes across multiple versions: 23.10 (1.51+dfsg-11ubuntu0.1), 22.04 LTS (1.50+dfsg-10ubuntu0.1), 20.04 LTS (1.50+dfsg-6ubuntu0.1), and 18.04 LTS (1.49.2+dfsg-1ubuntu0.1~esm1). Fedora has also released updates for versions 38 and 39 with version 1.51.1-6 (Ubuntu Security, Fedora Update).