CVE-2023-49993: 
NixOS vulnerability analysis and mitigation

Espeak-ng version 1.52-dev contains a buffer overflow vulnerability in the ReadClause function located in readclause.c. The vulnerability was discovered and reported on November 13, 2023, and received the identifier CVE-2023-49993. The issue affects multiple versions of the espeak-ng text-to-speech software, including version 1.52-dev and earlier releases (GitHub Issue, NVD).

The vulnerability is classified as a global buffer overflow that occurs in the ReadClause function within readclause.c. According to the AddressSanitizer output, the overflow happens at line 668 of readclause.c, involving a WRITE operation of size 4 at a specific memory address. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium), with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L. The issue is categorized under CWE-120 (Buffer Copy without Checking Size of Input) (GitHub Issue, NVD).

The buffer overflow vulnerability can lead to potential security implications including information disclosure, integrity compromise, and availability issues. The CVSS scoring indicates that successful exploitation could result in low-level impacts to confidentiality, integrity, and availability of the affected system (NVD).

Fixed versions have been released for various distributions. Fedora has addressed the vulnerability in espeak-ng version 1.51.1-6 for both Fedora 38 and 39. Debian has fixed the issue in version 1.51+dfsg-10+deb12u2 for bookworm and 1.52.0+dfsg-4 for sid and trixie releases (Fedora Update, Debian Tracker).