Bug#1059060: espeak-ng: CVE-2023-49990 CVE-2023-49991 CVE-2023-49992 CVE-2023-49993 CVE-2023-49994

[Moritz Mühlenhoff]

Source: espeak-ng
X-Debbugs-CC: team at security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for espeak-ng.

CVE-2023-49990[0]:
| Espeak-ng 1.52-dev was discovered to contain a buffer-overflow via
| the function SetUpPhonemeTable at synthdata.c.

https://github.com/espeak-ng/espeak-ng/issues/1824

CVE-2023-49991[1]:
| Espeak-ng 1.52-dev was discovered to contain a Stack Buffer
| Underflow via the function CountVowelPosition at synthdata.c.

https://github.com/espeak-ng/espeak-ng/issues/1825

CVE-2023-49992[2]:
| Espeak-ng 1.52-dev was discovered to contain a Stack Buffer Overflow
| via the function RemoveEnding at dictionary.c.

https://github.com/espeak-ng/espeak-ng/issues/1827

CVE-2023-49993[3]:
| Espeak-ng 1.52-dev was discovered to contain a Buffer Overflow via
| the function ReadClause at readclause.c.

https://github.com/espeak-ng/espeak-ng/issues/1826

CVE-2023-49994[4]:
| Espeak-ng 1.52-dev was discovered to contain a Floating Point
| Exception via the function PeaksToHarmspect at wavegen.c.

https://github.com/espeak-ng/espeak-ng/issues/1823

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-49990
    https://www.cve.org/CVERecord?id=CVE-2023-49990
[1] https://security-tracker.debian.org/tracker/CVE-2023-49991
    https://www.cve.org/CVERecord?id=CVE-2023-49991
[2] https://security-tracker.debian.org/tracker/CVE-2023-49992
    https://www.cve.org/CVERecord?id=CVE-2023-49992
[3] https://security-tracker.debian.org/tracker/CVE-2023-49993
    https://www.cve.org/CVERecord?id=CVE-2023-49993
[4] https://security-tracker.debian.org/tracker/CVE-2023-49994
    https://www.cve.org/CVERecord?id=CVE-2023-49994

Please adjust the affected versions in the BTS as needed.