In BeyondTrust Privilege Management for Windows (aka PMfW) through 5.7, a SYSTEM installation causes Cryptbase.dll to be loaded from the user-writable location %WINDIR%\Temp.

"If you are looking for a solution that allows you to quickly and easily eliminate admin rights, I have no hesitation recommending \[Privilege Management for Windows & Mac\] to any organization."

Application Support Manager, Seyfarth Shaw LLP

Seyfarth Shaw provides advisory, litigation, and transactional legal services to clients worldwide.

We've got a team of six engineers who manage the entire desktop and mobile estate, so we needed something that was really going to empower them to get the job done in as quick and efficient way as we can. Using Privilege Management for Windows and Mac really opened doors to allow us to do that.

Ryan Powell, University of Derby, Operations & Response Centre Manager

The University of Derby is a public university located in Derby, England with over 30,000 students.

BeyondTrust provides a powerful platform that allows us to streamline and standardize application control and privileged management across our entire organization. Our people are smarter and better protected, and that's great news for our business.

Dan Bartlett, Senior Consultant, Ramboll

Ramboll is a global engineering, architecture and consultancy company founded in Denmark in 1945.

**Ready for the Next Step?**

**Watch a Demo of Privilege Management for Windows & Mac**

Learn how to quickly and efficiently eliminate admin rights and enforce least privilege across Windows and macOS, while maintaining user productivity.

*   Enforce least privilege across the Windows & macOS environment
*   Protect endpoints with advanced application controls
*   Review user behavior and session analytics

CVE-2020-28369: Privilege Management for Windows and Mac | BeyondTrust

In GL.iNET GL-AR300M routers with firmware 3.216 it is possible to inject arbitrary shell commands through the OpenVPN client file upload functionality.

**Inspiring a Smarter Lifestyle for Families and Enterprises Across the World.**

GL.iNet is a leading developer of OpenWrt Wi-Fi and IoT Network Solutions. We build Wi-Fi routers, IoT gateways and remote device management platforms for a wide range of scenarios. We believe all successful businesses build upon a strong and secure foundation, which is why our engineers are passionate about understanding your needs and utilizing their expertise to tailor reliable and secure network architecture that solve your problems.

**Explore GL.iNet Products in Different Fields**

Our engineers work hard to create top-of-the-line manufacturing solutions for your customized needs

**Cellular Connectivity**

Multi-protocols IoT Gateways that provides LTE connectivity for IoT sensor devices

LEARN MORE

**GoodCloud**

Device Management, data collection, processing and visualization of your IoT project

LEARN MORE

**Site-to-Site**

Remote access to your internal business network securely

LEARN MORE

**White Label Service**

Customize networking devices and software on demand

LEARN MORE

**RV Connectivity**

Unmatched Connectivity on Your RV Adventures with Our Multi-WAN Router

LEARN MORE

**WiFi 6 & 5G NR Network**

Unleash the Power of WiFi 6 & 5G NR Technology

LEARN MORE

**VPN on Routers**

The Best Commercial VPN Service Providers in 2023

LEARN MORE

**In the news**

We are proud that others have found our products as interesting and exciting as we do.

CVE-2023-46456: Homepage

In GL.iNET GL-AR300M routers with firmware v4.3.7, it is possible to inject arbitrary shell commands through a crafted package name in the package information functionality.

**CVE-2023-46454: Remote Command Execution**

**Affected Products and Versions**: GL.iNet GL-AR300M routers with firmware v4.3.7  
**CVSSv3.1 Score:** 7.2 (High)  
**CVSSv3.1 Attack Vector:** AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H  
**Discoverer:** Michele ‘cyberaz0r’ Di Bonaventura  
**Exploit:** GitHub

**Executive Summary**

In GL.iNET GL-AR300M routers with firmware v4.3.7, it is possible to inject arbitrary shell commands through a crafted package name in the package information functionality.

Update GL.iNet GL-AR300M router firmware to the latest version.

**Reference**

https://nvd.nist.gov/vuln/detail/CVE-2023-46454

**CVE-2023-46455: Arbitrary File Write**

**Affected Products and Versions**: GL.iNet GL-AR300M routers with firmware v4.3.7  
**CVSSv3.1 Score:** 7.2 (High)  
**CVSSv3.1 Attack Vector:** AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H  
**Discoverer:** Michele ‘cyberaz0r’ Di Bonaventura  
**Exploit:** GitHub

**Executive Summary**

In GL.iNET GL-AR300M routers with firmware v4.3.7, it is possible to write arbitrary files through a path traversal attack in the OpenVPN client file upload functionality.

Update GL.iNet GL-AR300M router firmware to the latest version.

**Reference**

https://nvd.nist.gov/vuln/detail/CVE-2023-46455

**CVE-2023-46456: Remote Command Execution**

**Affected Products and Versions**: GL.iNet GL-AR300M routers with firmware v3.216  
**CVSSv3.1 Score:** 7.2 (High)  
**CVSSv3.1 Attack Vector:** AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H  
**Discoverer:** Michele ‘cyberaz0r’ Di Bonaventura  
**Exploit:** GitHub

**Executive Summary**

In GL.iNET GL-AR300M routers with firmware v3.216, it is possible to inject arbitrary shell commands through the OpenVPN client file upload functionality.

Update GL.iNet GL-AR300M router firmware to the latest version.

**Reference**

https://nvd.nist.gov/vuln/detail/CVE-2023-46456

CVE-2023-46454: cyberaz0r Security Blog | GL.iNet Multiple Vulnerabilities

NCurse v6.4-20230418 was discovered to contain a segmentation fault via the component _nc_wrap_entry().

\[Date Prev\]\[Date Next\]\[Thread Prev\]\[Thread Next\]\[Date Index\]\[Thread Index\]

**From**:

Ziqiao Kong

**Subject**:

Segment fault in tic

**Date**:

Sun, 23 Apr 2023 22:32:39 +0200

Hello,

Our fuzzer finds a segment fault for tic.

Steps to reproduce:

\`\`\`
wget -c 
"https://invisible-island.net/archives/ncurses/current/ncurses-6.4-20230418.tgz";
tar xf ncurses-6.4-20230418.tgz
cd ncurses-6.4-20230418
./configure --enable-debug && make -j
./progs/tic -x -s /work/tmpfs/poc
\`\`\`

Backtrace from gdb:

\`\`\`
Program received signal SIGSEGV, Segmentation fault.
0x00007f48380af97d in ?? () from /lib/x86\_64-linux-gnu/libc.so.6
(gdb) bt
#0  0x00007f48380af97d in ?? () from /lib/x86\_64-linux-gnu/libc.so.6
#1  0x0000557b0635df11 in \_nc\_wrap\_entry ()
#2  0x0000557b063584d0 in \_nc\_parse\_entry ()
#3  0x0000557b06354ee4 in \_nc\_read\_entry\_source ()
#4  0x0000557b0633b4d6 in main ()
(gdb)
\`\`\`

Environment:

\`\`\`
\[afl++ 72a1b4591f81\] /ncurses-6.4-20230418 # uname -a
Linux 72a1b4591f81 5.4.0-147-generic #164-Ubuntu SMP Tue Mar 21
14:23:17 UTC 2023 x86\_64 x86\_64 x86\_64 GNU/Linux
\[afl++ 72a1b4591f81\] /ncurses-6.4-20230418 # cat /etc/issue
Ubuntu 22.04.2 LTS \\n \\l

\[afl++ 72a1b4591f81\] /ncurses-6.4-20230418 # gcc --version
gcc (Ubuntu 11.3.0-1ubuntu1~22.04) 11.3.0
Copyright (C) 2021 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

\[afl++ 72a1b4591f81\] /ncurses-6.4-20230418 # g++ --version
g++ (Ubuntu 11.3.0-1ubuntu1~22.04) 11.3.0
Copyright (C) 2021 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

\[afl++ 72a1b4591f81\] /ncurses-6.4-20230418 # ld --version
GNU ld (GNU Binutils for Ubuntu) 2.38
Copyright (C) 2022 Free Software Foundation, Inc.
This program is free software; you may redistribute it under the terms of
the GNU General Public License version 3 or (at your option) a later version.
This program has absolutely no warranty.
\[afl++ 72a1b4591f81\] /ncurses-6.4-20230418 #
\`\`\`

Attached below is the poc file.

Thanks in advance!

Bests,
Ziqiao

 **poc.tar.xz**  
_Description:_ application/xz

*   **Segment fault in tic**, _Ziqiao Kong_ **<=**
    *   **Re: Segment fault in tic**, _Thomas Dickey_, 2023/04/23
    *   **Re: Segment fault in tic**, _Thomas Dickey_, 2023/04/23
        *   **Re: Segment fault in tic**, _Thomas Dickey_, 2023/04/23
            *   **Re: Segment fault in tic**, _Thomas Dickey_, 2023/04/23
            *   **Re: Segment fault in tic**, _Ziqiao Kong_, 2023/04/23
            *   **Re: Segment fault in tic**, _Ziqiao Kong_, 2023/04/23
            *   **Re: Segment fault in tic**, _Thomas Dickey_, 2023/04/24

*   Prev by Date: **no patch tonight**
*   Next by Date: **Re: Segment fault in tic**
*   Previous by thread: **no patch tonight**
*   Next by thread: **Re: Segment fault in tic**
*   Index(es):
    *   **Date**
    *   **Thread**

CVE-2023-50495: Segment fault in tic

quiche v. 0.15.0 through 0.19.0 was discovered to be vulnerable to unbounded queuing of path validation messages, which could lead to excessive resource consumption.
QUIC path validation (RFC 9000 Section 8.2) requires that the recipient of a PATH_CHALLENGE frame responds by sending a PATH_RESPONSE. An unauthenticated remote attacker can exploit the vulnerability by sending PATH_CHALLENGE frames and manipulating the connection (e.g. by restricting the peer's congestion window size) so that PATH_RESPONSE frames can only be sent at the slower rate than they are received; leading to storage of path validation data in an unbounded queue. 
Quiche versions greater than 0.19.0 address this problem.

**Impact**

quiche v. 0.15.0 through 0.19.0 was discovered to be vulnerable to unbounded queuing of path validation messages, which could lead to excessive resource consumption.

QUIC path validation (RFC 9000 Section 8.2) requires that the recipient of a PATH\_CHALLENGE frame responds by sending a PATH\_RESPONSE. An unauthenticated remote attacker can exploit the vulnerability by sending PATH\_CHALLENGE frames and manipulating the connection (e.g. by restricting the peer's congestion window size) so that PATH\_RESPONSE frames can only be sent at the slower rate than they are received, leading to storage of path validation data in an unbounded queue.

**Patches**

Quiche versions greater than 0.19.0 address this problem.

**References**

CVE-2023-6193  
RFC 9000 Section 8.2

CVE-2023-6193: Unbounded queuing of path validation messages in cloudflare-quiche

Espeak-ng 1.52-dev was discovered to contain a buffer-overflow via the function SetUpPhonemeTable at synthdata.c.

**System info**  
Ubuntu x86\_64, clang 12.0  
version: espeak-ng(1.52-dev)

**Command line**  
./espeak-ng -f poc -w /dev/null

**Poc**  
poc:poc

**AddressSanitizer output**  
\==4070074==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000fd06cc at pc 0x0000005555f3 bp 0x7ffcdce1ca70 sp 0x7ffcdce1ca68  
READ of size 4 at 0x000000fd06cc thread T0  
#0 0x5555f2 in SetUpPhonemeTable /src/espeak-ng/src/libespeak-ng/synthdata.c:338:43  
#1 0x5552d5 in SelectPhonemeTable /src/espeak-ng/src/libespeak-ng/synthdata.c:360:2  
#2 0x57eae8 in TranslateWord2 /src/espeak-ng/src/libespeak-ng/translate.c:570:4  
#3 0x5797d6 in TranslateClause /src/espeak-ng/src/libespeak-ng/translate.c:1607:6  
#4 0x56fe0b in SpeakNextClause /src/espeak-ng/src/libespeak-ng/synthesize.c:1560:2  
#5 0x543527 in Synthesize /src/espeak-ng/src/libespeak-ng/speech.c:489:9  
#6 0x544552 in sync\_espeak\_Synth /src/espeak-ng/src/libespeak-ng/speech.c:571:29  
#7 0x544552 in espeak\_ng\_Synthesize /src/espeak-ng/src/libespeak-ng/speech.c:669:10  
#8 0x51fa9e in espeak\_Synth /src/espeak-ng/src/libespeak-ng/espeak\_api.c:90:32  
#9 0x4cde94 in main /src/espeak-ng/src/espeak-ng.c:779:3  
#10 0x7f1ab886e082 in \_\_libc\_start\_main /build/glibc-BHL3KM/glibc-2.31/csu/../csu/libc-start.c:308:16  
#11 0x41d64d in \_start (/src/espeak-ng/src/espeak-ng+0x41d64d)

0x000000fd06cc is located 140 bytes to the right of global variable 'phoneme\_tab\_list' defined in 'src/libespeak-ng/synthdata.c:61:18' (0xfcea20) of size 7200  
SUMMARY: AddressSanitizer: global-buffer-overflow /src/espeak-ng/src/libespeak-ng/synthdata.c:338:43 in SetUpPhonemeTable

Shadow bytes around the buggy address:  
0x0000801f2080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0000801f2090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0000801f20a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0000801f20b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0000801f20c0: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 f9  
\=>0x0000801f20d0: f9 f9 f9 f9 f9 f9 f9 f9 f9\[f9\]f9 f9 f9 f9 f9 f9  
0x0000801f20e0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9  
0x0000801f20f0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9  
0x0000801f2100: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9  
0x0000801f2110: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9  
0x0000801f2120: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
Left alloca redzone: ca  
Right alloca redzone: cb  
Shadow gap: cc  
\==4070074==ABORTING

CVE-2023-49990: global-buffer-overflow exists in the function SetUpPhonemeTable in synthdata.c · Issue #1824 · espeak-ng/espeak-ng

Espeak-ng 1.52-dev was discovered to contain a Buffer Overflow via the function ReadClause at readclause.c.

**System info**  
Ubuntu x86\_64, clang 12.0  
version: espeak-ng(1.52-dev)

**Command line**  
./espeak-ng -f poc -w /dev/null

**Poc**  
poc:poc

**AddressSanitizer output**  
\==4070638==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000fe1cb0 at pc 0x0000005389ce bp 0x7ffd05945410 sp 0x7ffd05945408  
WRITE of size 4 at 0x000000fe1cb0 thread T0  
#0 0x5389cd in ReadClause /src/espeak-ng/src/libespeak-ng/readclause.c:668:30  
#1 0x571b2d in TranslateClause /src/espeak-ng/src/libespeak-ng/translate.c:984:15  
#2 0x56fe0b in SpeakNextClause /src/espeak-ng/src/libespeak-ng/synthesize.c:1560:2  
#3 0x543527 in Synthesize /src/espeak-ng/src/libespeak-ng/speech.c:489:9  
#4 0x544552 in sync\_espeak\_Synth /src/espeak-ng/src/libespeak-ng/speech.c:571:29  
#5 0x544552 in espeak\_ng\_Synthesize /src/espeak-ng/src/libespeak-ng/speech.c:669:10  
#6 0x51fa9e in espeak\_Synth /src/espeak-ng/src/libespeak-ng/espeak\_api.c:90:32  
#7 0x4cde94 in main /src/espeak-ng/src/espeak-ng.c:779:3  
#8 0x7f79f766d082 in \_\_libc\_start\_main /build/glibc-BHL3KM/glibc-2.31/csu/../csu/libc-start.c:308:16  
#9 0x41d64d in \_start (/src/espeak-ng/src/espeak-ng+0x41d64d)

0x000000fe1cb0 is located 48 bytes to the left of global variable 'option\_linelength' defined in 'src/libespeak-ng/translate.c:99:5' (0xfe1ce0) of size 4  
0x000000fe1cb0 is located 0 bytes to the right of global variable 'option\_punctlist' defined in 'src/libespeak-ng/translate.c:96:9' (0xfe1bc0) of size 240  
SUMMARY: AddressSanitizer: global-buffer-overflow /src/espeak-ng/src/libespeak-ng/readclause.c:668:30 in ReadClause

Shadow bytes around the buggy address:  
0x0000801f4340: 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9  
0x0000801f4350: 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9  
0x0000801f4360: 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9  
0x0000801f4370: 04 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00  
0x0000801f4380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
\=>0x0000801f4390: 00 00 00 00 00 00\[f9\]f9 f9 f9 f9 f9 04 f9 f9 f9  
0x0000801f43a0: f9 f9 f9 f9 01 f9 f9 f9 f9 f9 f9 f9 00 00 00 00  
0x0000801f43b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0000801f43c0: 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 00 00 04 f9  
0x0000801f43d0: f9 f9 f9 f9 00 00 04 f9 f9 f9 f9 f9 00 00 00 00  
0x0000801f43e0: 00 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
Left alloca redzone: ca  
Right alloca redzone: cb  
Shadow gap: cc  
\==4070638==ABORTING

CVE-2023-49993: global-buffer-overflow exists in the function ReadClause in readclause.c · Issue #1826 · espeak-ng/espeak-ng

Espeak-ng 1.52-dev was discovered to contain a Floating Point Exception via the function PeaksToHarmspect at wavegen.c.

**System info**  
Ubuntu x86\_64, clang 12.0  
version: espeak-ng(1.52-dev)

**Command line**  
./espeak-ng -f poc -w /dev/null

**Poc**  
poc:poc

**AddressSanitizer output**  
\==4069818==ERROR: AddressSanitizer: FPE on unknown address 0x0000005aeced (pc 0x0000005aeced bp 0x000000fe792a sp 0x7fff82149c60 T0)  
#0 0x5aeced in PeaksToHarmspect /src/espeak-ng/src/libespeak-ng/wavegen.c:456:87  
#1 0x5b3639 in Wavegen /src/espeak-ng/src/libespeak-ng/wavegen.c:723:13  
#2 0x5b3639 in WavegenFill2 /src/espeak-ng/src/libespeak-ng/wavegen.c:1331:13  
#3 0x5b3639 in WavegenFill /src/espeak-ng/src/libespeak-ng/wavegen.c:1420:13  
#4 0x54317c in Synthesize /src/espeak-ng/src/libespeak-ng/speech.c:461:3  
#5 0x544552 in sync\_espeak\_Synth /src/espeak-ng/src/libespeak-ng/speech.c:571:29  
#6 0x544552 in espeak\_ng\_Synthesize /src/espeak-ng/src/libespeak-ng/speech.c:669:10  
#7 0x51fa9e in espeak\_Synth /src/espeak-ng/src/libespeak-ng/espeak\_api.c:90:32  
#8 0x4cde94 in main /src/espeak-ng/src/espeak-ng.c:779:3  
#9 0x7fd834ba0082 in \_\_libc\_start\_main /build/glibc-BHL3KM/glibc-2.31/csu/../csu/libc-start.c:308:16  
#10 0x41d64d in \_start (/src/espeak-ng/src/espeak-ng+0x41d64d)

AddressSanitizer can not provide additional info.  
SUMMARY: AddressSanitizer: FPE /src/espeak-ng/src/libespeak-ng/wavegen.c:456:87 in PeaksToHarmspect  
\==4069818==ABORTING

CVE-2023-49994: Floating Point Exception exists in the function PeaksToHarmspect in wavegen.c · Issue #1823 · espeak-ng/espeak-ng

Espeak-ng 1.52-dev was discovered to contain a Stack Buffer Overflow via the function RemoveEnding at dictionary.c.

**System info**  
Ubuntu x86\_64, clang 12.0  
version: espeak-ng(1.52-dev)

**Command line**  
./espeak-ng -f poc -w /dev/null

**Poc**  
poc:poc

**AddressSanitizer output**  
\==4070654==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffce78764a0 at pc 0x00000049796a bp 0x7ffce78758d0 sp 0x7ffce7875098  
WRITE of size 393 at 0x7ffce78764a0 thread T0  
#0 0x497969 in \_\_asan\_memcpy (/src/espeak-ng/src/espeak-ng+0x497969)  
#1 0x51c13e in RemoveEnding /src/espeak-ng/src/libespeak-ng/dictionary.c:2902:3  
#2 0x5853f2 in TranslateWord3 /src/espeak-ng/src/libespeak-ng/translateword.c:444:17  
#3 0x570911 in TranslateWord /src/espeak-ng/src/libespeak-ng/translate.c:150:14  
#4 0x57c9ca in TranslateWord2 /src/espeak-ng/src/libespeak-ng/translate.c:404:11  
#5 0x57951f in TranslateClause /src/espeak-ng/src/libespeak-ng/translate.c:1594:17  
#6 0x56fe0b in SpeakNextClause /src/espeak-ng/src/libespeak-ng/synthesize.c:1560:2  
#7 0x5430bc in Synthesize /src/espeak-ng/src/libespeak-ng/speech.c:455:2  
#8 0x544552 in sync\_espeak\_Synth /src/espeak-ng/src/libespeak-ng/speech.c:571:29  
#9 0x544552 in espeak\_ng\_Synthesize /src/espeak-ng/src/libespeak-ng/speech.c:669:10  
#10 0x51fa9e in espeak\_Synth /src/espeak-ng/src/libespeak-ng/espeak\_api.c:90:32  
#11 0x4cde94 in main /src/espeak-ng/src/espeak-ng.c:779:3  
#12 0x7f9c6597c082 in \_\_libc\_start\_main /build/glibc-BHL3KM/glibc-2.31/csu/../csu/libc-start.c:308:16  
#13 0x41d64d in \_start (/src/espeak-ng/src/espeak-ng+0x41d64d)

Address 0x7ffce78764a0 is located in stack of thread T0 at offset 2368 in frame  
#0 0x58082f in TranslateWord3 /src/espeak-ng/src/libespeak-ng/translateword.c:59

This frame has 25 object(s):  
\[32, 232) 'ph\_buf.i.i' (line 1191)  
\[304, 308) 'c.i' (line 1122)  
\[320, 324) 'wc.i' (line 1048)  
\[336, 416) 'word\_buf.i' (line 1053)  
\[448, 456) 'word1' (line 62)  
\[480, 488) 'dictionary\_flags' (line 68)  
\[512, 520) 'dictionary\_flags2' (line 69)  
\[544, 552) 'wordx' (line 74)  
\[576, 776) 'phonemes' (line 75)  
\[848, 1048) 'phonemes2' (line 76)  
\[1120, 1320) 'prefix\_phonemes' (line 77)  
\[1392, 1592) 'unpron\_phonemes' (line 78)  
\[1664, 1864) 'end\_phonemes' (line 79)  
\[1936, 2136) 'end\_phonemes2' (line 80)  
\[2208, 2368) 'word\_copy' (line 81)  
\[2432, 2592) 'word\_copy2' (line 82) <== Memory access at offset 2368 partially underflows this variable

\[2656, 2721) 'prefix\_chars' (line 84) <== Memory access at offset 2368 partially underflows this variable  
\[2768, 2772) 'c\_temp' (line 87)  
\[2784, 2788) 'first\_char' (line 88)  
\[2800, 2804) 'last\_char' (line 89)  
\[2816, 2912) 'wtab\_null' (line 99)  
\[2944, 2948) 'wc' (line 322)  
\[2960, 3160) 'end\_phonemes2410' (line 343)  
\[3232, 3240) 'wordpf' (line 401)  
\[3264, 3276) 'prefix\_phonemes2' (line 402)  
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork  
(longjmp and C++ exceptions _are_ supported)  
SUMMARY: AddressSanitizer: stack-buffer-overflow (/src/espeak-ng/src/espeak-ng+0x497969) in \_\_asan\_memcpy  
Shadow bytes around the buggy address:  
0x10001cf06c40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x10001cf06c50: 00 00 00 00 00 f2 f2 f2 f2 f2 f2 f2 f2 f2 00 00  
0x10001cf06c60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x10001cf06c70: 00 00 00 00 00 00 00 f2 f2 f2 f2 f2 f2 f2 f2 f2  
0x10001cf06c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
\=>0x10001cf06c90: 00 00 00 00\[f2\]f2 f2 f2 f2 f2 f2 f2 00 00 00 00  
0x10001cf06ca0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x10001cf06cb0: f2 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00  
0x10001cf06cc0: 01 f2 f2 f2 f2 f2 04 f2 04 f2 04 f2 00 00 00 00  
0x10001cf06cd0: 00 00 00 00 00 00 00 00 f2 f2 f2 f2 f8 f2 f8 f8  
0x10001cf06ce0: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6

Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
Left alloca redzone: ca  
Right alloca redzone: cb  
Shadow gap: cc  
\==4070654==ABORTING

CVE-2023-49992: stack-buffer-overflow exists in the function RemoveEnding in dictionary.c · Issue #1827 · espeak-ng/espeak-ng

Espeak-ng 1.52-dev was discovered to contain a Stack Buffer Underflow via the function CountVowelPosition at synthdata.c.

**System info**  
Ubuntu x86\_64, clang 12.0  
version: espeak-ng(1.52-dev)

**Command line**  
./espeak-ng -f poc -w /dev/null

**Poc**  
poc:poc

**AddressSanitizer output**  
\==4070186==ERROR: AddressSanitizer: stack-buffer-underflow on address 0x7ffd7a6c0e80 at pc 0x00000055a66a bp 0x7ffd7a6c0b70 sp 0x7ffd7a6c0b68  
READ of size 8 at 0x7ffd7a6c0e80 thread T0  
#0 0x55a669 in CountVowelPosition /src/espeak-ng/src/libespeak-ng/synthdata.c:449:14  
#1 0x55a669 in InterpretCondition /src/espeak-ng/src/libespeak-ng/synthdata.c:626:12  
#2 0x55a669 in InterpretPhoneme /src/espeak-ng/src/libespeak-ng/synthdata.c:832:14  
#3 0x55ab57 in InterpretPhoneme2 /src/espeak-ng/src/libespeak-ng/synthdata.c:979:2  
#4 0x5fc032 in CalcLengths /src/espeak-ng/src/libespeak-ng/setlengths.c:680:5  
#5 0x56fe4e in SpeakNextClause /src/espeak-ng/src/libespeak-ng/synthesize.c:1563:2  
#6 0x543527 in Synthesize /src/espeak-ng/src/libespeak-ng/speech.c:489:9  
#7 0x544552 in sync\_espeak\_Synth /src/espeak-ng/src/libespeak-ng/speech.c:571:29  
#8 0x544552 in espeak\_ng\_Synthesize /src/espeak-ng/src/libespeak-ng/speech.c:669:10  
#9 0x51fa9e in espeak\_Synth /src/espeak-ng/src/libespeak-ng/espeak\_api.c:90:32  
#10 0x4cde94 in main /src/espeak-ng/src/espeak-ng.c:779:3  
#11 0x7fe8046c2082 in \_\_libc\_start\_main /build/glibc-BHL3KM/glibc-2.31/csu/../csu/libc-start.c:308:16  
#12 0x41d64d in \_start (/src/espeak-ng/src/espeak-ng+0x41d64d)

Address 0x7ffd7a6c0e80 is located in stack of thread T0 at offset 0 in frame  
#0 0x55a92f in InterpretPhoneme2 /src/espeak-ng/src/libespeak-ng/synthdata.c:964

This frame has 1 object(s):  
\[32, 192) 'plist' (line 967)  
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork  
(longjmp and C++ exceptions _are_ supported)  
SUMMARY: AddressSanitizer: stack-buffer-underflow /src/espeak-ng/src/libespeak-ng/synthdata.c:449:14 in CountVowelPosition

Shadow bytes around the buggy address:  
0x10002f4d0180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x10002f4d0190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x10002f4d01a0: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1  
0x10002f4d01b0: f8 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 f3 f3  
0x10002f4d01c0: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00  
\=>0x10002f4d01d0:\[f1\]f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00 00  
0x10002f4d01e0: 00 00 00 00 00 00 00 00 f3 f3 f3 f3 f3 f3 f3 f3  
0x10002f4d01f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x10002f4d0200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x10002f4d0210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x10002f4d0220: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
Left alloca redzone: ca  
Right alloca redzone: cb  
Shadow gap: cc  
\==4070186==ABORTING

Source

CVE