
Bug 917153 (CVE-2023-5868, CVE-2023-5869, CVE-2023-5870)

Summary: <dev-db/postgresql-{11.22,12.17,13.13,14.10,15.5}: multiple vulnerabilities
Product: Gentoo Security
Reporter: Patrick Lauer <patrick>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://www.postgresql.org/about/news/postgresql-161-155-1410-1313-1217-and-1122-released-2749/
Whiteboard: B2 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 917154    
Bug Blocks:    

Description Patrick Lauer gentoo-dev 2023-11-11 08:21:02 UTC
Changelog says:

CVE-2023-5868: Memory disclosure in aggregate function calls

CVSS v3 Base Score: 4.3

Supported, Vulnerable Versions: 11 - 16. The security team typically does not test unsupported versions, but this problem is quite old.

Certain aggregate function calls receiving "unknown"-type arguments could disclose bytes of server memory from the end of the "unknown"-type value to the next zero byte. One typically gets an "unknown"-type value via a string literal having no type designation. We have not confirmed or ruled out viability of attacks that arrange for presence of notable, confidential information in disclosed bytes.

The PostgreSQL project thanks Jingzhou Fu for reporting this problem.

CVE-2023-5869: Buffer overrun from integer overflow in array modification

CVSS v3 Base Score: 8.8

Supported, Vulnerable Versions: 11 - 16. The security team typically does not test unsupported versions, but this problem is quite old.

While modifying certain SQL array values, missing overflow checks let authenticated database users write arbitrary bytes to a memory area that facilitates arbitrary code execution. Missing overflow checks also let authenticated database users read a wide area of server memory. The CVE-2021-32027 fix covered some attacks of this description, but it missed others.

The PostgreSQL project thanks Pedro Gallegos for reporting this problem.

CVE-2023-5870: Role pg_cancel_backend can signal certain superuser processes

CVSS v3 Base Score: 2.2

Supported, Vulnerable Versions: 11 - 16. The security team typically does not test unsupported versions, but this problem is quite old.

Documentation says the pg_cancel_backend role cannot signal "a backend owned by a superuser". On the contrary, it can signal background workers, including the logical replication launcher. It can signal autovacuum workers and the autovacuum launcher. Signaling autovacuum workers and those two launchers provides no meaningful exploit, so exploiting this vulnerability requires a non-core extension with a less-resilient background worker. For example, a non-core background worker that does not auto-restart would experience a denial of service with respect to that particular background worker.

The PostgreSQL project thanks Hemanth Sandrana and Mahendrakar Srinivasarao for reporting this problem.
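The practical question for an administrator reading this bug is whether a given server is already on a fixed minor release. The following script is an added example, not part of the bug report or of PostgreSQL or Gentoo tooling: it parses a version string in the shape of `SELECT version()` output or a Gentoo package atom and compares it against the fixed releases named in the summary (11.22, 12.17, 13.13, 14.10, 15.5) plus 16.1 from the linked release announcement. The sample strings are constructed for the demonstration. Majors older than 11 are reported as affected because the advisory text says the problems are old and unsupported branches are not tested; the cut-off values are the only page-derived facts here.

```python
import re

# Minimum fixed minor release per major line, from the bug summary and the
# PostgreSQL 16.1/15.5/14.10/13.13/12.17/11.22 release announcement linked above.
FIXED_MINOR = {11: 22, 12: 17, 13: 13, 14: 10, 15: 5, 16: 1}

# Matches "PostgreSQL 15.4 on ..." (SELECT version()) and "dev-db/postgresql-15.4".
_VERSION_RE = re.compile(r"postgresql[ -](\d+)\.(\d+)", re.IGNORECASE)

# Constructed sample inputs (not real hosts); one per branch plus edge cases.
SAMPLES = [
    "PostgreSQL 15.4 on x86_64-pc-linux-gnu, compiled by gcc, 64-bit",
    "PostgreSQL 15.5 on x86_64-pc-linux-gnu, compiled by gcc, 64-bit",
    "dev-db/postgresql-11.22",
    "dev-db/postgresql-14.9-r1",
    "PostgreSQL 16.1 (Debian 16.1-1.pgdg120+1)",
    "PostgreSQL 10.23 on x86_64-pc-linux-gnu",  # unsupported branch, still affected
]


def parse_version(text):
    """Return (major, minor) from a version() string or a package atom."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no PostgreSQL version found in: {text!r}")
    return int(m.group(1)), int(m.group(2))


def is_vulnerable(major, minor):
    """True if the release predates the fixes for CVE-2023-5868/5869/5870.

    Branches before 11 are out of support and the advisory says the bugs are
    old, so they are treated as affected; branches after 16 were released
    with the fixes already in place.
    """
    if major < 11:
        return True
    if major > 16:
        return False
    return minor < FIXED_MINOR[major]


def audit(version_strings):
    """Map each input string to 'vulnerable', 'fixed' or 'unparsed'."""
    result = {}
    for text in version_strings:
        try:
            major, minor = parse_version(text)
        except ValueError:
            result[text] = "unparsed"
            continue
        result[text] = "vulnerable" if is_vulnerable(major, minor) else "fixed"
    return result


if __name__ == "__main__":
    for text, status in audit(SAMPLES).items():
        print(f"{status:10s}  {text}")
```

In practice the first list would be fed from `psql -tAc "SELECT version()"` on each host, or from `equery list postgresql` on a Gentoo box; the comparison is by major line, so a 14.10 install is not flagged merely because 15.5 exists.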
Comment 1 Larry the Git Cow gentoo-dev 2024-08-07 08:29:11 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=7240eff2e6b5c1e8d1af9a65cfa3c6c31e355595

commit 7240eff2e6b5c1e8d1af9a65cfa3c6c31e355595
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-08-07 08:28:46 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-08-07 08:29:00 +0000

    [ GLSA 202408-06 ] PostgreSQL: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/903193
    Bug: https://bugs.gentoo.org/912251
    Bug: https://bugs.gentoo.org/917153
    Bug: https://bugs.gentoo.org/924110
    Bug: https://bugs.gentoo.org/931849
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202408-06.xml | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 61 insertions(+)