Changelog says:

CVE-2023-5868: Memory disclosure in aggregate function calls
CVSS v3 Base Score: 4.3
Supported, Vulnerable Versions: 11 - 16. The security team typically does not test unsupported versions, but this problem is quite old.

Certain aggregate function calls receiving "unknown"-type arguments could disclose bytes of server memory from the end of the "unknown"-type value to the next zero byte. One typically gets an "unknown"-type value via a string literal having no type designation. We have not confirmed or ruled out viability of attacks that arrange for presence of notable, confidential information in disclosed bytes.

The PostgreSQL project thanks Jingzhou Fu for reporting this problem.

CVE-2023-5869: Buffer overrun from integer overflow in array modification
CVSS v3 Base Score: 8.8
Supported, Vulnerable Versions: 11 - 16. The security team typically does not test unsupported versions, but this problem is quite old.

While modifying certain SQL array values, missing overflow checks let authenticated database users write arbitrary bytes to a memory area that facilitates arbitrary code execution. Missing overflow checks also let authenticated database users read a wide area of server memory. The CVE-2021-32027 fix covered some attacks of this description, but it missed others.

The PostgreSQL project thanks Pedro Gallegos for reporting this problem.

CVE-2023-5870: Role pg_cancel_backend can signal certain superuser processes
CVSS v3 Base Score: 2.2
Supported, Vulnerable Versions: 11 - 16. The security team typically does not test unsupported versions, but this problem is quite old.

Documentation says the pg_cancel_backend role cannot signal "a backend owned by a superuser". On the contrary, it can signal background workers, including the logical replication launcher. It can signal autovacuum workers and the autovacuum launcher. Signaling autovacuum workers and those two launchers provides no meaningful exploit, so exploiting this vulnerability requires a non-core extension with a less-resilient background worker. For example, a non-core background worker that does not auto-restart would experience a denial of service with respect to that particular background worker.

The PostgreSQL project thanks Hemanth Sandrana and Mahendrakar Srinivasarao for reporting this problem.
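For CVE-2023-5870 the exposure depends on who holds the pg_cancel_backend role and which non-client processes are running, so an administrator assessing an unpatched instance will want both inventories. The following queries are an added example written for this page, not part of the PostgreSQL advisory or the Gentoo commit; they use only the standard catalogs pg_auth_members, pg_roles and the pg_stat_activity view (its backend_type column exists from PostgreSQL 10 onward), and assume a connection with enough privilege to read them.

```sql
-- Added audit example (not from the advisory): who is a direct member of pg_cancel_backend?
-- Indirect membership through intermediate roles is covered by the second query.
SELECT m.rolname  AS member,
       r.rolname  AS granted_role,
       g.rolname  AS granted_by,
       am.admin_option
FROM   pg_auth_members am
JOIN   pg_roles r ON r.oid = am.roleid
JOIN   pg_roles m ON m.oid = am.member
JOIN   pg_roles g ON g.oid = am.grantor
WHERE  r.rolname = 'pg_cancel_backend'
ORDER  BY m.rolname;

-- Same check resolving inherited membership: every role that can exercise
-- pg_cancel_backend, whether granted directly or via another role.
SELECT rolname
FROM   pg_roles
WHERE  pg_has_role(oid, 'pg_cancel_backend', 'USAGE')
  AND  rolname <> 'pg_cancel_backend'
  AND  NOT rolsuper
ORDER  BY rolname;

-- Inventory of non-client server processes currently running. Rows with a
-- backend_type of 'background worker' belong to extensions; the advisory notes
-- that these, rather than the core launchers, are where a signal could matter.
SELECT pid,
       backend_type,
       usename,
       application_name,
       backend_start
FROM   pg_stat_activity
WHERE  backend_type <> 'client backend'
ORDER  BY backend_type, backend_start;
```

The first two queries answer "who is in scope"; the third answers "what is in scope". If the second query returns nobody beyond intended operators, and the third shows only core launchers and autovacuum processes, the advisory's own assessment (no meaningful exploit) applies until the patched release is installed.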
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=7240eff2e6b5c1e8d1af9a65cfa3c6c31e355595

commit 7240eff2e6b5c1e8d1af9a65cfa3c6c31e355595
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-08-07 08:28:46 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-08-07 08:29:00 +0000

    [ GLSA 202408-06 ] PostgreSQL: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/903193
    Bug: https://bugs.gentoo.org/912251
    Bug: https://bugs.gentoo.org/917153
    Bug: https://bugs.gentoo.org/924110
    Bug: https://bugs.gentoo.org/931849
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202408-06.xml | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 61 insertions(+)