Bug 917153 (CVE-2023-5868, CVE-2023-5869, CVE-2023-5870) - <dev-db/postgresql-{11.22,12.17,13.13,14.10,15.5}: multiple vulnerabilities
Summary: <dev-db/postgresql-{11.22,12.17,13.13,14.10,15.5}: multiple vulnerabilities
Status: CONFIRMED
Alias: CVE-2023-5868, CVE-2023-5869, CVE-2023-5870
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://www.postgresql.org/about/news...
Whiteboard: B2 [glsa?]
Keywords:
Depends on: 917154
Blocks:
Reported: 2023-11-11 08:21 UTC by Patrick Lauer
Modified: 2024-04-05 10:57 UTC
See Also:
Package list:
Runtime testing required: ---
Description by Patrick Lauer (gentoo-dev), 2023-11-11 08:21:02 UTC
Changelog says:

CVE-2023-5868: Memory disclosure in aggregate function calls

CVSS v3 Base Score: 4.3

Supported, Vulnerable Versions: 11 - 16. The security team typically does not test unsupported versions, but this problem is quite old.

Certain aggregate function calls receiving "unknown"-type arguments could disclose bytes of server memory from the end of the "unknown"-type value to the next zero byte. One typically gets an "unknown"-type value via a string literal having no type designation. We have not confirmed or ruled out viability of attacks that arrange for presence of notable, confidential information in disclosed bytes.

The PostgreSQL project thanks Jingzhou Fu for reporting this problem.

CVE-2023-5869: Buffer overrun from integer overflow in array modification

CVSS v3 Base Score: 8.8

Supported, Vulnerable Versions: 11 - 16. The security team typically does not test unsupported versions, but this problem is quite old.

While modifying certain SQL array values, missing overflow checks let authenticated database users write arbitrary bytes to a memory area that facilitates arbitrary code execution. Missing overflow checks also let authenticated database users read a wide area of server memory. The CVE-2021-32027 fix covered some attacks of this description, but it missed others.

The PostgreSQL project thanks Pedro Gallegos for reporting this problem.

CVE-2023-5870: Role pg_cancel_backend can signal certain superuser processes

CVSS v3 Base Score: 2.2

Supported, Vulnerable Versions: 11 - 16. The security team typically does not test unsupported versions, but this problem is quite old.

Documentation says the pg_cancel_backend role cannot signal "a backend owned by a superuser". On the contrary, it can signal background workers, including the logical replication launcher. It can signal autovacuum workers and the autovacuum launcher. Signaling autovacuum workers and those two launchers provides no meaningful exploit, so exploiting this vulnerability requires a non-core extension with a less-resilient background worker. For example, a non-core background worker that does not auto-restart would experience a denial of service with respect to that particular background worker.

The PostgreSQL project thanks Hemanth Sandrana and Mahendrakar Srinivasarao for reporting this problem.
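Added here as a defender's triage helper, not part of the bug report and not PostgreSQL or Gentoo code: it maps a `SELECT version()` string, a `SHOW server_version` value or a Gentoo package atom onto the fixed releases named in this bug's title. The sample inputs are constructed; PostgreSQL 16, which the advisory lists as vulnerable but for which this page names no fixed release, is reported as undetermined rather than guessed.

```python
import re

# Fixed releases named in this bug's title: <dev-db/postgresql-{11.22,12.17,13.13,14.10,15.5}.
# The advisory lists 11 - 16 as vulnerable, but no fixed 16.x release appears on this page,
# so major 16 is deliberately left out of the table and reported as undetermined.
FIXED_MINOR = {11: 22, 12: 17, 13: 13, 14: 10, 15: 5}
OLDEST_SUPPORTED_MAJOR = 11  # advisory: "Supported, Vulnerable Versions: 11 - 16"

# First "X.Y" in the input: works for SELECT version() output ("PostgreSQL 14.9 (...) on x86_64..."),
# SHOW server_version ("14.9") and a Gentoo atom ("dev-db/postgresql-15.4").
_VERSION_RE = re.compile(r"(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor) for the first X.Y version in text; ValueError if none."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no X.Y version found in {text!r}")
    return int(m.group(1)), int(m.group(2))


def assess(text):
    """Classify a version string against the fixed releases listed in bug 917153.

    Returns one of:
      "fixed"        - minor release is at or above the fixed one for its major
      "vulnerable"   - major is listed and minor release is below the fix
      "undetermined" - major 16 is listed as vulnerable but no fixed release is on this page
      "unsupported"  - major predates 11; the advisory does not test these, so treat as at risk
      "unlisted"     - major newer than anything the advisory mentions
    """
    major, minor = parse_version(text)
    if major in FIXED_MINOR:
        return "fixed" if minor >= FIXED_MINOR[major] else "vulnerable"
    if major == 16:
        return "undetermined"
    if major < OLDEST_SUPPORTED_MAJOR:
        return "unsupported"
    return "unlisted"


if __name__ == "__main__":
    # Constructed sample inputs, not real server output.
    for sample in ("PostgreSQL 14.9 (Debian 14.9-1.pgdg120+1) on x86_64-pc-linux-gnu",
                   "dev-db/postgresql-15.5", "11.22", "PostgreSQL 16.0", "PostgreSQL 10.23"):
        print(f"{sample!r}: {assess(sample)}")
```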