FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

postgresql-server -- Memory disclosure in aggregate function calls

Affected packages
postgresql-server < 16.1
postgresql-server < 15.5
postgresql-server < 14.10
postgresql-server < 13.13
postgresql-server < 12.17
postgresql-server < 11.22

Details

VuXML ID: 31f45d06-7f0e-11ee-94b4-6cc21735f730
Discovery: 2023-11-09
Entry: 2023-11-09

PostgreSQL Project reports:

Certain aggregate function calls receiving "unknown"-type arguments could disclose bytes of server memory from the end of the "unknown"-type value to the next zero byte. One typically gets an "unknown"-type value via a string literal having no type designation. We have not confirmed or ruled out viability of attacks that arrange for presence of notable, confidential information in disclosed bytes.

References

CVE Name: CVE-2023-5868
URL: https://www.postgresql.org/support/security/CVE-2023-5868/