FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

postgresql-server -- Memory disclosure in aggregate function calls

Affected packages
postgresql-server < 16.1
postgresql-server < 15.5
postgresql-server < 14.10
postgresql-server < 13.13
postgresql-server < 12.17
postgresql-server < 11.22


VuXML ID 31f45d06-7f0e-11ee-94b4-6cc21735f730
Discovery 2023-11-09
Entry 2023-11-09

PostgreSQL Project reports:

Certain aggregate function calls receiving "unknown"-type arguments could disclose bytes of server memory from the end of the "unknown"-type value to the next zero byte. One typically gets an "unknown"-type value via a string literal having no type designation. We have not confirmed or ruled out viability of attacks that arrange for presence of notable, confidential information in disclosed bytes.


CVE Name CVE-2023-5868