1216962 – (CVE-2023-5868) VUL-0: CVE-2023-5868: postgresql12,postgresql13,postgresql14,postgresql15,postgresql16: incorrect handling of unknown-type arguments in DISTINCT

Bug 1216962 (CVE-2023-5868) - VUL-0: CVE-2023-5868: postgresql12,postgresql13,postgresql14,postgresql15,postgresql16: incorrect handling of unknown-type arguments in DISTINCT

Summary: VUL-0: CVE-2023-5868: postgresql12,postgresql13,postgresql14,postgresql15,pos...

Status:	RESOLVED FIXED

Alias:	CVE-2023-5868

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Major
Target Milestone:	---
Assignee:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/384364/
Whiteboard:	CVSSv3.1:SUSE:CVE-2023-5868:7.5:(AV:N...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2023-11-08 13:36 UTC by SMASH SMASH
Modified:	2024-07-08 12:57 UTC (History)
CC List:	3 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description SMASH SMASH 2023-11-08 13:36:14 UTC

Fix handling of unknown-type arguments in DISTINCT "any" aggregate  functions (Tom Lane)

This error led to a text-type value being interpreted as an unknown-type  value (that is, a zero-terminated string) at runtime. This could result in
disclosure of server memory following the text value.

The PostgreSQL Project thanks Jingzhou Fu for reporting this problem. (CVE-2023-5868)

Comment 2 Maintenance Automation 2023-11-13 12:45:54 UTC

SUSE-SU-2023:4418-1: An update that solves three vulnerabilities and has two security fixes can now be installed.

Category: security (important)
Bug References: 1216022, 1216734, 1216960, 1216961, 1216962
CVE References: CVE-2023-5868, CVE-2023-5869, CVE-2023-5870
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): postgresql14-14.10-3.33.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): postgresql14-14.10-3.33.1
SUSE Linux Enterprise Server 12 SP5 (src): postgresql14-14.10-3.33.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): postgresql14-14.10-3.33.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 3 Maintenance Automation 2023-11-13 16:30:11 UTC

SUSE-SU-2023:4425-1: An update that solves three vulnerabilities, contains one feature and has six security fixes can now be installed.

Category: security (important)
Bug References: 1122892, 1179231, 1206796, 1209208, 1216022, 1216734, 1216960, 1216961, 1216962
CVE References: CVE-2023-5868, CVE-2023-5869, CVE-2023-5870
Jira References: PED-5586
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): postgresql16-16.1-3.7.1, postgresql-16-4.23.3, postgresql15-15.5-3.19.2
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): postgresql16-16.1-3.7.1, postgresql-16-4.23.3, postgresql15-15.5-3.19.2
SUSE Linux Enterprise Server 12 SP5 (src): postgresql16-16.1-3.7.1, postgresql-16-4.23.3, postgresql15-15.5-3.19.2
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): postgresql16-16.1-3.7.1, postgresql-16-4.23.3, postgresql15-15.5-3.19.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 4 Maintenance Automation 2023-11-14 12:30:06 UTC

SUSE-SU-2023:4434-1: An update that solves three vulnerabilities and has two security fixes can now be installed.

Category: security (important)
Bug References: 1216022, 1216734, 1216960, 1216961, 1216962
CVE References: CVE-2023-5868, CVE-2023-5869, CVE-2023-5870
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): postgresql13-13.13-3.43.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): postgresql13-13.13-3.43.1
SUSE Linux Enterprise Server 12 SP5 (src): postgresql13-13.13-3.43.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): postgresql13-13.13-3.43.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 5 Maintenance Automation 2023-11-14 12:30:09 UTC

SUSE-SU-2023:4433-1: An update that solves three vulnerabilities and has two security fixes can now be installed.

Category: security (important)
Bug References: 1216022, 1216734, 1216960, 1216961, 1216962
CVE References: CVE-2023-5868, CVE-2023-5869, CVE-2023-5870
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): postgresql12-12.17-3.49.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): postgresql12-12.17-3.49.1
SUSE Linux Enterprise Server 12 SP5 (src): postgresql12-12.17-3.49.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): postgresql12-12.17-3.49.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 6 Maintenance Automation 2023-11-16 08:30:03 UTC

SUSE-SU-2023:4455-1: An update that solves three vulnerabilities and has two security fixes can now be installed.

Category: security (important)
Bug References: 1216022, 1216734, 1216960, 1216961, 1216962
CVE References: CVE-2023-5868, CVE-2023-5869, CVE-2023-5870
Sources used:
openSUSE Leap 15.4 (src): postgresql13-13.13-150200.5.50.1
openSUSE Leap 15.5 (src): postgresql13-13.13-150200.5.50.1
Legacy Module 15-SP4 (src): postgresql13-13.13-150200.5.50.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): postgresql13-13.13-150200.5.50.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): postgresql13-13.13-150200.5.50.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): postgresql13-13.13-150200.5.50.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): postgresql13-13.13-150200.5.50.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): postgresql13-13.13-150200.5.50.1
Galera for Ericsson 15 SP5 (src): postgresql13-13.13-150200.5.50.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): postgresql13-13.13-150200.5.50.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): postgresql13-13.13-150200.5.50.1
SUSE Enterprise Storage 7.1 (src): postgresql13-13.13-150200.5.50.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 7 Maintenance Automation 2023-11-16 08:30:06 UTC

SUSE-SU-2023:4454-1: An update that solves three vulnerabilities and has two security fixes can now be installed.

Category: security (important)
Bug References: 1216022, 1216734, 1216960, 1216961, 1216962
CVE References: CVE-2023-5868, CVE-2023-5869, CVE-2023-5870
Sources used:
openSUSE Leap 15.4 (src): postgresql12-12.17-150200.8.54.1
openSUSE Leap 15.5 (src): postgresql12-12.17-150200.8.54.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): postgresql12-12.17-150200.8.54.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): postgresql12-12.17-150200.8.54.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): postgresql12-12.17-150200.8.54.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): postgresql12-12.17-150200.8.54.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): postgresql12-12.17-150200.8.54.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): postgresql12-12.17-150200.8.54.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): postgresql12-12.17-150200.8.54.1
SUSE Enterprise Storage 7.1 (src): postgresql12-12.17-150200.8.54.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 8 Maintenance Automation 2023-11-20 12:30:07 UTC

SUSE-SU-2023:4479-1: An update that solves three vulnerabilities and has two security fixes can now be installed.

Category: security (important)
Bug References: 1216022, 1216734, 1216960, 1216961, 1216962
CVE References: CVE-2023-5868, CVE-2023-5869, CVE-2023-5870
Sources used:
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): postgresql14-14.10-150200.5.36.1
SUSE Enterprise Storage 7.1 (src): postgresql14-14.10-150200.5.36.1
openSUSE Leap 15.4 (src): postgresql14-14.10-150200.5.36.1
openSUSE Leap 15.5 (src): postgresql14-14.10-150200.5.36.1
Basesystem Module 15-SP4 (src): postgresql14-14.10-150200.5.36.1
Legacy Module 15-SP5 (src): postgresql14-14.10-150200.5.36.1
SUSE Package Hub 15 15-SP4 (src): postgresql14-14.10-150200.5.36.1
SUSE Package Hub 15 15-SP5 (src): postgresql14-14.10-150200.5.36.1
Server Applications Module 15-SP4 (src): postgresql14-14.10-150200.5.36.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): postgresql14-14.10-150200.5.36.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): postgresql14-14.10-150200.5.36.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): postgresql14-14.10-150200.5.36.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): postgresql14-14.10-150200.5.36.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): postgresql14-14.10-150200.5.36.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): postgresql14-14.10-150200.5.36.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 9 Maintenance Automation 2023-11-21 08:30:03 UTC

SUSE-SU-2023:4495-1: An update that solves three vulnerabilities, contains one feature and has six security fixes can now be installed.

Category: security (important)
Bug References: 1122892, 1179231, 1206796, 1209208, 1216022, 1216734, 1216960, 1216961, 1216962
CVE References: CVE-2023-5868, CVE-2023-5869, CVE-2023-5870
Jira References: PED-5586
Sources used:
openSUSE Leap 15.3 (src): postgresql-16-150300.10.18.3
openSUSE Leap 15.4 (src): postgresql-16-150400.4.9.2, postgresql16-mini-16.1-150200.5.7.1, postgresql15-15.5-150200.5.19.1, postgresql16-16.1-150200.5.7.1
openSUSE Leap 15.5 (src): postgresql-16-150500.10.3.2, postgresql16-mini-16.1-150200.5.7.1, postgresql15-15.5-150200.5.19.1, postgresql16-16.1-150200.5.7.1
Basesystem Module 15-SP4 (src): postgresql-16-150400.4.9.2, postgresql15-15.5-150200.5.19.1, postgresql16-16.1-150200.5.7.1
Basesystem Module 15-SP5 (src): postgresql-16-150500.10.3.2, postgresql15-15.5-150200.5.19.1, postgresql16-16.1-150200.5.7.1
Legacy Module 15-SP4 (src): postgresql-16-150400.4.9.2
Legacy Module 15-SP5 (src): postgresql-16-150500.10.3.2
SUSE Package Hub 15 15-SP4 (src): postgresql-16-150400.4.9.2, postgresql15-15.5-150200.5.19.1, postgresql16-16.1-150200.5.7.1
SUSE Package Hub 15 15-SP5 (src): postgresql-16-150500.10.3.2, postgresql16-16.1-150200.5.7.1
Server Applications Module 15-SP4 (src): postgresql-16-150400.4.9.2, postgresql15-15.5-150200.5.19.1, postgresql16-16.1-150200.5.7.1
Server Applications Module 15-SP5 (src): postgresql-16-150500.10.3.2, postgresql15-15.5-150200.5.19.1, postgresql16-16.1-150200.5.7.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): postgresql16-16.1-150200.5.7.1, postgresql-16-150200.4.24.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): postgresql15-15.5-150200.5.19.1, postgresql16-16.1-150200.5.7.1, postgresql-16-150300.10.18.3
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): postgresql15-15.5-150200.5.19.1, postgresql16-16.1-150200.5.7.1, postgresql-16-150300.10.18.3
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): postgresql16-16.1-150200.5.7.1, postgresql-16-150200.4.24.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): postgresql15-15.5-150200.5.19.1, postgresql16-16.1-150200.5.7.1, postgresql-16-150300.10.18.3
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): postgresql16-16.1-150200.5.7.1, postgresql-16-150200.4.24.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): postgresql15-15.5-150200.5.19.1, postgresql16-16.1-150200.5.7.1, postgresql-16-150300.10.18.3
SUSE Enterprise Storage 7.1 (src): postgresql15-15.5-150200.5.19.1, postgresql16-16.1-150200.5.7.1, postgresql-16-150300.10.18.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 10 Maintenance Automation 2024-01-15 20:30:01 UTC

SUSE-SU-2024:0106-1: An update that solves three vulnerabilities, contains one feature and has six security fixes can now be installed.

Category: security (important)
Bug References: 1122892, 1179231, 1206796, 1209208, 1216022, 1216734, 1216960, 1216961, 1216962
CVE References: CVE-2023-5868, CVE-2023-5869, CVE-2023-5870
Jira References: PED-5586
Sources used:
Basesystem Module 15-SP4 (src): postgresql-16-150400.4.9.2, postgresql15-15.5-150200.5.19.1, postgresql16-16.1-150200.5.7.1
Basesystem Module 15-SP5 (src): postgresql16-16.1-150200.5.7.1, postgresql15-15.5-150200.5.19.1, postgresql-16-150500.10.3.2
Legacy Module 15-SP4 (src): postgresql-16-150400.4.9.2
Legacy Module 15-SP5 (src): postgresql-16-150500.10.3.2
SUSE Package Hub 15 15-SP4 (src): postgresql-16-150400.4.9.2, postgresql15-15.5-150200.5.19.1, postgresql16-16.1-150200.5.7.1
Server Applications Module 15-SP4 (src): postgresql-16-150400.4.9.2, postgresql15-15.5-150200.5.19.1, postgresql16-16.1-150200.5.7.1
Server Applications Module 15-SP5 (src): postgresql16-16.1-150200.5.7.1, postgresql15-15.5-150200.5.19.1, postgresql-16-150500.10.3.2
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): postgresql-16-150300.10.18.3, postgresql15-15.5-150200.5.19.1, postgresql16-16.1-150200.5.7.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 11 OBSbugzilla Bot 2024-02-08 17:55:04 UTC

This is an autogenerated message for OBS integration:
This bug (1216962) was mentioned in
https://build.opensuse.org/request/show/1145273 Factory / postgresql12

Comment 12 Andrea Mattiazzo 2024-07-08 12:57:37 UTC

All done, closing.