Opened 6 months ago

Closed 6 months ago

#18841 closed enhancement (fixed)

postgresql-16.1

Reported by: Bruce Dubbs
Owned by: Douglas R. Reno
Priority: high
Milestone: 12.1
Component: BOOK
Version: git
Severity: normal
Keywords:
Cc:

Description

New minor version.

Change History (3)

comment:1 by Douglas R. Reno, 6 months ago

Owner: changed from blfs-book to Douglas R. Reno
Status: new → assigned

comment:2 by Douglas R. Reno, 6 months ago

Priority: normal → high

Bug Fixes and Improvements

This update fixes over 55 bugs that were reported in the last several months. The issues listed below affect PostgreSQL 16. Some of these issues may also affect other supported versions of PostgreSQL.

  • Fix issue where GiST indexes had an incorrect behavior during a "page split" operation that could lead to incorrect results in subsequent index searches. Please reindex GiST indexes after installing this update.
  • Fix issue where B-tree indexes would incorrectly de-duplicate interval columns. Please reindex any B-tree index that includes an interval column after installing this update.
  • Provide more efficient indexing of date, timestamptz, and timestamp values in BRIN indexes when using a minmax_multi opclass. While not required, we recommend reindexing BRIN indexes that include these data types after installing this update.
  • Fix for bulk table insertion into partitioned tables.
  • Fix for hash-partitioned tables with multiple partition keys during step generation and runtime pruning that could lead to crashes in some cases.
  • Throw the correct error if pgrowlocks() is applied to a partitioned table.
  • Fix inconsistent rechecking of concurrently-updated rows during MERGE when using READ COMMITTED mode.
  • Correctly identify the target table in an inherited UPDATE/DELETE/MERGE even when the parent table is excluded by constraints.
  • Fix over-allocation of a constructed tsvector.
  • Fix ALTER SUBSCRIPTION to apply changes in the run_as_owner option.
  • Several fixes for COPY FROM.
  • Several fixes for handling torn reads with pg_control.
  • Fix "could not find pathkey item to sort" errors occurring while planning aggregate functions with ORDER BY or DISTINCT options.
  • When track_io_timing is enabled, include the time taken by relation extension operations as write time.
  • Track the dependencies of cached CALL statements, and re-plan them when needed.
  • Treat out-of-memory failures as FATAL while reading WAL.
  • Fix pg_dump to dump the new run_as_owner option of subscriptions.
  • Fix pg_restore so that selective restores will include both table-level and column-level ACLs for selected tables.
  • Add logic to pg_upgrade to check for use of obsolete data types abstime, reltime, and tinterval.
  • Fix vacuumdb to have multiple -N switches actually exclude tables in multiple schemas.
  • amcheck will no longer report interrupted page deletion as corruption.
  • Fix btree_gin indexes on interval columns to properly return data when using the < and <= operators.

Security Fixes

CVE-2023-5868: Memory disclosure in aggregate function calls

CVSS v3 Base Score: 4.3

Supported, Vulnerable Versions: 11 - 16. The security team typically does not test unsupported versions, but this problem is quite old.

Certain aggregate function calls receiving "unknown"-type arguments could disclose bytes of server memory from the end of the "unknown"-type value to the next zero byte. One typically gets an "unknown"-type value via a string literal having no type designation. We have not confirmed or ruled out viability of attacks that arrange for presence of notable, confidential information in disclosed bytes.

CVE-2023-5869: Buffer overrun from integer overflow in array modification

CVSS v3 Base Score: 8.8

Supported, Vulnerable Versions: 11 - 16. The security team typically does not test unsupported versions, but this problem is quite old.

While modifying certain SQL array values, missing overflow checks let authenticated database users write arbitrary bytes to a memory area that facilitates arbitrary code execution. Missing overflow checks also let authenticated database users read a wide area of server memory. The CVE-2021-32027 fix covered some attacks of this description, but it missed others.

CVE-2023-5870: Role pg_cancel_backend can signal certain superuser processes

CVSS v3 Base Score: 2.2

Supported, Vulnerable Versions: 11 - 16. The security team typically does not test unsupported versions, but this problem is quite old.

Documentation says the pg_cancel_backend role cannot signal "a backend owned by a superuser". On the contrary, it can signal background workers, including the logical replication launcher. It can signal autovacuum workers and the autovacuum launcher. Signaling autovacuum workers and those two launchers provides no meaningful exploit, so exploiting this vulnerability requires a non-core extension with a less-resilient background worker. For example, a non-core background worker that does not auto-restart would experience a denial of service with respect to that particular background worker.
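The release notes quoted above ask administrators to reindex three classes of indexes after upgrading (all GiST indexes, B-tree indexes containing an interval column, and BRIN minmax_multi indexes on date/timestamp/timestamptz). The following catalog query, an added example that is not part of the ticket or of PostgreSQL's own release notes, lists the affected indexes in the current database and generates a REINDEX statement for each; it assumes you run it once per database as a superuser or the index owner, and the `idx` CTE and column aliases are the author's own.

```sql
-- Added example (not from the ticket): find indexes the 16.1 notes ask to rebuild
-- and emit one REINDEX statement per index. Review the output before running it.
WITH idx AS (
    SELECT c.oid, n.nspname, c.relname, am.amname, i.indclass
    FROM pg_index i
    JOIN pg_class c     ON c.oid = i.indexrelid
    JOIN pg_am am       ON am.oid = c.relam
    JOIN pg_namespace n ON n.oid = c.relnamespace
    -- system schemas cannot be reindexed concurrently and are not affected here
    WHERE n.nspname NOT IN ('pg_catalog', 'information_schema', 'pg_toast')
)
SELECT format('REINDEX INDEX CONCURRENTLY %I.%I;  -- %s',
              nspname, relname, reason) AS reindex_sql
FROM (
    -- 1. GiST page-split fix: every GiST index must be rebuilt
    SELECT nspname, relname, 'gist page split' AS reason
    FROM idx
    WHERE amname = 'gist'
  UNION
    -- 2. B-tree deduplication fix: any B-tree index with an interval column
    --    (pg_attribute rows of an index describe its key columns/expressions)
    SELECT DISTINCT idx.nspname, idx.relname, 'btree interval dedup'
    FROM idx
    JOIN pg_attribute a ON a.attrelid = idx.oid
    WHERE idx.amname = 'btree'
      AND a.atttypid = 'interval'::regtype
  UNION
    -- 3. BRIN minmax_multi opclass on date/timestamp/timestamptz (recommended)
    --    indclass holds one operator-class OID per index column
    SELECT DISTINCT idx.nspname, idx.relname, 'brin minmax_multi'
    FROM idx
    JOIN LATERAL unnest(idx.indclass::oid[]) AS u(opcoid) ON true
    JOIN pg_opclass opc ON opc.oid = u.opcoid
    WHERE idx.amname = 'brin'
      AND opc.opcname LIKE '%minmax_multi_ops'
      AND opc.opcintype IN ('date'::regtype, 'timestamp'::regtype,
                            'timestamptz'::regtype)
) t
ORDER BY 1;
```

REINDEX CONCURRENTLY does not support indexes that back an exclusion constraint (common with GiST), so run those without CONCURRENTLY in a maintenance window.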

comment:3 by Douglas R. Reno, 6 months ago

Resolution: fixed
Status: assigned → closed

Fixed at 1eb083a4bacf53b10c164263132463eb4f56051f

SA-12.0-041 issued
