CVE-2023-47118

Name	CVE-2023-47118
Description	ClickHouse® is an open-source column-oriented database management system that allows generating analytical data reports in real-time. A heap buffer overflow issue was discovered in ClickHouse server. An attacker could send a specially crafted payload to the native interface exposed by default on port 9000/tcp, triggering a bug in the decompression logic of T64 codec that crashes the ClickHouse server process. This attack does not require authentication. Note that this exploit can also be triggered via HTTP protocol, however, the attacker will need a valid credential as the HTTP authentication take places first. This issue has been fixed in version 23.10.2.13-stable, 23.9.4.11-stable, 23.8.6.16-lts and 23.3.16.7-lts.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs	1059261

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
clickhouse (PTS)	buster	18.16.1+ds-4	vulnerable
	buster (security)	18.16.1+ds-4+deb10u1	vulnerable
	bullseye	18.16.1+ds-7.2+deb11u1	vulnerable
	bookworm	18.16.1+ds-7.3	vulnerable
	sid	18.16.1+ds-7.4	vulnerable

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
clickhouse	source	(unstable)	(unfixed)			1059261

Notes

[bookworm] - clickhouse <no-dsa> (Minor issue)
[bullseye] - clickhouse <no-dsa> (Minor issue)
[buster] - clickhouse <no-dsa> (Minor issue)
https://github.com/ClickHouse/ClickHouse/security/advisories/GHSA-g22g-p6q2-x39v