import OL postgresql-10.23-3.0.1.module+el8.9.0+90108+1bfb5b17

2023-12-21 12:14:22 +03:00 · 2023-12-21 12:14:22 +03:00 · f9279fcfb3
commit f9279fcfb3
parent 52521430de
3 changed files with 628 additions and 1 deletions
--- a/SOURCES/1001-Fixed-postgresql-service-network-binding-issue.patch
+++ b/SOURCES/1001-Fixed-postgresql-service-network-binding-issue.patch
@ -0,0 +1,38 @@
 From df5ba865eb8a42147d23100b37322921ad98248a Mon Sep 17 00:00:00 2001
 From: sagar sagar <sagar.sagar@oracle.com>
 Date: Thu, 11 May 2023 15:49:37 +0530
 Subject: [PATCH] Fixed postgresql service network binding issue during bootup
 During the bootup, the postgresql service requires port bind to network
 address to assign configured in /var/lib/pgsql/data/postgresql.conf but the
 service is not able to do if the network service has not yet assigned an IP
 address to the network interface.
 By using "network-online.target" parameter in
 /usr/lib/systemd/system/postgresql.service we are postponing the postgresql
 service to run until we have not got the IP address assinged.
 For more info :-
 https://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/
 Orabug: 35103668
 Signed-off-by: sagar sagar <sagar.sagar@oracle.com>
 ---
 postgresql-setup-8.7/postgresql.service.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/postgresql-setup-8.7/postgresql.service.in b/postgresql-setup-8.7/postgresql.service.in
 index c73c42a..893e6fa 100644
 --- a/postgresql-setup-8.7/postgresql.service.in
 +++ b/postgresql-setup-8.7/postgresql.service.in
@@ -6,7 +6,7 @@
 [Unit]
 Description=PostgreSQL database server
 -After=network.target
 +After=network-online.target
 [Service]
 Type=notify
 -- 
 2.31.1
--- a/SOURCES/postgresql-10.23-CVE-2023-5869.patch
+++ b/SOURCES/postgresql-10.23-CVE-2023-5869.patch
@ -0,0 +1,576 @@
 From d267cea24ea346c739c85bf7bccbd8e8f59da6b3 Mon Sep 17 00:00:00 2001
 From: Tom Lane <tgl@sss.pgh.pa.us>
 Date: Mon, 6 Nov 2023 10:56:43 -0500
 Subject: [PATCH 1/1] Detect integer overflow while computing new array
 dimensions.
 array_set_element() and related functions allow an array to be
 enlarged by assigning to subscripts outside the current array bounds.
 While these places were careful to check that the new bounds are
 allowable, they neglected to consider the risk of integer overflow
 in computing the new bounds.  In edge cases, we could compute new
 bounds that are invalid but get past the subsequent checks,
 allowing bad things to happen.  Memory stomps that are potentially
 exploitable for arbitrary code execution are possible, and so is
 disclosure of server memory.
 To fix, perform the hazardous computations using overflow-detecting
 arithmetic routines, which fortunately exist in all still-supported
 branches.
 The test cases added for this generate (after patching) errors that
 mention the value of MaxArraySize, which is platform-dependent.
 Rather than introduce multiple expected-files, use psql's VERBOSITY
 parameter to suppress the printing of the message text.  v11 psql
 lacks that parameter, so omit the tests in that branch.
 Our thanks to Pedro Gallegos for reporting this problem.
 Security: CVE-2023-5869
 Sign-Off-By: Tianyue Lan <tianyue.lan@oracle.com>
 ---
 src/backend/utils/adt/arrayfuncs.c   | 85 ++++++++++++++++++++++------
 src/backend/utils/adt/arrayutils.c   |  6 --
 src/include/utils/array.h            |  7 +++
 src/test/regress/expected/arrays.out | 17 ++++++
 src/test/regress/sql/arrays.sql      | 19 +++++++
 src/include/common/int.h | 273 +++++++++++++++++++++++++++++++++++++++
 create mode 100644 src/include/common/int.h
 6 files changed, 383 insertions(+), 24 deletions(-)
 diff --git a/src/backend/utils/adt/arrayfuncs.c b/src/backend/utils/adt/arrayfuncs.c
 index 553c517..7363893 100644
 --- a/src/backend/utils/adt/arrayfuncs.c
 +++ b/src/backend/utils/adt/arrayfuncs.c
@@ -22,6 +22,7 @@
 #include "access/htup_details.h"
 #include "catalog/pg_type.h"
 +#include "common/int.h"
 #include "funcapi.h"
 #include "libpq/pqformat.h"
 #include "utils/array.h"
@@ -2309,22 +2310,38 @@ array_set_element(Datum arraydatum,
 	addedbefore = addedafter = 0;
 	/*
 -	 * Check subscripts
 +	 * Check subscripts.  We assume the existing subscripts passed
 +	 * ArrayCheckBounds, so that dim[i] + lb[i] can be computed without
 +	 * overflow.  But we must beware of other overflows in our calculations of
 +	 * new dim[] values.
 	 */
 	if (ndim == 1)
 	{
 		if (indx[0] < lb[0])
 		{
 -			addedbefore = lb[0] - indx[0];
 -			dim[0] += addedbefore;
 +			/* addedbefore = lb[0] - indx[0]; */
 +			/* dim[0] += addedbefore; */
 +			if (pg_sub_s32_overflow(lb[0], indx[0], &addedbefore) ||
 +				pg_add_s32_overflow(dim[0], addedbefore, &dim[0]))
 +				ereport(ERROR,
 +						(errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
 +						 errmsg("array size exceeds the maximum allowed (%d)",
 +								(int) MaxArraySize)));
 			lb[0] = indx[0];
 			if (addedbefore > 1)
 				newhasnulls = true; /* will insert nulls */
 		}
 		if (indx[0] >= (dim[0] + lb[0]))
 		{
 -			addedafter = indx[0] - (dim[0] + lb[0]) + 1;
 -			dim[0] += addedafter;
 +			/* addedafter = indx[0] - (dim[0] + lb[0]) + 1; */
 +			/* dim[0] += addedafter; */
 +			if (pg_sub_s32_overflow(indx[0], dim[0] + lb[0], &addedafter) ||
 +				pg_add_s32_overflow(addedafter, 1, &addedafter) ||
 +				pg_add_s32_overflow(dim[0], addedafter, &dim[0]))
 +				ereport(ERROR,
 +						(errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
 +						 errmsg("array size exceeds the maximum allowed (%d)",
 +								(int) MaxArraySize)));
 			if (addedafter > 1)
 				newhasnulls = true; /* will insert nulls */
 		}
@@ -2568,14 +2585,23 @@ array_set_element_expanded(Datum arraydatum,
 	addedbefore = addedafter = 0;
 	/*
 -	 * Check subscripts (this logic matches original array_set_element)
 +	 * Check subscripts (this logic must match array_set_element).  We assume
 +	 * the existing subscripts passed ArrayCheckBounds, so that dim[i] + lb[i]
 +	 * can be computed without overflow.  But we must beware of other
 +	 * overflows in our calculations of new dim[] values.
 	 */
 	if (ndim == 1)
 	{
 		if (indx[0] < lb[0])
 		{
 -			addedbefore = lb[0] - indx[0];
 -			dim[0] += addedbefore;
 +			/* addedbefore = lb[0] - indx[0]; */
 +			/* dim[0] += addedbefore; */
 +			if (pg_sub_s32_overflow(lb[0], indx[0], &addedbefore) ||
 +				pg_add_s32_overflow(dim[0], addedbefore, &dim[0]))
 +				ereport(ERROR,
 +						(errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
 +						 errmsg("array size exceeds the maximum allowed (%d)",
 +								(int) MaxArraySize)));
 			lb[0] = indx[0];
 			dimschanged = true;
 			if (addedbefore > 1)
@@ -2583,8 +2609,15 @@ array_set_element_expanded(Datum arraydatum,
 		}
 		if (indx[0] >= (dim[0] + lb[0]))
 		{
 -			addedafter = indx[0] - (dim[0] + lb[0]) + 1;
 -			dim[0] += addedafter;
 +			/* addedafter = indx[0] - (dim[0] + lb[0]) + 1; */
 +			/* dim[0] += addedafter; */
 +			if (pg_sub_s32_overflow(indx[0], dim[0] + lb[0], &addedafter) ||
 +				pg_add_s32_overflow(addedafter, 1, &addedafter) ||
 +				pg_add_s32_overflow(dim[0], addedafter, &dim[0]))
 +				ereport(ERROR,
 +						(errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
 +						 errmsg("array size exceeds the maximum allowed (%d)",
 +								(int) MaxArraySize)));
 			dimschanged = true;
 			if (addedafter > 1)
 				newhasnulls = true; /* will insert nulls */
@@ -2866,7 +2899,10 @@ array_set_slice(Datum arraydatum,
 	addedbefore = addedafter = 0;
 	/*
 -	 * Check subscripts
 +	 * Check subscripts.  We assume the existing subscripts passed
 +	 * ArrayCheckBounds, so that dim[i] + lb[i] can be computed without
 +	 * overflow.  But we must beware of other overflows in our calculations of
 +	 * new dim[] values.
 	 */
 	if (ndim == 1)
 	{
@@ -2881,18 +2917,31 @@ array_set_slice(Datum arraydatum,
 					 errmsg("upper bound cannot be less than lower bound")));
 		if (lowerIndx[0] < lb[0])
 		{
 -			if (upperIndx[0] < lb[0] - 1)
 -				newhasnulls = true; /* will insert nulls */
 -			addedbefore = lb[0] - lowerIndx[0];
 -			dim[0] += addedbefore;
 +			/* addedbefore = lb[0] - lowerIndx[0]; */
 +			/* dim[0] += addedbefore; */
 +			if (pg_sub_s32_overflow(lb[0], lowerIndx[0], &addedbefore) ||
 +				pg_add_s32_overflow(dim[0], addedbefore, &dim[0]))
 +				ereport(ERROR,
 +						(errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
 +						 errmsg("array size exceeds the maximum allowed (%d)",
 +								(int) MaxArraySize)));
 			lb[0] = lowerIndx[0];
 +			if (addedbefore > 1)
 +				newhasnulls = true; /* will insert nulls */
 		}
 		if (upperIndx[0] >= (dim[0] + lb[0]))
 		{
 -			if (lowerIndx[0] > (dim[0] + lb[0]))
 +			/* addedafter = upperIndx[0] - (dim[0] + lb[0]) + 1; */
 +			/* dim[0] += addedafter; */
 +			if (pg_sub_s32_overflow(upperIndx[0], dim[0] + lb[0], &addedafter) ||
 +				pg_add_s32_overflow(addedafter, 1, &addedafter) ||
 +				pg_add_s32_overflow(dim[0], addedafter, &dim[0]))
 +				ereport(ERROR,
 +						(errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
 +						 errmsg("array size exceeds the maximum allowed (%d)",
 +								(int) MaxArraySize)));
 +			if (addedafter > 1)
 				newhasnulls = true; /* will insert nulls */
 -			addedafter = upperIndx[0] - (dim[0] + lb[0]) + 1;
 -			dim[0] += addedafter;
 		}
 	}
 	else
 diff --git a/src/backend/utils/adt/arrayutils.c b/src/backend/utils/adt/arrayutils.c
 index f7c6a51..eb5f2a0 100644
 --- a/src/backend/utils/adt/arrayutils.c
 +++ b/src/backend/utils/adt/arrayutils.c
@@ -63,10 +63,6 @@ ArrayGetOffset0(int n, const int *tup, const int *scale)
  * This must do overflow checking, since it is used to validate that a user
  * dimensionality request doesn't overflow what we can handle.
  *
 - * We limit array sizes to at most about a quarter billion elements,
 - * so that it's not necessary to check for overflow in quite so many
 - * places --- for instance when palloc'ing Datum arrays.
 - *
  * The multiplication overflow check only works on machines that have int64
  * arithmetic, but that is nearly all platforms these days, and doing check
  * divides for those that don't seems way too expensive.
@@ -77,8 +73,6 @@ ArrayGetNItems(int ndim, const int *dims)
 	int32		ret;
 	int			i;
 -#define MaxArraySize ((Size) (MaxAllocSize / sizeof(Datum)))
 -
 	if (ndim <= 0)
 		return 0;
 	ret = 1;
 diff --git a/src/include/utils/array.h b/src/include/utils/array.h
 index 905f6b0..3e4c09d 100644
 --- a/src/include/utils/array.h
 +++ b/src/include/utils/array.h
@@ -65,6 +65,13 @@
 #include "utils/expandeddatum.h"
 +/*
 + * Maximum number of elements in an array.  We limit this to at most about a
 + * quarter billion elements, so that it's not necessary to check for overflow
 + * in quite so many places --- for instance when palloc'ing Datum arrays.
 + */
 +#define MaxArraySize ((Size) (MaxAllocSize / sizeof(Datum)))
 +
 /*
  * Arrays are varlena objects, so must meet the varlena convention that
  * the first int32 of the object contains the total object size in bytes.
 diff --git a/src/test/regress/expected/arrays.out b/src/test/regress/expected/arrays.out
 index c730563..e4ec394 100644
 --- a/src/test/regress/expected/arrays.out
 +++ b/src/test/regress/expected/arrays.out
@@ -1347,6 +1347,23 @@ insert into arr_pk_tbl(pk, f1[1:2]) values (1, '{6,7,8}') on conflict (pk)
 -- then you didn't get an indexscan plan, and something is busted.
 reset enable_seqscan;
 reset enable_bitmapscan;
 +-- test subscript overflow detection
 +-- The normal error message includes a platform-dependent limit,
 +-- so suppress it to avoid needing multiple expected-files.
 +\set VERBOSITY terse
 +insert into arr_pk_tbl values(10, '[-2147483648:-2147483647]={1,2}');
 +update arr_pk_tbl set f1[2147483647] = 42 where pk = 10;
 +ERROR:  array size exceeds the maximum allowed (134217727)
 +update arr_pk_tbl set f1[2147483646:2147483647] = array[4,2] where pk = 10;
 +ERROR:  array size exceeds the maximum allowed (134217727)
 +-- also exercise the expanded-array case
 +do $$ declare a int[];
 +begin
 +  a := '[-2147483648:-2147483647]={1,2}'::int[];
 +  a[2147483647] := 42;
 +end $$;
 +ERROR:  array size exceeds the maximum allowed (134217727)
 +\set VERBOSITY default
 -- test [not] (like|ilike) (any|all) (...)
 select 'foo' like any (array['%a', '%o']); -- t
  ?column? 
 diff --git a/src/test/regress/sql/arrays.sql b/src/test/regress/sql/arrays.sql
 index 25dd4e2..4ad6e55 100644
 --- a/src/test/regress/sql/arrays.sql
 +++ b/src/test/regress/sql/arrays.sql
@@ -407,6 +407,25 @@ insert into arr_pk_tbl(pk, f1[1:2]) values (1, '{6,7,8}') on conflict (pk)
 reset enable_seqscan;
 reset enable_bitmapscan;
 +-- test subscript overflow detection
 +
 +-- The normal error message includes a platform-dependent limit,
 +-- so suppress it to avoid needing multiple expected-files.
 +\set VERBOSITY terse
 +
 +insert into arr_pk_tbl values(10, '[-2147483648:-2147483647]={1,2}');
 +update arr_pk_tbl set f1[2147483647] = 42 where pk = 10;
 +update arr_pk_tbl set f1[2147483646:2147483647] = array[4,2] where pk = 10;
 +
 +-- also exercise the expanded-array case
 +do $$ declare a int[];
 +begin
 +  a := '[-2147483648:-2147483647]={1,2}'::int[];
 +  a[2147483647] := 42;
 +end $$;
 +
 +\set VERBOSITY default
 +
 -- test [not] (like|ilike) (any|all) (...)
 select 'foo' like any (array['%a', '%o']); -- t
 select 'foo' like any (array['%a', '%b']); -- f
 diff --git a/src/include/common/int.h b/src/include/common/int.h
 new file mode 100644
 index 0000000..d754798
 --- /dev/null
 +++ b/src/include/common/int.h
@@ -0,0 +1,273 @@
 +/*-------------------------------------------------------------------------
 + *
 + * int.h
 + *	  Routines to perform integer math, while checking for overflows.
 + *
 + * The routines in this file are intended to be well defined C, without
 + * relying on compiler flags like -fwrapv.
 + *
 + * To reduce the overhead of these routines try to use compiler intrinsics
 + * where available. That's not that important for the 16, 32 bit cases, but
 + * the 64 bit cases can be considerably faster with intrinsics. In case no
 + * intrinsics are available 128 bit math is used where available.
 + *
 + * Copyright (c) 2017-2019, PostgreSQL Global Development Group
 + *
 + * src/include/common/int.h
 + *
 + *-------------------------------------------------------------------------
 + */
 +#ifndef COMMON_INT_H
 +#define COMMON_INT_H
 +
 +/*
 + * If a + b overflows, return true, otherwise store the result of a + b into
 + * *result. The content of *result is implementation defined in case of
 + * overflow.
 + */
 +static inline bool
 +pg_add_s16_overflow(int16 a, int16 b, int16 *result)
 +{
 +#if defined(HAVE__BUILTIN_OP_OVERFLOW)
 +	return __builtin_add_overflow(a, b, result);
 +#else
 +	int32		res = (int32) a + (int32) b;
 +
 +	if (res > PG_INT16_MAX || res < PG_INT16_MIN)
 +	{
 +		*result = 0x5EED;		/* to avoid spurious warnings */
 +		return true;
 +	}
 +	*result = (int16) res;
 +	return false;
 +#endif
 +}
 +
 +/*
 + * If a - b overflows, return true, otherwise store the result of a - b into
 + * *result. The content of *result is implementation defined in case of
 + * overflow.
 + */
 +static inline bool
 +pg_sub_s16_overflow(int16 a, int16 b, int16 *result)
 +{
 +#if defined(HAVE__BUILTIN_OP_OVERFLOW)
 +	return __builtin_sub_overflow(a, b, result);
 +#else
 +	int32		res = (int32) a - (int32) b;
 +
 +	if (res > PG_INT16_MAX || res < PG_INT16_MIN)
 +	{
 +		*result = 0x5EED;		/* to avoid spurious warnings */
 +		return true;
 +	}
 +	*result = (int16) res;
 +	return false;
 +#endif
 +}
 +
 +/*
 + * If a * b overflows, return true, otherwise store the result of a * b into
 + * *result. The content of *result is implementation defined in case of
 + * overflow.
 + */
 +static inline bool
 +pg_mul_s16_overflow(int16 a, int16 b, int16 *result)
 +{
 +#if defined(HAVE__BUILTIN_OP_OVERFLOW)
 +	return __builtin_mul_overflow(a, b, result);
 +#else
 +	int32		res = (int32) a * (int32) b;
 +
 +	if (res > PG_INT16_MAX || res < PG_INT16_MIN)
 +	{
 +		*result = 0x5EED;		/* to avoid spurious warnings */
 +		return true;
 +	}
 +	*result = (int16) res;
 +	return false;
 +#endif
 +}
 +
 +/*
 + * If a + b overflows, return true, otherwise store the result of a + b into
 + * *result. The content of *result is implementation defined in case of
 + * overflow.
 + */
 +static inline bool
 +pg_add_s32_overflow(int32 a, int32 b, int32 *result)
 +{
 +#if defined(HAVE__BUILTIN_OP_OVERFLOW)
 +	return __builtin_add_overflow(a, b, result);
 +#else
 +	int64		res = (int64) a + (int64) b;
 +
 +	if (res > PG_INT32_MAX || res < PG_INT32_MIN)
 +	{
 +		*result = 0x5EED;		/* to avoid spurious warnings */
 +		return true;
 +	}
 +	*result = (int32) res;
 +	return false;
 +#endif
 +}
 +
 +/*
 + * If a - b overflows, return true, otherwise store the result of a - b into
 + * *result. The content of *result is implementation defined in case of
 + * overflow.
 + */
 +static inline bool
 +pg_sub_s32_overflow(int32 a, int32 b, int32 *result)
 +{
 +#if defined(HAVE__BUILTIN_OP_OVERFLOW)
 +	return __builtin_sub_overflow(a, b, result);
 +#else
 +	int64		res = (int64) a - (int64) b;
 +
 +	if (res > PG_INT32_MAX || res < PG_INT32_MIN)
 +	{
 +		*result = 0x5EED;		/* to avoid spurious warnings */
 +		return true;
 +	}
 +	*result = (int32) res;
 +	return false;
 +#endif
 +}
 +
 +/*
 + * If a * b overflows, return true, otherwise store the result of a * b into
 + * *result. The content of *result is implementation defined in case of
 + * overflow.
 + */
 +static inline bool
 +pg_mul_s32_overflow(int32 a, int32 b, int32 *result)
 +{
 +#if defined(HAVE__BUILTIN_OP_OVERFLOW)
 +	return __builtin_mul_overflow(a, b, result);
 +#else
 +	int64		res = (int64) a * (int64) b;
 +
 +	if (res > PG_INT32_MAX || res < PG_INT32_MIN)
 +	{
 +		*result = 0x5EED;		/* to avoid spurious warnings */
 +		return true;
 +	}
 +	*result = (int32) res;
 +	return false;
 +#endif
 +}
 +
 +/*
 + * If a + b overflows, return true, otherwise store the result of a + b into
 + * *result. The content of *result is implementation defined in case of
 + * overflow.
 + */
 +static inline bool
 +pg_add_s64_overflow(int64 a, int64 b, int64 *result)
 +{
 +#if defined(HAVE__BUILTIN_OP_OVERFLOW)
 +	return __builtin_add_overflow(a, b, result);
 +#elif defined(HAVE_INT128)
 +	int128		res = (int128) a + (int128) b;
 +
 +	if (res > PG_INT64_MAX || res < PG_INT64_MIN)
 +	{
 +		*result = 0x5EED;		/* to avoid spurious warnings */
 +		return true;
 +	}
 +	*result = (int64) res;
 +	return false;
 +#else
 +	if ((a > 0 && b > 0 && a > PG_INT64_MAX - b) ||
 +		(a < 0 && b < 0 && a < PG_INT64_MIN - b))
 +	{
 +		*result = 0x5EED;		/* to avoid spurious warnings */
 +		return true;
 +	}
 +	*result = a + b;
 +	return false;
 +#endif
 +}
 +
 +/*
 + * If a - b overflows, return true, otherwise store the result of a - b into
 + * *result. The content of *result is implementation defined in case of
 + * overflow.
 + */
 +static inline bool
 +pg_sub_s64_overflow(int64 a, int64 b, int64 *result)
 +{
 +#if defined(HAVE__BUILTIN_OP_OVERFLOW)
 +	return __builtin_sub_overflow(a, b, result);
 +#elif defined(HAVE_INT128)
 +	int128		res = (int128) a - (int128) b;
 +
 +	if (res > PG_INT64_MAX || res < PG_INT64_MIN)
 +	{
 +		*result = 0x5EED;		/* to avoid spurious warnings */
 +		return true;
 +	}
 +	*result = (int64) res;
 +	return false;
 +#else
 +	if ((a < 0 && b > 0 && a < PG_INT64_MIN + b) ||
 +		(a > 0 && b < 0 && a > PG_INT64_MAX + b))
 +	{
 +		*result = 0x5EED;		/* to avoid spurious warnings */
 +		return true;
 +	}
 +	*result = a - b;
 +	return false;
 +#endif
 +}
 +
 +/*
 + * If a * b overflows, return true, otherwise store the result of a * b into
 + * *result. The content of *result is implementation defined in case of
 + * overflow.
 + */
 +static inline bool
 +pg_mul_s64_overflow(int64 a, int64 b, int64 *result)
 +{
 +#if defined(HAVE__BUILTIN_OP_OVERFLOW)
 +	return __builtin_mul_overflow(a, b, result);
 +#elif defined(HAVE_INT128)
 +	int128		res = (int128) a * (int128) b;
 +
 +	if (res > PG_INT64_MAX || res < PG_INT64_MIN)
 +	{
 +		*result = 0x5EED;		/* to avoid spurious warnings */
 +		return true;
 +	}
 +	*result = (int64) res;
 +	return false;
 +#else
 +	/*
 +	 * Overflow can only happen if at least one value is outside the range
 +	 * sqrt(min)..sqrt(max) so check that first as the division can be quite a
 +	 * bit more expensive than the multiplication.
 +	 *
 +	 * Multiplying by 0 or 1 can't overflow of course and checking for 0
 +	 * separately avoids any risk of dividing by 0.  Be careful about dividing
 +	 * INT_MIN by -1 also, note reversing the a and b to ensure we're always
 +	 * dividing it by a positive value.
 +	 *
 +	 */
 +	if ((a > PG_INT32_MAX || a < PG_INT32_MIN ||
 +		 b > PG_INT32_MAX || b < PG_INT32_MIN) &&
 +		a != 0 && a != 1 && b != 0 && b != 1 &&
 +		((a > 0 && b > 0 && a > PG_INT64_MAX / b) ||
 +		 (a > 0 && b < 0 && b < PG_INT64_MIN / a) ||
 +		 (a < 0 && b > 0 && a < PG_INT64_MIN / b) ||
 +		 (a < 0 && b < 0 && a < PG_INT64_MAX / b)))
 +	{
 +		*result = 0x5EED;		/* to avoid spurious warnings */
 +		return true;
 +	}
 +	*result = a * b;
 +	return false;
 +#endif
 +}
 +
 +#endif							/* COMMON_INT_H */
 -- 
 2.39.3
--- a/SPECS/postgresql.spec
+++ b/SPECS/postgresql.spec
@ -59,7 +59,7 @@ Summary: PostgreSQL client programs
 Name: postgresql
 %global majorversion 10
 Version: %{majorversion}.23
-Release: 2%{?dist}
+Release: 3.0.1%{?dist}
 # The PostgreSQL license is very similar to other MIT licenses, but the OSI
 # recognizes it as an independent license, so we do as well.
@ -110,6 +110,10 @@ Patch9: postgresql-server-pg_config.patch
 Patch10: postgresql-10.15-contrib-dblink-expected-out.patch
 Patch11: postgresql-10.23-CVE-2023-2454.patch
 Patch12: postgresql-10.23-CVE-2023-2455.patch
 Patch13: postgresql-10.23-CVE-2023-5869.patch
 #Oracle Patches 
 Patch1001: 1001-Fixed-postgresql-service-network-binding-issue.patch
 BuildRequires: gcc
 BuildRequires: perl(ExtUtils::MakeMaker) glibc-devel bison flex gawk
@ -371,6 +375,9 @@ benchmarks.
 %patch10 -p1
 %patch11 -p1
 %patch12 -p1
 %patch13 -p1
 %patch1001 -p1
 # We used to run autoconf here, but there's no longer any real need to,
 # since Postgres ships with a reasonably modern configure script.
@ -1175,6 +1182,12 @@ make -C postgresql-setup-%{setup_version} check
 %changelog
 * Mon Dec 18 2023 Lubos Kloucek <lubos.kloucek@oracle.com> - 10.23-3.0.1
 - Resolves: CVE-2023-5869
 * Tue Aug 08 2023 David Sloboda <david.x.sloboda@oracle.com> - 10.23-2.0.1
 - Fixed postgresql port binding issue during bootup [Orabug: 35103668]
 * Wed Jul 19 2023 Dominik Rehák <drehak@redhat.com> - 10.23-2
 - Backport fixes for CVE-2023-2454 and CVE-2023-2455
 - Update postgresql-setup to 8.7 (https://github.com/devexp-db/postgresql-setup/pull/35)