.gitignore

@@ -1,4 +1,4 @@
 SOURCES/postgresql-10.23-US.pdf
 SOURCES/postgresql-10.23.tar.bz2
 SOURCES/postgresql-9.2.24.tar.bz2
-SOURCES/postgresql-setup-8.7.tar.gz
+SOURCES/postgresql-setup-8.6.tar.gz

.postgresql.metadata

@@ -1,4 +1,4 @@
 a416c245ff0815fbde534bc49b0a07ffdd373894 SOURCES/postgresql-10.23-US.pdf
 2df7b4b3751112f3cb543c3ea81e45531bebc7a1 SOURCES/postgresql-10.23.tar.bz2
 63d6966ccdbab6aae1f9754fdb8e341ada1ef653 SOURCES/postgresql-9.2.24.tar.bz2
-fb97095dc9648f9c31d58fcb406831da5e419ddf SOURCES/postgresql-setup-8.7.tar.gz
+9e12ee26bf41d3831f83049b51ae5da76de2ce12 SOURCES/postgresql-setup-8.6.tar.gz

SOURCES/postgresql-10.23-CVE-2023-2454.patch

@@ -1,249 +0,0 @@
-From 681d9e4621aac0a9c71364b6f54f00f6d8c4337f Mon Sep 17 00:00:00 2001
-From 8d525d7b9545884a3e0d79adcd61543f9ae2ae28 Mon Sep 17 00:00:00 2001
-From: Noah Misch <noah@leadboat.com>
-Date: Mon, 8 May 2023 06:14:07 -0700
-Subject: Replace last PushOverrideSearchPath() call with
- set_config_option().
-
-The two methods don't cooperate, so set_config_option("search_path",
-...) has been ineffective under non-empty overrideStack.  This defect
-enabled an attacker having database-level CREATE privilege to execute
-arbitrary code as the bootstrap superuser.  While that particular attack
-requires v13+ for the trusted extension attribute, other attacks are
-feasible in all supported versions.
-
-Standardize on the combination of NewGUCNestLevel() and
-set_config_option("search_path", ...).  It is newer than
-PushOverrideSearchPath(), more-prevalent, and has no known
-disadvantages.  The "override" mechanism remains for now, for
-compatibility with out-of-tree code.  Users should update such code,
-which likely suffers from the same sort of vulnerability closed here.
-Back-patch to v11 (all supported versions).
-
-Alexander Lakhin.  Reported by Alexander Lakhin.
-
-Security: CVE-2023-2454
----
- contrib/seg/Makefile                    |  2 +-
- contrib/seg/expected/security.out       | 32 ++++++++++++++++++
- contrib/seg/sql/security.sql            | 32 ++++++++++++++++++
- src/backend/catalog/namespace.c         |  4 +++
- src/backend/commands/schemacmds.c       | 37 ++++++++++++++------
- src/test/regress/expected/namespace.out | 45 +++++++++++++++++++++++++
- src/test/regress/sql/namespace.sql      | 24 +++++++++++++
- 7 files changed, 165 insertions(+), 11 deletions(-)
- create mode 100644 contrib/seg/expected/security.out
- create mode 100644 contrib/seg/sql/security.sql
-
-diff --git a/src/backend/catalog/namespace.c b/src/backend/catalog/namespace.c
-index 14e57adee2..73ddb67882 100644
---- a/src/backend/catalog/namespace.c
-+++ b/src/backend/catalog/namespace.c
-@@ -3515,6 +3515,10 @@ OverrideSearchPathMatchesCurrent(OverrideSearchPath *path)
- /*
-  * PushOverrideSearchPath - temporarily override the search path
-  *
-+ * Do not use this function; almost any usage introduces a security
-+ * vulnerability.  It exists for the benefit of legacy code running in
-+ * non-security-sensitive environments.
-+ *
-  * We allow nested overrides, hence the push/pop terminology.  The GUC
-  * search_path variable is ignored while an override is active.
-  *
-diff --git a/src/backend/commands/schemacmds.c b/src/backend/commands/schemacmds.c
-index 48590247f8..b6a71154a8 100644
---- a/src/backend/commands/schemacmds.c
-+++ b/src/backend/commands/schemacmds.c
-@@ -30,6 +30,7 @@
- #include "commands/schemacmds.h"
- #include "miscadmin.h"
- #include "parser/parse_utilcmd.h"
-+#include "parser/scansup.h"
- #include "tcop/utility.h"
- #include "utils/acl.h"
- #include "utils/builtins.h"
-@@ -53,14 +54,16 @@ CreateSchemaCommand(CreateSchemaStmt *stmt, const char *queryString,
- {
- 	const char *schemaName = stmt->schemaname;
- 	Oid			namespaceId;
--	OverrideSearchPath *overridePath;
- 	List	   *parsetree_list;
- 	ListCell   *parsetree_item;
- 	Oid			owner_uid;
- 	Oid			saved_uid;
- 	int			save_sec_context;
-+	int			save_nestlevel;
-+	char	   *nsp = namespace_search_path;
- 	AclResult	aclresult;
- 	ObjectAddress address;
-+	StringInfoData pathbuf;
- 
- 	GetUserIdAndSecContext(&saved_uid, &save_sec_context);
- 
-@@ -153,14 +156,26 @@ CreateSchemaCommand(CreateSchemaStmt *stmt, const char *queryString,
- 	CommandCounterIncrement();
- 
- 	/*
--	 * Temporarily make the new namespace be the front of the search path, as
--	 * well as the default creation target namespace.  This will be undone at
--	 * the end of this routine, or upon error.
-+	 * Prepend the new schema to the current search path.
-+	 *
-+	 * We use the equivalent of a function SET option to allow the setting to
-+	 * persist for exactly the duration of the schema creation.  guc.c also
-+	 * takes care of undoing the setting on error.
- 	 */
--	overridePath = GetOverrideSearchPath(CurrentMemoryContext);
--	overridePath->schemas = lcons_oid(namespaceId, overridePath->schemas);
--	/* XXX should we clear overridePath->useTemp? */
--	PushOverrideSearchPath(overridePath);
-+	save_nestlevel = NewGUCNestLevel();
-+
-+	initStringInfo(&pathbuf);
-+	appendStringInfoString(&pathbuf, quote_identifier(schemaName));
-+
-+	while (scanner_isspace(*nsp))
-+		nsp++;
-+
-+	if (*nsp != '\0')
-+		appendStringInfo(&pathbuf, ", %s", nsp);
-+
-+	(void) set_config_option("search_path", pathbuf.data,
-+							 PGC_USERSET, PGC_S_SESSION,
-+							 GUC_ACTION_SAVE, true, 0, false);
- 
- 	/*
- 	 * Report the new schema to possibly interested event triggers.  Note we
-@@ -215,8 +230,10 @@ CreateSchemaCommand(CreateSchemaStmt *stmt, const char *queryString,
- 		CommandCounterIncrement();
- 	}
- 
--	/* Reset search path to normal state */
--	PopOverrideSearchPath();
-+	/*
-+	 * Restore the GUC variable search_path we set above.
-+	 */
-+	AtEOXact_GUC(true, save_nestlevel);
- 
- 	/* Reset current user and security context */
- 	SetUserIdAndSecContext(saved_uid, save_sec_context);
-diff --git a/src/test/regress/expected/namespace.out b/src/test/regress/expected/namespace.out
-index 2564d1b080..a62fd8ded0 100644
---- a/src/test/regress/expected/namespace.out
-+++ b/src/test/regress/expected/namespace.out
-@@ -1,6 +1,14 @@
- --
- -- Regression tests for schemas (namespaces)
- --
-+-- set the whitespace-only search_path to test that the
-+-- GUC list syntax is preserved during a schema creation
-+SELECT pg_catalog.set_config('search_path', ' ', false);
-+ set_config 
-+------------
-+  
-+(1 row)
-+
- CREATE SCHEMA test_schema_1
-        CREATE UNIQUE INDEX abc_a_idx ON abc (a)
-        CREATE VIEW abc_view AS
-@@ -9,6 +17,43 @@ CREATE SCHEMA test_schema_1
-               a serial,
-               b int UNIQUE
-        );
-+-- verify that the correct search_path restored on abort
-+SET search_path to public;
-+BEGIN;
-+SET search_path to public, test_schema_1;
-+CREATE SCHEMA test_schema_2
-+       CREATE VIEW abc_view AS SELECT c FROM abc;
-+ERROR:  column "c" does not exist
-+LINE 2:        CREATE VIEW abc_view AS SELECT c FROM abc;
-+                                              ^
-+COMMIT;
-+SHOW search_path;
-+ search_path 
-+-------------
-+ public
-+(1 row)
-+
-+-- verify that the correct search_path preserved
-+-- after creating the schema and on commit
-+BEGIN;
-+SET search_path to public, test_schema_1;
-+CREATE SCHEMA test_schema_2
-+       CREATE VIEW abc_view AS SELECT a FROM abc;
-+SHOW search_path;
-+      search_path      
-+-----------------------
-+ public, test_schema_1
-+(1 row)
-+
-+COMMIT;
-+SHOW search_path;
-+      search_path      
-+-----------------------
-+ public, test_schema_1
-+(1 row)
-+
-+DROP SCHEMA test_schema_2 CASCADE;
-+NOTICE:  drop cascades to view test_schema_2.abc_view
- -- verify that the objects were created
- SELECT COUNT(*) FROM pg_class WHERE relnamespace =
-     (SELECT oid FROM pg_namespace WHERE nspname = 'test_schema_1');
-diff --git a/src/test/regress/sql/namespace.sql b/src/test/regress/sql/namespace.sql
-index 6b12c96193..3474f5ecf4 100644
---- a/src/test/regress/sql/namespace.sql
-+++ b/src/test/regress/sql/namespace.sql
-@@ -2,6 +2,10 @@
- -- Regression tests for schemas (namespaces)
- --
- 
-+-- set the whitespace-only search_path to test that the
-+-- GUC list syntax is preserved during a schema creation
-+SELECT pg_catalog.set_config('search_path', ' ', false);
-+
- CREATE SCHEMA test_schema_1
-        CREATE UNIQUE INDEX abc_a_idx ON abc (a)
- 
-@@ -13,6 +17,26 @@ CREATE SCHEMA test_schema_1
-               b int UNIQUE
-        );
- 
-+-- verify that the correct search_path restored on abort
-+SET search_path to public;
-+BEGIN;
-+SET search_path to public, test_schema_1;
-+CREATE SCHEMA test_schema_2
-+       CREATE VIEW abc_view AS SELECT c FROM abc;
-+COMMIT;
-+SHOW search_path;
-+
-+-- verify that the correct search_path preserved
-+-- after creating the schema and on commit
-+BEGIN;
-+SET search_path to public, test_schema_1;
-+CREATE SCHEMA test_schema_2
-+       CREATE VIEW abc_view AS SELECT a FROM abc;
-+SHOW search_path;
-+COMMIT;
-+SHOW search_path;
-+DROP SCHEMA test_schema_2 CASCADE;
-+
- -- verify that the objects were created
- SELECT COUNT(*) FROM pg_class WHERE relnamespace =
-     (SELECT oid FROM pg_namespace WHERE nspname = 'test_schema_1');
-diff --git a/contrib/sepgsql/expected/ddl.out b/contrib/sepgsql/expected/ddl.out
-index e8da587564..15d2b9c5e7 100644
---- a/contrib/sepgsql/expected/ddl.out
-+++ b/contrib/sepgsql/expected/ddl.out
-@@ -24,7 +24,6 @@ LOG:  SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_reg
- CREATE USER regress_sepgsql_test_user;
- CREATE SCHEMA regtest_schema;
- LOG:  SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema"
--LOG:  SELinux: allowed { search } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=system_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="public"
- GRANT ALL ON SCHEMA regtest_schema TO regress_sepgsql_test_user;
- SET search_path = regtest_schema, public;
- CREATE TABLE regtest_table (x serial primary key, y text);
--- 
-2.41.0
-

SOURCES/postgresql-10.23-CVE-2023-2455.patch

@@ -1,114 +0,0 @@
-From ca73753b090c33bc69ce299b4d7fff891a77b8ad Mon Sep 17 00:00:00 2001
-From: Tom Lane <tgl@sss.pgh.pa.us>
-Date: Mon, 8 May 2023 10:12:44 -0400
-Subject: Handle RLS dependencies in inlined set-returning
- functions properly.
-
-If an SRF in the FROM clause references a table having row-level
-security policies, and we inline that SRF into the calling query,
-we neglected to mark the plan as potentially dependent on which
-role is executing it.  This could lead to later executions in the
-same session returning or hiding rows that should have been hidden
-or returned instead.
-
-Our thanks to Wolfgang Walther for reporting this problem.
-
-Stephen Frost and Tom Lane
-
-Security: CVE-2023-2455
----
- src/backend/optimizer/util/clauses.c      |  7 ++++++
- src/test/regress/expected/rowsecurity.out | 27 +++++++++++++++++++++++
- src/test/regress/sql/rowsecurity.sql      | 20 +++++++++++++++++
- 3 files changed, 54 insertions(+)
-
-diff --git a/src/backend/optimizer/util/clauses.c b/src/backend/optimizer/util/clauses.c
-index a9c7bc342e..11269fee3e 100644
---- a/src/backend/optimizer/util/clauses.c
-+++ b/src/backend/optimizer/util/clauses.c
-@@ -5205,6 +5205,13 @@ inline_set_returning_function(PlannerInfo *root, RangeTblEntry *rte)
- 	 */
- 	record_plan_function_dependency(root, func_oid);
- 
-+	/*
-+	 * We must also notice if the inserted query adds a dependency on the
-+	 * calling role due to RLS quals.
-+	 */
-+	if (querytree->hasRowSecurity)
-+		root->glob->dependsOnRole = true;
-+
- 	return querytree;
- 
- 	/* Here if func is not inlinable: release temp memory and return NULL */
-diff --git a/src/test/regress/expected/rowsecurity.out b/src/test/regress/expected/rowsecurity.out
-index 38f53ed486..e278346420 100644
---- a/src/test/regress/expected/rowsecurity.out
-+++ b/src/test/regress/expected/rowsecurity.out
-@@ -4427,6 +4427,33 @@ SELECT * FROM rls_tbl;
- 
- DROP TABLE rls_tbl;
- RESET SESSION AUTHORIZATION;
-+-- CVE-2023-2455: inlining an SRF may introduce an RLS dependency
-+create table rls_t (c text);
-+insert into rls_t values ('invisible to bob');
-+alter table rls_t enable row level security;
-+grant select on rls_t to regress_rls_alice, regress_rls_bob;
-+create policy p1 on rls_t for select to regress_rls_alice using (true);
-+create policy p2 on rls_t for select to regress_rls_bob using (false);
-+create function rls_f () returns setof rls_t
-+  stable language sql
-+  as $$ select * from rls_t $$;
-+prepare q as select current_user, * from rls_f();
-+set role regress_rls_alice;
-+execute q;
-+   current_user    |        c         
-+-------------------+------------------
-+ regress_rls_alice | invisible to bob
-+(1 row)
-+
-+set role regress_rls_bob;
-+execute q;
-+ current_user | c 
-+--------------+---
-+(0 rows)
-+
-+RESET ROLE;
-+DROP FUNCTION rls_f();
-+DROP TABLE rls_t;
- --
- -- Clean up objects
- --
-diff --git a/src/test/regress/sql/rowsecurity.sql b/src/test/regress/sql/rowsecurity.sql
-index 0fd0cded7d..3d664538a6 100644
---- a/src/test/regress/sql/rowsecurity.sql
-+++ b/src/test/regress/sql/rowsecurity.sql
-@@ -2127,6 +2127,26 @@ SELECT * FROM rls_tbl;
- DROP TABLE rls_tbl;
- RESET SESSION AUTHORIZATION;
- 
-+-- CVE-2023-2455: inlining an SRF may introduce an RLS dependency
-+create table rls_t (c text);
-+insert into rls_t values ('invisible to bob');
-+alter table rls_t enable row level security;
-+grant select on rls_t to regress_rls_alice, regress_rls_bob;
-+create policy p1 on rls_t for select to regress_rls_alice using (true);
-+create policy p2 on rls_t for select to regress_rls_bob using (false);
-+create function rls_f () returns setof rls_t
-+  stable language sql
-+  as $$ select * from rls_t $$;
-+prepare q as select current_user, * from rls_f();
-+set role regress_rls_alice;
-+execute q;
-+set role regress_rls_bob;
-+execute q;
-+
-+RESET ROLE;
-+DROP FUNCTION rls_f();
-+DROP TABLE rls_t;
-+
- --
- -- Clean up objects
- --
--- 
-2.41.0
-

SOURCES/postgresql-10.23-CVE-2023-5869.patch

@@ -1,576 +0,0 @@
-From d267cea24ea346c739c85bf7bccbd8e8f59da6b3 Mon Sep 17 00:00:00 2001
-From: Tom Lane <tgl@sss.pgh.pa.us>
-Date: Mon, 6 Nov 2023 10:56:43 -0500
-Subject: [PATCH 1/1] Detect integer overflow while computing new array
- dimensions.
-
-array_set_element() and related functions allow an array to be
-enlarged by assigning to subscripts outside the current array bounds.
-While these places were careful to check that the new bounds are
-allowable, they neglected to consider the risk of integer overflow
-in computing the new bounds.  In edge cases, we could compute new
-bounds that are invalid but get past the subsequent checks,
-allowing bad things to happen.  Memory stomps that are potentially
-exploitable for arbitrary code execution are possible, and so is
-disclosure of server memory.
-
-To fix, perform the hazardous computations using overflow-detecting
-arithmetic routines, which fortunately exist in all still-supported
-branches.
-
-The test cases added for this generate (after patching) errors that
-mention the value of MaxArraySize, which is platform-dependent.
-Rather than introduce multiple expected-files, use psql's VERBOSITY
-parameter to suppress the printing of the message text.  v11 psql
-lacks that parameter, so omit the tests in that branch.
-
-Our thanks to Pedro Gallegos for reporting this problem.
-
-Security: CVE-2023-5869
-Sign-Off-By: Tianyue Lan <tianyue.lan@oracle.com>
-
----
- src/backend/utils/adt/arrayfuncs.c   | 85 ++++++++++++++++++++++------
- src/backend/utils/adt/arrayutils.c   |  6 --
- src/include/utils/array.h            |  7 +++
- src/test/regress/expected/arrays.out | 17 ++++++
- src/test/regress/sql/arrays.sql      | 19 +++++++
- src/include/common/int.h | 273 +++++++++++++++++++++++++++++++++++++++
- create mode 100644 src/include/common/int.h
- 6 files changed, 383 insertions(+), 24 deletions(-)
-
-diff --git a/src/backend/utils/adt/arrayfuncs.c b/src/backend/utils/adt/arrayfuncs.c
-index 553c517..7363893 100644
---- a/src/backend/utils/adt/arrayfuncs.c
-+++ b/src/backend/utils/adt/arrayfuncs.c
-@@ -22,6 +22,7 @@
- 
- #include "access/htup_details.h"
- #include "catalog/pg_type.h"
-+#include "common/int.h"
- #include "funcapi.h"
- #include "libpq/pqformat.h"
- #include "utils/array.h"
-@@ -2309,22 +2310,38 @@ array_set_element(Datum arraydatum,
- 	addedbefore = addedafter = 0;
- 
- 	/*
--	 * Check subscripts
-+	 * Check subscripts.  We assume the existing subscripts passed
-+	 * ArrayCheckBounds, so that dim[i] + lb[i] can be computed without
-+	 * overflow.  But we must beware of other overflows in our calculations of
-+	 * new dim[] values.
- 	 */
- 	if (ndim == 1)
- 	{
- 		if (indx[0] < lb[0])
- 		{
--			addedbefore = lb[0] - indx[0];
--			dim[0] += addedbefore;
-+			/* addedbefore = lb[0] - indx[0]; */
-+			/* dim[0] += addedbefore; */
-+			if (pg_sub_s32_overflow(lb[0], indx[0], &addedbefore) ||
-+				pg_add_s32_overflow(dim[0], addedbefore, &dim[0]))
-+				ereport(ERROR,
-+						(errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
-+						 errmsg("array size exceeds the maximum allowed (%d)",
-+								(int) MaxArraySize)));
- 			lb[0] = indx[0];
- 			if (addedbefore > 1)
- 				newhasnulls = true; /* will insert nulls */
- 		}
- 		if (indx[0] >= (dim[0] + lb[0]))
- 		{
--			addedafter = indx[0] - (dim[0] + lb[0]) + 1;
--			dim[0] += addedafter;
-+			/* addedafter = indx[0] - (dim[0] + lb[0]) + 1; */
-+			/* dim[0] += addedafter; */
-+			if (pg_sub_s32_overflow(indx[0], dim[0] + lb[0], &addedafter) ||
-+				pg_add_s32_overflow(addedafter, 1, &addedafter) ||
-+				pg_add_s32_overflow(dim[0], addedafter, &dim[0]))
-+				ereport(ERROR,
-+						(errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
-+						 errmsg("array size exceeds the maximum allowed (%d)",
-+								(int) MaxArraySize)));
- 			if (addedafter > 1)
- 				newhasnulls = true; /* will insert nulls */
- 		}
-@@ -2568,14 +2585,23 @@ array_set_element_expanded(Datum arraydatum,
- 	addedbefore = addedafter = 0;
- 
- 	/*
--	 * Check subscripts (this logic matches original array_set_element)
-+	 * Check subscripts (this logic must match array_set_element).  We assume
-+	 * the existing subscripts passed ArrayCheckBounds, so that dim[i] + lb[i]
-+	 * can be computed without overflow.  But we must beware of other
-+	 * overflows in our calculations of new dim[] values.
- 	 */
- 	if (ndim == 1)
- 	{
- 		if (indx[0] < lb[0])
- 		{
--			addedbefore = lb[0] - indx[0];
--			dim[0] += addedbefore;
-+			/* addedbefore = lb[0] - indx[0]; */
-+			/* dim[0] += addedbefore; */
-+			if (pg_sub_s32_overflow(lb[0], indx[0], &addedbefore) ||
-+				pg_add_s32_overflow(dim[0], addedbefore, &dim[0]))
-+				ereport(ERROR,
-+						(errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
-+						 errmsg("array size exceeds the maximum allowed (%d)",
-+								(int) MaxArraySize)));
- 			lb[0] = indx[0];
- 			dimschanged = true;
- 			if (addedbefore > 1)
-@@ -2583,8 +2609,15 @@ array_set_element_expanded(Datum arraydatum,
- 		}
- 		if (indx[0] >= (dim[0] + lb[0]))
- 		{
--			addedafter = indx[0] - (dim[0] + lb[0]) + 1;
--			dim[0] += addedafter;
-+			/* addedafter = indx[0] - (dim[0] + lb[0]) + 1; */
-+			/* dim[0] += addedafter; */
-+			if (pg_sub_s32_overflow(indx[0], dim[0] + lb[0], &addedafter) ||
-+				pg_add_s32_overflow(addedafter, 1, &addedafter) ||
-+				pg_add_s32_overflow(dim[0], addedafter, &dim[0]))
-+				ereport(ERROR,
-+						(errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
-+						 errmsg("array size exceeds the maximum allowed (%d)",
-+								(int) MaxArraySize)));
- 			dimschanged = true;
- 			if (addedafter > 1)
- 				newhasnulls = true; /* will insert nulls */
-@@ -2866,7 +2899,10 @@ array_set_slice(Datum arraydatum,
- 	addedbefore = addedafter = 0;
- 
- 	/*
--	 * Check subscripts
-+	 * Check subscripts.  We assume the existing subscripts passed
-+	 * ArrayCheckBounds, so that dim[i] + lb[i] can be computed without
-+	 * overflow.  But we must beware of other overflows in our calculations of
-+	 * new dim[] values.
- 	 */
- 	if (ndim == 1)
- 	{
-@@ -2881,18 +2917,31 @@ array_set_slice(Datum arraydatum,
- 					 errmsg("upper bound cannot be less than lower bound")));
- 		if (lowerIndx[0] < lb[0])
- 		{
--			if (upperIndx[0] < lb[0] - 1)
--				newhasnulls = true; /* will insert nulls */
--			addedbefore = lb[0] - lowerIndx[0];
--			dim[0] += addedbefore;
-+			/* addedbefore = lb[0] - lowerIndx[0]; */
-+			/* dim[0] += addedbefore; */
-+			if (pg_sub_s32_overflow(lb[0], lowerIndx[0], &addedbefore) ||
-+				pg_add_s32_overflow(dim[0], addedbefore, &dim[0]))
-+				ereport(ERROR,
-+						(errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
-+						 errmsg("array size exceeds the maximum allowed (%d)",
-+								(int) MaxArraySize)));
- 			lb[0] = lowerIndx[0];
-+			if (addedbefore > 1)
-+				newhasnulls = true; /* will insert nulls */
- 		}
- 		if (upperIndx[0] >= (dim[0] + lb[0]))
- 		{
--			if (lowerIndx[0] > (dim[0] + lb[0]))
-+			/* addedafter = upperIndx[0] - (dim[0] + lb[0]) + 1; */
-+			/* dim[0] += addedafter; */
-+			if (pg_sub_s32_overflow(upperIndx[0], dim[0] + lb[0], &addedafter) ||
-+				pg_add_s32_overflow(addedafter, 1, &addedafter) ||
-+				pg_add_s32_overflow(dim[0], addedafter, &dim[0]))
-+				ereport(ERROR,
-+						(errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
-+						 errmsg("array size exceeds the maximum allowed (%d)",
-+								(int) MaxArraySize)));
-+			if (addedafter > 1)
- 				newhasnulls = true; /* will insert nulls */
--			addedafter = upperIndx[0] - (dim[0] + lb[0]) + 1;
--			dim[0] += addedafter;
- 		}
- 	}
- 	else
-diff --git a/src/backend/utils/adt/arrayutils.c b/src/backend/utils/adt/arrayutils.c
-index f7c6a51..eb5f2a0 100644
---- a/src/backend/utils/adt/arrayutils.c
-+++ b/src/backend/utils/adt/arrayutils.c
-@@ -63,10 +63,6 @@ ArrayGetOffset0(int n, const int *tup, const int *scale)
-  * This must do overflow checking, since it is used to validate that a user
-  * dimensionality request doesn't overflow what we can handle.
-  *
-- * We limit array sizes to at most about a quarter billion elements,
-- * so that it's not necessary to check for overflow in quite so many
-- * places --- for instance when palloc'ing Datum arrays.
-- *
-  * The multiplication overflow check only works on machines that have int64
-  * arithmetic, but that is nearly all platforms these days, and doing check
-  * divides for those that don't seems way too expensive.
-@@ -77,8 +73,6 @@ ArrayGetNItems(int ndim, const int *dims)
- 	int32		ret;
- 	int			i;
- 
--#define MaxArraySize ((Size) (MaxAllocSize / sizeof(Datum)))
--
- 	if (ndim <= 0)
- 		return 0;
- 	ret = 1;
-diff --git a/src/include/utils/array.h b/src/include/utils/array.h
-index 905f6b0..3e4c09d 100644
---- a/src/include/utils/array.h
-+++ b/src/include/utils/array.h
-@@ -65,6 +65,13 @@
- #include "utils/expandeddatum.h"
- 
- 
-+/*
-+ * Maximum number of elements in an array.  We limit this to at most about a
-+ * quarter billion elements, so that it's not necessary to check for overflow
-+ * in quite so many places --- for instance when palloc'ing Datum arrays.
-+ */
-+#define MaxArraySize ((Size) (MaxAllocSize / sizeof(Datum)))
-+
- /*
-  * Arrays are varlena objects, so must meet the varlena convention that
-  * the first int32 of the object contains the total object size in bytes.
-diff --git a/src/test/regress/expected/arrays.out b/src/test/regress/expected/arrays.out
-index c730563..e4ec394 100644
---- a/src/test/regress/expected/arrays.out
-+++ b/src/test/regress/expected/arrays.out
-@@ -1347,6 +1347,23 @@ insert into arr_pk_tbl(pk, f1[1:2]) values (1, '{6,7,8}') on conflict (pk)
- -- then you didn't get an indexscan plan, and something is busted.
- reset enable_seqscan;
- reset enable_bitmapscan;
-+-- test subscript overflow detection
-+-- The normal error message includes a platform-dependent limit,
-+-- so suppress it to avoid needing multiple expected-files.
-+\set VERBOSITY terse
-+insert into arr_pk_tbl values(10, '[-2147483648:-2147483647]={1,2}');
-+update arr_pk_tbl set f1[2147483647] = 42 where pk = 10;
-+ERROR:  array size exceeds the maximum allowed (134217727)
-+update arr_pk_tbl set f1[2147483646:2147483647] = array[4,2] where pk = 10;
-+ERROR:  array size exceeds the maximum allowed (134217727)
-+-- also exercise the expanded-array case
-+do $$ declare a int[];
-+begin
-+  a := '[-2147483648:-2147483647]={1,2}'::int[];
-+  a[2147483647] := 42;
-+end $$;
-+ERROR:  array size exceeds the maximum allowed (134217727)
-+\set VERBOSITY default
- -- test [not] (like|ilike) (any|all) (...)
- select 'foo' like any (array['%a', '%o']); -- t
-  ?column? 
-diff --git a/src/test/regress/sql/arrays.sql b/src/test/regress/sql/arrays.sql
-index 25dd4e2..4ad6e55 100644
---- a/src/test/regress/sql/arrays.sql
-+++ b/src/test/regress/sql/arrays.sql
-@@ -407,6 +407,25 @@ insert into arr_pk_tbl(pk, f1[1:2]) values (1, '{6,7,8}') on conflict (pk)
- reset enable_seqscan;
- reset enable_bitmapscan;
- 
-+-- test subscript overflow detection
-+
-+-- The normal error message includes a platform-dependent limit,
-+-- so suppress it to avoid needing multiple expected-files.
-+\set VERBOSITY terse
-+
-+insert into arr_pk_tbl values(10, '[-2147483648:-2147483647]={1,2}');
-+update arr_pk_tbl set f1[2147483647] = 42 where pk = 10;
-+update arr_pk_tbl set f1[2147483646:2147483647] = array[4,2] where pk = 10;
-+
-+-- also exercise the expanded-array case
-+do $$ declare a int[];
-+begin
-+  a := '[-2147483648:-2147483647]={1,2}'::int[];
-+  a[2147483647] := 42;
-+end $$;
-+
-+\set VERBOSITY default
-+
- -- test [not] (like|ilike) (any|all) (...)
- select 'foo' like any (array['%a', '%o']); -- t
- select 'foo' like any (array['%a', '%b']); -- f
-
-diff --git a/src/include/common/int.h b/src/include/common/int.h
-new file mode 100644
-index 0000000..d754798
---- /dev/null
-+++ b/src/include/common/int.h
-@@ -0,0 +1,273 @@
-+/*-------------------------------------------------------------------------
-+ *
-+ * int.h
-+ *	  Routines to perform integer math, while checking for overflows.
-+ *
-+ * The routines in this file are intended to be well defined C, without
-+ * relying on compiler flags like -fwrapv.
-+ *
-+ * To reduce the overhead of these routines try to use compiler intrinsics
-+ * where available. That's not that important for the 16, 32 bit cases, but
-+ * the 64 bit cases can be considerably faster with intrinsics. In case no
-+ * intrinsics are available 128 bit math is used where available.
-+ *
-+ * Copyright (c) 2017-2019, PostgreSQL Global Development Group
-+ *
-+ * src/include/common/int.h
-+ *
-+ *-------------------------------------------------------------------------
-+ */
-+#ifndef COMMON_INT_H
-+#define COMMON_INT_H
-+
-+/*
-+ * If a + b overflows, return true, otherwise store the result of a + b into
-+ * *result. The content of *result is implementation defined in case of
-+ * overflow.
-+ */
-+static inline bool
-+pg_add_s16_overflow(int16 a, int16 b, int16 *result)
-+{
-+#if defined(HAVE__BUILTIN_OP_OVERFLOW)
-+	return __builtin_add_overflow(a, b, result);
-+#else
-+	int32		res = (int32) a + (int32) b;
-+
-+	if (res > PG_INT16_MAX || res < PG_INT16_MIN)
-+	{
-+		*result = 0x5EED;		/* to avoid spurious warnings */
-+		return true;
-+	}
-+	*result = (int16) res;
-+	return false;
-+#endif
-+}
-+
-+/*
-+ * If a - b overflows, return true, otherwise store the result of a - b into
-+ * *result. The content of *result is implementation defined in case of
-+ * overflow.
-+ */
-+static inline bool
-+pg_sub_s16_overflow(int16 a, int16 b, int16 *result)
-+{
-+#if defined(HAVE__BUILTIN_OP_OVERFLOW)
-+	return __builtin_sub_overflow(a, b, result);
-+#else
-+	int32		res = (int32) a - (int32) b;
-+
-+	if (res > PG_INT16_MAX || res < PG_INT16_MIN)
-+	{
-+		*result = 0x5EED;		/* to avoid spurious warnings */
-+		return true;
-+	}
-+	*result = (int16) res;
-+	return false;
-+#endif
-+}
-+
-+/*
-+ * If a * b overflows, return true, otherwise store the result of a * b into
-+ * *result. The content of *result is implementation defined in case of
-+ * overflow.
-+ */
-+static inline bool
-+pg_mul_s16_overflow(int16 a, int16 b, int16 *result)
-+{
-+#if defined(HAVE__BUILTIN_OP_OVERFLOW)
-+	return __builtin_mul_overflow(a, b, result);
-+#else
-+	int32		res = (int32) a * (int32) b;
-+
-+	if (res > PG_INT16_MAX || res < PG_INT16_MIN)
-+	{
-+		*result = 0x5EED;		/* to avoid spurious warnings */
-+		return true;
-+	}
-+	*result = (int16) res;
-+	return false;
-+#endif
-+}
-+
-+/*
-+ * If a + b overflows, return true, otherwise store the result of a + b into
-+ * *result. The content of *result is implementation defined in case of
-+ * overflow.
-+ */
-+static inline bool
-+pg_add_s32_overflow(int32 a, int32 b, int32 *result)
-+{
-+#if defined(HAVE__BUILTIN_OP_OVERFLOW)
-+	return __builtin_add_overflow(a, b, result);
-+#else
-+	int64		res = (int64) a + (int64) b;
-+
-+	if (res > PG_INT32_MAX || res < PG_INT32_MIN)
-+	{
-+		*result = 0x5EED;		/* to avoid spurious warnings */
-+		return true;
-+	}
-+	*result = (int32) res;
-+	return false;
-+#endif
-+}
-+
-+/*
-+ * If a - b overflows, return true, otherwise store the result of a - b into
-+ * *result. The content of *result is implementation defined in case of
-+ * overflow.
-+ */
-+static inline bool
-+pg_sub_s32_overflow(int32 a, int32 b, int32 *result)
-+{
-+#if defined(HAVE__BUILTIN_OP_OVERFLOW)
-+	return __builtin_sub_overflow(a, b, result);
-+#else
-+	int64		res = (int64) a - (int64) b;
-+
-+	if (res > PG_INT32_MAX || res < PG_INT32_MIN)
-+	{
-+		*result = 0x5EED;		/* to avoid spurious warnings */
-+		return true;
-+	}
-+	*result = (int32) res;
-+	return false;
-+#endif
-+}
-+
-+/*
-+ * If a * b overflows, return true, otherwise store the result of a * b into
-+ * *result. The content of *result is implementation defined in case of
-+ * overflow.
-+ */
-+static inline bool
-+pg_mul_s32_overflow(int32 a, int32 b, int32 *result)
-+{
-+#if defined(HAVE__BUILTIN_OP_OVERFLOW)
-+	return __builtin_mul_overflow(a, b, result);
-+#else
-+	int64		res = (int64) a * (int64) b;
-+
-+	if (res > PG_INT32_MAX || res < PG_INT32_MIN)
-+	{
-+		*result = 0x5EED;		/* to avoid spurious warnings */
-+		return true;
-+	}
-+	*result = (int32) res;
-+	return false;
-+#endif
-+}
-+
-+/*
-+ * If a + b overflows, return true, otherwise store the result of a + b into
-+ * *result. The content of *result is implementation defined in case of
-+ * overflow.
-+ */
-+static inline bool
-+pg_add_s64_overflow(int64 a, int64 b, int64 *result)
-+{
-+#if defined(HAVE__BUILTIN_OP_OVERFLOW)
-+	return __builtin_add_overflow(a, b, result);
-+#elif defined(HAVE_INT128)
-+	int128		res = (int128) a + (int128) b;
-+
-+	if (res > PG_INT64_MAX || res < PG_INT64_MIN)
-+	{
-+		*result = 0x5EED;		/* to avoid spurious warnings */
-+		return true;
-+	}
-+	*result = (int64) res;
-+	return false;
-+#else
-+	if ((a > 0 && b > 0 && a > PG_INT64_MAX - b) ||
-+		(a < 0 && b < 0 && a < PG_INT64_MIN - b))
-+	{
-+		*result = 0x5EED;		/* to avoid spurious warnings */
-+		return true;
-+	}
-+	*result = a + b;
-+	return false;
-+#endif
-+}
-+
-+/*
-+ * If a - b overflows, return true, otherwise store the result of a - b into
-+ * *result. The content of *result is implementation defined in case of
-+ * overflow.
-+ */
-+static inline bool
-+pg_sub_s64_overflow(int64 a, int64 b, int64 *result)
-+{
-+#if defined(HAVE__BUILTIN_OP_OVERFLOW)
-+	return __builtin_sub_overflow(a, b, result);
-+#elif defined(HAVE_INT128)
-+	int128		res = (int128) a - (int128) b;
-+
-+	if (res > PG_INT64_MAX || res < PG_INT64_MIN)
-+	{
-+		*result = 0x5EED;		/* to avoid spurious warnings */
-+		return true;
-+	}
-+	*result = (int64) res;
-+	return false;
-+#else
-+	if ((a < 0 && b > 0 && a < PG_INT64_MIN + b) ||
-+		(a > 0 && b < 0 && a > PG_INT64_MAX + b))
-+	{
-+		*result = 0x5EED;		/* to avoid spurious warnings */
-+		return true;
-+	}
-+	*result = a - b;
-+	return false;
-+#endif
-+}
-+
-+/*
-+ * If a * b overflows, return true, otherwise store the result of a * b into
-+ * *result. The content of *result is implementation defined in case of
-+ * overflow.
-+ */
-+static inline bool
-+pg_mul_s64_overflow(int64 a, int64 b, int64 *result)
-+{
-+#if defined(HAVE__BUILTIN_OP_OVERFLOW)
-+	return __builtin_mul_overflow(a, b, result);
-+#elif defined(HAVE_INT128)
-+	int128		res = (int128) a * (int128) b;
-+
-+	if (res > PG_INT64_MAX || res < PG_INT64_MIN)
-+	{
-+		*result = 0x5EED;		/* to avoid spurious warnings */
-+		return true;
-+	}
-+	*result = (int64) res;
-+	return false;
-+#else
-+	/*
-+	 * Overflow can only happen if at least one value is outside the range
-+	 * sqrt(min)..sqrt(max) so check that first as the division can be quite a
-+	 * bit more expensive than the multiplication.
-+	 *
-+	 * Multiplying by 0 or 1 can't overflow of course and checking for 0
-+	 * separately avoids any risk of dividing by 0.  Be careful about dividing
-+	 * INT_MIN by -1 also, note reversing the a and b to ensure we're always
-+	 * dividing it by a positive value.
-+	 *
-+	 */
-+	if ((a > PG_INT32_MAX || a < PG_INT32_MIN ||
-+		 b > PG_INT32_MAX || b < PG_INT32_MIN) &&
-+		a != 0 && a != 1 && b != 0 && b != 1 &&
-+		((a > 0 && b > 0 && a > PG_INT64_MAX / b) ||
-+		 (a > 0 && b < 0 && b < PG_INT64_MIN / a) ||
-+		 (a < 0 && b > 0 && a < PG_INT64_MIN / b) ||
-+		 (a < 0 && b < 0 && a < PG_INT64_MAX / b)))
-+	{
-+		*result = 0x5EED;		/* to avoid spurious warnings */
-+		return true;
-+	}
-+	*result = a * b;
-+	return false;
-+#endif
-+}
-+
-+#endif							/* COMMON_INT_H */
--- 
-2.39.3
-

SPECS/postgresql.spec

@@ -59,7 +59,7 @@ Summary: PostgreSQL client programs
 Name: postgresql
 %global majorversion 10
 Version: %{majorversion}.23
-Release: 3%{?dist}
+Release: 1%{?dist}
 
 # The PostgreSQL license is very similar to other MIT licenses, but the OSI
 # recognizes it as an independent license, so we do as well.
@@ -76,7 +76,7 @@ Url: http://www.postgresql.org/
 %global prev_prefix %{_libdir}/pgsql/postgresql-%{prevmajorversion}
 %global precise_version %{?epoch:%epoch:}%version-%release
 
-%global setup_version 8.7
+%global setup_version 8.6
 
 %global service_name postgresql.service
 Source0: https://ftp.postgresql.org/pub/source/v%{version}/postgresql-%{version}.tar.bz2
@@ -108,9 +108,6 @@ Patch6: postgresql-man.patch
 Patch8: postgresql-no-libs.patch
 Patch9: postgresql-server-pg_config.patch
 Patch10: postgresql-10.15-contrib-dblink-expected-out.patch
-Patch11: postgresql-10.23-CVE-2023-2454.patch
-Patch12: postgresql-10.23-CVE-2023-2455.patch
-Patch13: postgresql-10.23-CVE-2023-5869.patch
 
 BuildRequires: gcc
 BuildRequires: perl(ExtUtils::MakeMaker) glibc-devel bison flex gawk
@@ -370,9 +367,6 @@ benchmarks.
 %patch8 -p1
 %patch9 -p1
 %patch10 -p1
-%patch11 -p1
-%patch12 -p1
-%patch13 -p1
 
 # We used to run autoconf here, but there's no longer any real need to,
 # since Postgres ships with a reasonably modern configure script.
@@ -1177,19 +1171,9 @@ make -C postgresql-setup-%{setup_version} check
 
 
 %changelog
-* Mon Dec 18 2023 Lubos Kloucek <lubos.kloucek@oracle.com> - 10.23-3
-- Resolves: CVE-2023-5869
-
-* Tue Aug 08 2023 David Sloboda <david.x.sloboda@oracle.com> - 10.23-2.0.1
-- Fixed postgresql port binding issue during bootup [Orabug: 35103668]
-
-* Wed Jul 19 2023 Dominik Rehák <drehak@redhat.com> - 10.23-2
-- Backport fixes for CVE-2023-2454 and CVE-2023-2455
-- Update postgresql-setup to 8.7 (https://github.com/devexp-db/postgresql-setup/pull/35)
-- Resolves: #2207931
-
 * Wed Nov 16 2022 Filip Januš <fjanus@redhat.com> - 10.23-1
-- Resolves: CVE-2022-2625
+- Fix CVE-2022-2625
+- Resolves: #2143167
 - Rebase to 10.23
 
 * Mon May 16 2022 Filip Januš <fjanus@redhat.com> - 10.21-1