diff --git a/SOURCES/postgresql-CVE-2023-5869.patch b/SOURCES/postgresql-CVE-2023-5869.patch
new file mode 100644
index 0000000..343de03
--- /dev/null
+++ b/SOURCES/postgresql-CVE-2023-5869.patch
@@ -0,0 +1,615 @@
+This patch was created based on upstream commit:
+https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=18b585155a891784ca8985f595ebc0dde94e0d43
+
+The upstream regression test is not applicable for PG9.2
+
+int.h source file comes from:
+https://git.postgresql.org/gitweb/?p=postgresql.git;a=blob;f=src/include/common/int.h;h=487124473d25b206a985a9742f39b348f50a5324
+
+diff -urN -x '*cscope*' postgresql-9.2.24/src/backend/utils/adt/arrayfuncs.c postgresql-final/src/backend/utils/adt/arrayfuncs.c
+--- postgresql-9.2.24/src/backend/utils/adt/arrayfuncs.c 2017-11-06 23:17:39.000000000 +0100
++++ postgresql-final/src/backend/utils/adt/arrayfuncs.c 2023-11-21 15:20:49.000000000 +0100
+@@ -24,7 +24,7 @@
+ #include "utils/lsyscache.h"
+ #include "utils/memutils.h"
+ #include "utils/typcache.h"
+-
++#include "common/int.h"
+
+ /*
+ * GUC parameter
+@@ -2138,22 +2138,38 @@
+ addedbefore = addedafter = 0;
+
+ /*
+- * Check subscripts
++ * Check subscripts. We assume the existing subscripts passed
++ * ArrayCheckBounds, so that dim[i] + lb[i] can be computed without
++ * overflow. But we must beware of other overflows in our calculations of
++ * new dim[] values.
+ */
+ if (ndim == 1)
+ {
+ if (indx[0] < lb[0])
+ {
+- addedbefore = lb[0] - indx[0];
+- dim[0] += addedbefore;
++ // addedbefore = lb[0] - indx[0];
++ // dim[0] += addedbefore;
++ if (pg_sub_s32_overflow(lb[0], indx[0], &addedbefore) ||
++ pg_add_s32_overflow(dim[0], addedbefore, &dim[0]))
++ ereport(ERROR,
++ (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
++ errmsg("array size exceeds the maximum allowed (%d)",
++ (int) MaxArraySize)));
+ lb[0] = indx[0];
+ if (addedbefore > 1)
+ newhasnulls = true; /* will insert nulls */
+ }
+ if (indx[0] >= (dim[0] + lb[0]))
+ {
+- addedafter = indx[0] - (dim[0] + lb[0]) + 1;
+- dim[0] += addedafter;
++ // addedafter = indx[0] - (dim[0] + lb[0]) + 1;
++ // dim[0] += addedafter;
++ if (pg_sub_s32_overflow(indx[0], dim[0] + lb[0], &addedafter) ||
++ pg_add_s32_overflow(addedafter, 1, &addedafter) ||
++ pg_add_s32_overflow(dim[0], addedafter, &dim[0]))
++ ereport(ERROR,
++ (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
++ errmsg("array size exceeds the maximum allowed (%d)",
++ (int) MaxArraySize)));
+ if (addedafter > 1)
+ newhasnulls = true; /* will insert nulls */
+ }
+@@ -2435,18 +2451,31 @@
+ errmsg("upper bound cannot be less than lower bound")));
+ if (lowerIndx[0] < lb[0])
+ {
+- if (upperIndx[0] < lb[0] - 1)
+- newhasnulls = true; /* will insert nulls */
+- addedbefore = lb[0] - lowerIndx[0];
+- dim[0] += addedbefore;
++ // addedbefore = lb[0] - lowerIndx[0];
++ // dim[0] += addedbefore;
++ if (pg_sub_s32_overflow(lb[0], lowerIndx[0], &addedbefore) ||
++ pg_add_s32_overflow(dim[0], addedbefore, &dim[0]))
++ ereport(ERROR,
++ (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
++ errmsg("array size exceeds the maximum allowed (%d)",
++ (int) MaxArraySize)));
+ lb[0] = lowerIndx[0];
++ if (addedbefore > 1)
++ newhasnulls = true; /* will insert nulls */
+ }
+ if (upperIndx[0] >= (dim[0] + lb[0]))
+ {
+- if (lowerIndx[0] > (dim[0] + lb[0]))
++ if (pg_sub_s32_overflow(upperIndx[0], dim[0] + lb[0], &addedafter) ||
++ pg_add_s32_overflow(addedafter, 1, &addedafter) ||
++ pg_add_s32_overflow(dim[0], addedafter, &dim[0]))
++ ereport(ERROR,
++ (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
++ errmsg("array size exceeds the maximum allowed (%d)",
++ (int) MaxArraySize)));
++ if (addedafter > 1)
+ newhasnulls = true; /* will insert nulls */
+- addedafter = upperIndx[0] - (dim[0] + lb[0]) + 1;
+- dim[0] += addedafter;
++ // addedafter = upperIndx[0] - (dim[0] + lb[0]) + 1;
++ // dim[0] += addedafter;
+ }
+ }
+ else
+diff -urN -x '*cscope*' postgresql-9.2.24/src/backend/utils/adt/arrayutils.c postgresql-final/src/backend/utils/adt/arrayutils.c
+--- postgresql-9.2.24/src/backend/utils/adt/arrayutils.c 2017-11-06 23:17:39.000000000 +0100
++++ postgresql-final/src/backend/utils/adt/arrayutils.c 2023-11-21 15:19:25.000000000 +0100
+@@ -63,10 +63,6 @@
+ * This must do overflow checking, since it is used to validate that a user
+ * dimensionality request doesn't overflow what we can handle.
+ *
+- * We limit array sizes to at most about a quarter billion elements,
+- * so that it's not necessary to check for overflow in quite so many
+- * places --- for instance when palloc'ing Datum arrays.
+- *
+ * The multiplication overflow check only works on machines that have int64
+ * arithmetic, but that is nearly all platforms these days, and doing check
+ * divides for those that don't seems way too expensive.
+@@ -77,7 +73,6 @@
+ int32 ret;
+ int i;
+
+-#define MaxArraySize ((Size) (MaxAllocSize / sizeof(Datum)))
+
+ if (ndim <= 0)
+ return 0;
+diff -urN -x '*cscope*' postgresql-9.2.24/src/include/c.h postgresql-final/src/include/c.h
+--- postgresql-9.2.24/src/include/c.h 2017-11-06 23:17:39.000000000 +0100
++++ postgresql-final/src/include/c.h 2023-11-21 15:19:25.000000000 +0100
+@@ -215,6 +215,23 @@
+ */
+
+ /*
++ * stdint.h limits aren't guaranteed to be present and aren't guaranteed to
++ * have compatible types with our fixed width types. So just define our own.
++ */
++#define PG_INT8_MIN (-0x7F-1)
++#define PG_INT8_MAX (0x7F)
++#define PG_UINT8_MAX (0xFF)
++#define PG_INT16_MIN (-0x7FFF-1)
++#define PG_INT16_MAX (0x7FFF)
++#define PG_UINT16_MAX (0xFFFF)
++#define PG_INT32_MIN (-0x7FFFFFFF-1)
++#define PG_INT32_MAX (0x7FFFFFFF)
++#define PG_UINT32_MAX (0xFFFFFFFFU)
++#define PG_INT64_MIN (-INT64CONST(0x7FFFFFFFFFFFFFFF) - 1)
++#define PG_INT64_MAX INT64CONST(0x7FFFFFFFFFFFFFFF)
++#define PG_UINT64_MAX UINT64CONST(0xFFFFFFFFFFFFFFFF)
++
++/*
+ * Pointer
+ * Variable holding address of any memory resident object.
+ *
+diff -urN -x '*cscope*' postgresql-9.2.24/src/include/common/int.h postgresql-final/src/include/common/int.h
+--- postgresql-9.2.24/src/include/common/int.h 1970-01-01 01:00:00.000000000 +0100
++++ postgresql-final/src/include/common/int.h 2023-11-21 15:19:25.000000000 +0100
+@@ -0,0 +1,441 @@
++/*-------------------------------------------------------------------------
++ *
++ * int.h
++ * Routines to perform integer math, while checking for overflows.
++ *
++ * The routines in this file are intended to be well defined C, without
++ * relying on compiler flags like -fwrapv.
++ *
++ * To reduce the overhead of these routines try to use compiler intrinsics
++ * where available. That's not that important for the 16, 32 bit cases, but
++ * the 64 bit cases can be considerably faster with intrinsics. In case no
++ * intrinsics are available 128 bit math is used where available.
++ *
++ * Copyright (c) 2017-2023, PostgreSQL Global Development Group
++ *
++ * src/include/common/int.h
++ *
++ *-------------------------------------------------------------------------
++ */
++#ifndef COMMON_INT_H
++#define COMMON_INT_H
++
++
++/*---------
++ * The following guidelines apply to all the routines:
++ * - If a + b overflows, return true, otherwise store the result of a + b
++ * into *result. The content of *result is implementation defined in case of
++ * overflow.
++ * - If a - b overflows, return true, otherwise store the result of a - b
++ * into *result. The content of *result is implementation defined in case of
++ * overflow.
++ * - If a * b overflows, return true, otherwise store the result of a * b
++ * into *result. The content of *result is implementation defined in case of
++ * overflow.
++ *---------
++ */
++
++/*------------------------------------------------------------------------
++ * Overflow routines for signed integers
++ *------------------------------------------------------------------------
++ */
++
++/*
++ * INT16
++ */
++static inline bool
++pg_add_s16_overflow(int16 a, int16 b, int16 *result)
++{
++#if defined(HAVE__BUILTIN_OP_OVERFLOW)
++ return __builtin_add_overflow(a, b, result);
++#else
++ int32 res = (int32) a + (int32) b;
++
++ if (res > PG_INT16_MAX || res < PG_INT16_MIN)
++ {
++ *result = 0x5EED; /* to avoid spurious warnings */
++ return true;
++ }
++ *result = (int16) res;
++ return false;
++#endif
++}
++
++static inline bool
++pg_sub_s16_overflow(int16 a, int16 b, int16 *result)
++{
++#if defined(HAVE__BUILTIN_OP_OVERFLOW)
++ return __builtin_sub_overflow(a, b, result);
++#else
++ int32 res = (int32) a - (int32) b;
++
++ if (res > PG_INT16_MAX || res < PG_INT16_MIN)
++ {
++ *result = 0x5EED; /* to avoid spurious warnings */
++ return true;
++ }
++ *result = (int16) res;
++ return false;
++#endif
++}
++
++static inline bool
++pg_mul_s16_overflow(int16 a, int16 b, int16 *result)
++{
++#if defined(HAVE__BUILTIN_OP_OVERFLOW)
++ return __builtin_mul_overflow(a, b, result);
++#else
++ int32 res = (int32) a * (int32) b;
++
++ if (res > PG_INT16_MAX || res < PG_INT16_MIN)
++ {
++ *result = 0x5EED; /* to avoid spurious warnings */
++ return true;
++ }
++ *result = (int16) res;
++ return false;
++#endif
++}
++
++/*
++ * INT32
++ */
++static inline bool
++pg_add_s32_overflow(int32 a, int32 b, int32 *result)
++{
++#if defined(HAVE__BUILTIN_OP_OVERFLOW)
++ return __builtin_add_overflow(a, b, result);
++#else
++ int64 res = (int64) a + (int64) b;
++
++ if (res > PG_INT32_MAX || res < PG_INT32_MIN)
++ {
++ *result = 0x5EED; /* to avoid spurious warnings */
++ return true;
++ }
++ *result = (int32) res;
++ return false;
++#endif
++}
++
++static inline bool
++pg_sub_s32_overflow(int32 a, int32 b, int32 *result)
++{
++#if defined(HAVE__BUILTIN_OP_OVERFLOW)
++ return __builtin_sub_overflow(a, b, result);
++#else
++ int64 res = (int64) a - (int64) b;
++
++ if (res > PG_INT32_MAX || res < PG_INT32_MIN)
++ {
++ *result = 0x5EED; /* to avoid spurious warnings */
++ return true;
++ }
++ *result = (int32) res;
++ return false;
++#endif
++}
++
++static inline bool
++pg_mul_s32_overflow(int32 a, int32 b, int32 *result)
++{
++#if defined(HAVE__BUILTIN_OP_OVERFLOW)
++ return __builtin_mul_overflow(a, b, result);
++#else
++ int64 res = (int64) a * (int64) b;
++
++ if (res > PG_INT32_MAX || res < PG_INT32_MIN)
++ {
++ *result = 0x5EED; /* to avoid spurious warnings */
++ return true;
++ }
++ *result = (int32) res;
++ return false;
++#endif
++}
++
++/*
++ * INT64
++ */
++static inline bool
++pg_add_s64_overflow(int64 a, int64 b, int64 *result)
++{
++#if defined(HAVE__BUILTIN_OP_OVERFLOW)
++ return __builtin_add_overflow(a, b, result);
++#elif defined(HAVE_INT128)
++ int128 res = (int128) a + (int128) b;
++
++ if (res > PG_INT64_MAX || res < PG_INT64_MIN)
++ {
++ *result = 0x5EED; /* to avoid spurious warnings */
++ return true;
++ }
++ *result = (int64) res;
++ return false;
++#else
++ if ((a > 0 && b > 0 && a > PG_INT64_MAX - b) ||
++ (a < 0 && b < 0 && a < PG_INT64_MIN - b))
++ {
++ *result = 0x5EED; /* to avoid spurious warnings */
++ return true;
++ }
++ *result = a + b;
++ return false;
++#endif
++}
++
++static inline bool
++pg_sub_s64_overflow(int64 a, int64 b, int64 *result)
++{
++#if defined(HAVE__BUILTIN_OP_OVERFLOW)
++ return __builtin_sub_overflow(a, b, result);
++#elif defined(HAVE_INT128)
++ int128 res = (int128) a - (int128) b;
++
++ if (res > PG_INT64_MAX || res < PG_INT64_MIN)
++ {
++ *result = 0x5EED; /* to avoid spurious warnings */
++ return true;
++ }
++ *result = (int64) res;
++ return false;
++#else
++ /*
++ * Note: overflow is also possible when a == 0 and b < 0 (specifically,
++ * when b == PG_INT64_MIN).
++ */
++ if ((a < 0 && b > 0 && a < PG_INT64_MIN + b) ||
++ (a >= 0 && b < 0 && a > PG_INT64_MAX + b))
++ {
++ *result = 0x5EED; /* to avoid spurious warnings */
++ return true;
++ }
++ *result = a - b;
++ return false;
++#endif
++}
++
++static inline bool
++pg_mul_s64_overflow(int64 a, int64 b, int64 *result)
++{
++#if defined(HAVE__BUILTIN_OP_OVERFLOW)
++ return __builtin_mul_overflow(a, b, result);
++#elif defined(HAVE_INT128)
++ int128 res = (int128) a * (int128) b;
++
++ if (res > PG_INT64_MAX || res < PG_INT64_MIN)
++ {
++ *result = 0x5EED; /* to avoid spurious warnings */
++ return true;
++ }
++ *result = (int64) res;
++ return false;
++#else
++ /*
++ * Overflow can only happen if at least one value is outside the range
++ * sqrt(min)..sqrt(max) so check that first as the division can be quite a
++ * bit more expensive than the multiplication.
++ *
++ * Multiplying by 0 or 1 can't overflow of course and checking for 0
++ * separately avoids any risk of dividing by 0. Be careful about dividing
++ * INT_MIN by -1 also, note reversing the a and b to ensure we're always
++ * dividing it by a positive value.
++ *
++ */
++ if ((a > PG_INT32_MAX || a < PG_INT32_MIN ||
++ b > PG_INT32_MAX || b < PG_INT32_MIN) &&
++ a != 0 && a != 1 && b != 0 && b != 1 &&
++ ((a > 0 && b > 0 && a > PG_INT64_MAX / b) ||
++ (a > 0 && b < 0 && b < PG_INT64_MIN / a) ||
++ (a < 0 && b > 0 && a < PG_INT64_MIN / b) ||
++ (a < 0 && b < 0 && a < PG_INT64_MAX / b)))
++ {
++ *result = 0x5EED; /* to avoid spurious warnings */
++ return true;
++ }
++ *result = a * b;
++ return false;
++#endif
++}
++
++/*------------------------------------------------------------------------
++ * Overflow routines for unsigned integers
++ *------------------------------------------------------------------------
++ */
++
++/*
++ * UINT16
++ */
++static inline bool
++pg_add_u16_overflow(uint16 a, uint16 b, uint16 *result)
++{
++#if defined(HAVE__BUILTIN_OP_OVERFLOW)
++ return __builtin_add_overflow(a, b, result);
++#else
++ uint16 res = a + b;
++
++ if (res < a)
++ {
++ *result = 0x5EED; /* to avoid spurious warnings */
++ return true;
++ }
++ *result = res;
++ return false;
++#endif
++}
++
++static inline bool
++pg_sub_u16_overflow(uint16 a, uint16 b, uint16 *result)
++{
++#if defined(HAVE__BUILTIN_OP_OVERFLOW)
++ return __builtin_sub_overflow(a, b, result);
++#else
++ if (b > a)
++ {
++ *result = 0x5EED; /* to avoid spurious warnings */
++ return true;
++ }
++ *result = a - b;
++ return false;
++#endif
++}
++
++static inline bool
++pg_mul_u16_overflow(uint16 a, uint16 b, uint16 *result)
++{
++#if defined(HAVE__BUILTIN_OP_OVERFLOW)
++ return __builtin_mul_overflow(a, b, result);
++#else
++ uint32 res = (uint32) a * (uint32) b;
++
++ if (res > PG_UINT16_MAX)
++ {
++ *result = 0x5EED; /* to avoid spurious warnings */
++ return true;
++ }
++ *result = (uint16) res;
++ return false;
++#endif
++}
++
++/*
++ * INT32
++ */
++static inline bool
++pg_add_u32_overflow(uint32 a, uint32 b, uint32 *result)
++{
++#if defined(HAVE__BUILTIN_OP_OVERFLOW)
++ return __builtin_add_overflow(a, b, result);
++#else
++ uint32 res = a + b;
++
++ if (res < a)
++ {
++ *result = 0x5EED; /* to avoid spurious warnings */
++ return true;
++ }
++ *result = res;
++ return false;
++#endif
++}
++
++static inline bool
++pg_sub_u32_overflow(uint32 a, uint32 b, uint32 *result)
++{
++#if defined(HAVE__BUILTIN_OP_OVERFLOW)
++ return __builtin_sub_overflow(a, b, result);
++#else
++ if (b > a)
++ {
++ *result = 0x5EED; /* to avoid spurious warnings */
++ return true;
++ }
++ *result = a - b;
++ return false;
++#endif
++}
++
++static inline bool
++pg_mul_u32_overflow(uint32 a, uint32 b, uint32 *result)
++{
++#if defined(HAVE__BUILTIN_OP_OVERFLOW)
++ return __builtin_mul_overflow(a, b, result);
++#else
++ uint64 res = (uint64) a * (uint64) b;
++
++ if (res > PG_UINT32_MAX)
++ {
++ *result = 0x5EED; /* to avoid spurious warnings */
++ return true;
++ }
++ *result = (uint32) res;
++ return false;
++#endif
++}
++
++/*
++ * UINT64
++ */
++static inline bool
++pg_add_u64_overflow(uint64 a, uint64 b, uint64 *result)
++{
++#if defined(HAVE__BUILTIN_OP_OVERFLOW)
++ return __builtin_add_overflow(a, b, result);
++#else
++ uint64 res = a + b;
++
++ if (res < a)
++ {
++ *result = 0x5EED; /* to avoid spurious warnings */
++ return true;
++ }
++ *result = res;
++ return false;
++#endif
++}
++
++static inline bool
++pg_sub_u64_overflow(uint64 a, uint64 b, uint64 *result)
++{
++#if defined(HAVE__BUILTIN_OP_OVERFLOW)
++ return __builtin_sub_overflow(a, b, result);
++#else
++ if (b > a)
++ {
++ *result = 0x5EED; /* to avoid spurious warnings */
++ return true;
++ }
++ *result = a - b;
++ return false;
++#endif
++}
++
++static inline bool
++pg_mul_u64_overflow(uint64 a, uint64 b, uint64 *result)
++{
++#if defined(HAVE__BUILTIN_OP_OVERFLOW)
++ return __builtin_mul_overflow(a, b, result);
++#elif defined(HAVE_INT128)
++ uint128 res = (uint128) a * (uint128) b;
++
++ if (res > PG_UINT64_MAX)
++ {
++ *result = 0x5EED; /* to avoid spurious warnings */
++ return true;
++ }
++ *result = (uint64) res;
++ return false;
++#else
++ uint64 res = a * b;
++
++ if (a != 0 && b != res / a)
++ {
++ *result = 0x5EED; /* to avoid spurious warnings */
++ return true;
++ }
++ *result = res;
++ return false;
++#endif
++}
++
++#endif /* COMMON_INT_H */
+diff -urN -x '*cscope*' postgresql-9.2.24/src/include/utils/array.h postgresql-final/src/include/utils/array.h
+--- postgresql-9.2.24/src/include/utils/array.h 2017-11-06 23:17:39.000000000 +0100
++++ postgresql-final/src/include/utils/array.h 2023-11-21 15:19:25.000000000 +0100
+@@ -59,6 +59,14 @@
+ #include "fmgr.h"
+
+ /*
++* Maximum number of elements in an array. We limit this to at most about a
++* quarter billion elements, so that it's not necessary to check for overflow
++* in quite so many places --- for instance when palloc'ing Datum arrays.
++*/
++#define MaxArraySize ((Size) (MaxAllocSize / sizeof(Datum)))
++
++
++/*
+ * Arrays are varlena objects, so must meet the varlena convention that
+ * the first int32 of the object contains the total object size in bytes.
+ * Be sure to use VARSIZE() and SET_VARSIZE() to access it, though!
diff --git a/SPECS/postgresql.spec b/SPECS/postgresql.spec
index e1c7178..34bd520 100644
--- a/SPECS/postgresql.spec
+++ b/SPECS/postgresql.spec
@@ -63,7 +63,7 @@ Summary: PostgreSQL client programs
Name: postgresql
%global majorversion 9.2
Version: 9.2.24
-Release: 8%{?dist}
+Release: 9%{?dist}
# The PostgreSQL license is very similar to other MIT licenses, but the OSI
# recognizes it as an independent license, so we do as well.
@@ -158,11 +158,16 @@ Patch18: postgresql-9.2.24-CVE-2020-25695.patch
Patch19: postgresql-9.2.24-CVE-2019-10208.patch
Patch20: postgresql-CVE-2021-32027.patch
-# Backport fox for: CVE-2022-1552
+# Backport fix for: CVE-2022-1552
# Upstream commit: a117cebd638dd02e5c2e791c25e43745f233111b
# See: https://bugzilla.redhat.com/show_bug.cgi?id=2081126
Patch21: postgresql-CVE-2022-1552.patch
+# Backport fix for: CVE-2023-5869
+# Upstream commit: 18b585155a891784ca8985f595ebc0dde94e0d43
+# BZ: https://bugzilla.redhat.com/show_bug.cgi?id=2247169
+Patch22: postgresql-CVE-2023-5869.patch
+
BuildRequires: perl(ExtUtils::MakeMaker) glibc-devel bison flex gawk help2man
BuildRequires: perl(ExtUtils::Embed), perl-devel
BuildRequires: readline-devel zlib-devel
@@ -408,6 +413,7 @@ benchmarks.
%patch19 -p1
%patch20 -p1
%patch21 -p1
+%patch22 -p1
# We used to run autoconf here, but there's no longer any real need to,
# since Postgres ships with a reasonably modern configure script.
@@ -1205,6 +1211,9 @@ fi
%endif
%changelog
+* Thu Nov 16 2023 Filip Janus <fjanus@redhat.com> - 9.2.24-9
+- Backport fix for CVE-2023-5869
+
* Wed Jun 1 2022 Filip Januš <fjanus@redhat.com> - 9.2.24-8
- Resolves: CVE-2022-1552
- Backport upstrem fix: a117cebd638dd02e5c2e791c25e43745f233111b