postgresql: Update to 14.9

This is a minor release to address CVEs and other bug fixes without new features. Remove patches that are fixed in this release. Release notes are available at: https://www.postgresql.org/docs/release/14.6/ https://www.postgresql.org/docs/release/14.7/ https://www.postgresql.org/docs/release/14.8/ https://www.postgresql.org/docs/release/14.9/ License-Update: Copyright year updated Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org> [Fixup patch fuzzy] Signed-off-by: Armin Kuster <akuster808@gmail.com>
2026-01-01 13:58:06 +00:00 · 2023-08-20 19:12:57 -07:00 · 2023-08-20 19:12:57 -07:00 · 4aeca7b2b3
commit 4aeca7b2b3
parent ac60beb44f
11 changed files with 31 additions and 479 deletions
--- a/meta-oe/recipes-dbs/postgresql/files/0001-Add-support-for-RISC-V.patch
+++ b/meta-oe/recipes-dbs/postgresql/files/0001-Add-support-for-RISC-V.patch
@ -1,16 +1,17 @@
-From 780fd27ea6f7f2c446c46a7a5e26d94106c67efd Mon Sep 17 00:00:00 2001
+From 0801befde991250b4502954fdec61bec8c33da3b Mon Sep 17 00:00:00 2001
 From: "Richard W.M. Jones" <rjones@redhat.com>
 Date: Sun, 20 Nov 2016 15:04:52 +0000
 Subject: [PATCH] Add support for RISC-V.

 The architecture is sufficiently similar to aarch64 that simply
 extending the existing aarch64 macro works.
+
 ---
 src/include/storage/s_lock.h | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

 diff --git a/src/include/storage/s_lock.h b/src/include/storage/s_lock.h
-index dccbd29..ad60429 100644
+index 95049f0..e08c963 100644
 --- a/src/include/storage/s_lock.h
 +++ b/src/include/storage/s_lock.h
@@ -317,11 +317,12 @@ tas(volatile slock_t *lock)
@ -35,7 +36,4 @@ index dccbd29..ad60429 100644
 +#endif	 /* __arm__ || __arm || __aarch64__ || __aarch64 || __riscv */
 
 
- /*
-- 
-2.34.1
-
+ /* S/390 and S/390x Linux (32- and 64-bit zSeries) */
--- a/meta-oe/recipes-dbs/postgresql/files/0001-Improve-reproducibility.patch
+++ b/meta-oe/recipes-dbs/postgresql/files/0001-Improve-reproducibility.patch
@ -1,4 +1,4 @@
-From bbba8a5261a99e79c9cd4693ef56021014a9856b Mon Sep 17 00:00:00 2001
+From e167d58d6be1b1ee4d49571650444700ab97ed7c Mon Sep 17 00:00:00 2001
 From: Changqing Li <changqing.li@windriver.com>
 Date: Mon, 28 Dec 2020 16:38:21 +0800
 Subject: [PATCH] Improve reproducibility,
@ -18,6 +18,7 @@ Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>

 update patch for v13.1
 Signed-off-by: Changqing Li <changqing.li@windriver.com>
+
 ---
 src/common/Makefile | 3 ---
 1 file changed, 3 deletions(-)
@ -36,6 +37,3 @@ index 880722f..7a9b9d4 100644
 override CPPFLAGS += -DVAL_CFLAGS_SL="\"$(CFLAGS_SL)\""
 override CPPFLAGS += -DVAL_LDFLAGS="\"$(STD_LDFLAGS)\""
 override CPPFLAGS += -DVAL_LDFLAGS_EX="\"$(LDFLAGS_EX)\""
-- 
-2.34.1
-
--- a/meta-oe/recipes-dbs/postgresql/files/0001-Properly-NULL-terminate-GSS-receive-buffer-on-error-.patch
+++ b/meta-oe/recipes-dbs/postgresql/files/0001-Properly-NULL-terminate-GSS-receive-buffer-on-error-.patch
@ -1,50 +0,0 @@
-From 586b074026d703c29057b04b1318e984701fe195 Mon Sep 17 00:00:00 2001
-From: Changqing Li <changqing.li@windriver.com>
-Date: Thu, 2 Mar 2023 19:10:47 +0800
-Subject: [PATCH] Properly NULL-terminate GSS receive buffer on error packet
- reception
-
-pqsecure_open_gss() includes a code path handling error messages with
-v2-style protocol messages coming from the server.  The client-side
-buffer holding the error message does not force a NULL-termination, with
-the data of the server getting copied to the errorMessage of the
-connection.  Hence, it would be possible for a server to send an
-unterminated string and copy arbitrary bytes in the buffer receiving the
-error message in the client, opening the door to a crash or even data
-exposure.
-
-As at this stage of the authentication process the exchange has not been
-completed yet, this could be abused by an attacker without Kerberos
-credentials.  Clients that have a valid kerberos cache are vulnerable as
-libpq opportunistically requests for it except if gssencmode is
-disabled.
-
-Author: Jacob Champion
-Backpatch-through: 12
-Security: CVE-2022-41862
-
-Upstream-Status: Backport [https://github.com/postgres/postgres/commit/71c37797d7bd78266146a5829ab62b3687c47295]
-CVE: CVE-2022-41862
-
-Signed-off-by: Changqing Li <changqing.li@windriver.com>
---
- src/interfaces/libpq/fe-secure-gssapi.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/src/interfaces/libpq/fe-secure-gssapi.c b/src/interfaces/libpq/fe-secure-gssapi.c
-index c783a53..a42ebc0 100644
--- a/src/interfaces/libpq/fe-secure-gssapi.c
-+++ b/src/interfaces/libpq/fe-secure-gssapi.c
-@@ -577,7 +577,8 @@ pqsecure_open_gss(PGconn *conn)
- 				return result;
- 
- 			PqGSSRecvLength += ret;
-
-+			Assert(PqGSSRecvLength < PQ_GSS_RECV_BUFFER_SIZE);
-+			PqGSSRecvBuffer[PqGSSRecvLength] = '\0';
- 			appendPQExpBuffer(&conn->errorMessage, "%s\n", PqGSSRecvBuffer + 1);
- 
- 			return PGRES_POLLING_FAILED;
-- 
-2.25.1
-
--- a/meta-oe/recipes-dbs/postgresql/files/0001-config_info.c-not-expose-build-info.patch
+++ b/meta-oe/recipes-dbs/postgresql/files/0001-config_info.c-not-expose-build-info.patch
@ -1,4 +1,4 @@
-From b92eebe8b0760fee7bd55c6c22318620c2c07579 Mon Sep 17 00:00:00 2001
+From 805f03529c7fc33685979651562112bab524e5a5 Mon Sep 17 00:00:00 2001
 From: Mingli Yu <mingli.yu@windriver.com>
 Date: Mon, 1 Aug 2022 15:44:38 +0800
 Subject: [PATCH] config_info.c: not expose build info
@ -8,13 +8,14 @@ Don't collect the build information to fix the buildpaths issue.
 Upstream-Status: Inappropriate [oe specific]

 Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+
 ---
 configure.ac             |  2 +-
- src/common/config_info.c | 68 ----------------------------------------
- 2 files changed, 1 insertion(+), 69 deletions(-)
+ src/common/config_info.c | 70 +---------------------------------------
+ 2 files changed, 2 insertions(+), 70 deletions(-)

 diff --git a/configure.ac b/configure.ac
-index 0eb595b..508487b 100644
+index 54a539e..c6edc0a 100644
 --- a/configure.ac
 +++ b/configure.ac
@@ -23,7 +23,7 @@ AC_COPYRIGHT([Copyright (c) 1996-2021, PostgreSQL Global Development Group])
@ -27,10 +28,10 @@ index 0eb595b..508487b 100644
 [PG_MAJORVERSION=`expr "$PACKAGE_VERSION" : '\([0-9][0-9]*\)'`]
 [PG_MINORVERSION=`expr "$PACKAGE_VERSION" : '.*\.\([0-9][0-9]*\)'`]
 diff --git a/src/common/config_info.c b/src/common/config_info.c
-index e72e729..b482c20 100644
+index e72e729..a020236 100644
 --- a/src/common/config_info.c
 +++ b/src/common/config_info.c
-@@ -38,7 +38,7 @@
+@@ -38,7 +38,7 @@ get_configdata(const char *my_exec_path, size_t *configdata_len)
 	int			i = 0;
 
 	/* Adjust this to match the number of items filled below */
@ -39,7 +40,7 @@ index e72e729..b482c20 100644
 	configdata = (ConfigData *) palloc(*configdata_len * sizeof(ConfigData));
 
 	configdata[i].name = pstrdup("BINDIR");
-@@ -123,74 +123,6 @@
+@@ -123,74 +123,6 @@ get_configdata(const char *my_exec_path, size_t *configdata_len)
 	configdata[i].setting = pstrdup(path);
 	i++;
 
@ -114,6 +115,3 @@ index e72e729..b482c20 100644
 	configdata[i].name = pstrdup("VERSION");
 	configdata[i].setting = pstrdup("PostgreSQL " PG_VERSION);
 	i++;
-- 
-2.25.1
-
--- a/meta-oe/recipes-dbs/postgresql/files/0001-configure.ac-bypass-autoconf-2.69-version-check.patch
+++ b/meta-oe/recipes-dbs/postgresql/files/0001-configure.ac-bypass-autoconf-2.69-version-check.patch
@ -1,4 +1,4 @@
-From 258c6bd2ad96f2c42f1cb5f4c84e4ca5865059f0 Mon Sep 17 00:00:00 2001
+From 2d3ac7b2eab1bba53c1729e8edb9f8a86700b60f Mon Sep 17 00:00:00 2001
 From: Yi Fan Yu <yifan.yu@windriver.com>
 Date: Fri, 5 Feb 2021 17:15:42 -0500
 Subject: [PATCH] configure.ac: bypass autoconf 2.69 version check
@ -14,12 +14,12 @@ Signed-off-by: Yi Fan Yu <yifan.yu@windriver.com>
 1 file changed, 4 deletions(-)

 diff --git a/configure.ac b/configure.ac
-index ffe878e..c39799b 100644
+index d0f0b14..54a539e 100644
 --- a/configure.ac
 +++ b/configure.ac
@@ -19,10 +19,6 @@ m4_pattern_forbid(^PGAC_)dnl to catch undefined macros
 
- AC_INIT([PostgreSQL], [14.5], [pgsql-bugs@lists.postgresql.org], [], [https://www.postgresql.org/])
+ AC_INIT([PostgreSQL], [14.9], [pgsql-bugs@lists.postgresql.org], [], [https://www.postgresql.org/])
 
 -m4_if(m4_defn([m4_PACKAGE_VERSION]), [2.69], [], [m4_fatal([Autoconf version 2.69 is required.
 -Untested combinations of 'autoconf' and PostgreSQL versions are not
--- a/meta-oe/recipes-dbs/postgresql/files/0001-postgresql-fix-ptest-failure-of-sysviews.patch
+++ b/meta-oe/recipes-dbs/postgresql/files/0001-postgresql-fix-ptest-failure-of-sysviews.patch
@ -1,4 +1,4 @@
-From 9f81377dddfe32d950844d7053020a36b40fce08 Mon Sep 17 00:00:00 2001
+From 5a17b7b88776cbbe5b37838baff71726b8a6e7dd Mon Sep 17 00:00:00 2001
 From: Manoj Saun <manojsingh.saun@windriver.com>
 Date: Wed, 22 Mar 2023 08:07:26 +0000
 Subject: [PATCH] postgresql: fix ptest failure of sysviews
@ -13,14 +13,17 @@ to make the test output shown as pass.
 Upstream-Status: Inappropriate [oe specific]

 Signed-off-by: Manoj Saun <manojsingh.saun@windriver.com>
+
 ---
 src/test/regress/expected/sysviews.out | 2 +-
 src/test/regress/sql/sysviews.sql      | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

+diff --git a/src/test/regress/expected/sysviews.out b/src/test/regress/expected/sysviews.out
+index 2088857..96a15cc 100644
 --- a/src/test/regress/expected/sysviews.out
 +++ b/src/test/regress/expected/sysviews.out
-@@ -29,7 +29,7 @@ select name, ident, parent, level, total
+@@ -29,7 +29,7 @@ select name, ident, parent, level, total_bytes >= free_bytes
 (1 row)
 
 -- At introduction, pg_config had 23 entries; it may grow
@ -29,9 +32,11 @@ Signed-off-by: Manoj Saun <manojsingh.saun@windriver.com>
  ok 
 ----
  t
+diff --git a/src/test/regress/sql/sysviews.sql b/src/test/regress/sql/sysviews.sql
+index b24816e..72ff887 100644
 --- a/src/test/regress/sql/sysviews.sql
 +++ b/src/test/regress/sql/sysviews.sql
-@@ -18,7 +18,7 @@ select name, ident, parent, level, total
+@@ -18,7 +18,7 @@ select name, ident, parent, level, total_bytes >= free_bytes
   from pg_backend_memory_contexts where level = 0;
 
 -- At introduction, pg_config had 23 entries; it may grow
--- a/meta-oe/recipes-dbs/postgresql/files/CVE-2023-2454.patch
+++ b/meta-oe/recipes-dbs/postgresql/files/CVE-2023-2454.patch
@ -1,235 +0,0 @@
-From 23cb8eaeb97df350273cb8902e55842a955339c8 Mon Sep 17 00:00:00 2001
-From: Noah Misch <noah@leadboat.com>
-Date: Mon, 8 May 2023 06:14:07 -0700
-Subject: [PATCH] Replace last PushOverrideSearchPath() call with
- set_config_option().
-
-The two methods don't cooperate, so set_config_option("search_path",
-...) has been ineffective under non-empty overrideStack.  This defect
-enabled an attacker having database-level CREATE privilege to execute
-arbitrary code as the bootstrap superuser.  While that particular attack
-requires v13+ for the trusted extension attribute, other attacks are
-feasible in all supported versions.
-
-Standardize on the combination of NewGUCNestLevel() and
-set_config_option("search_path", ...).  It is newer than
-PushOverrideSearchPath(), more-prevalent, and has no known
-disadvantages.  The "override" mechanism remains for now, for
-compatibility with out-of-tree code.  Users should update such code,
-which likely suffers from the same sort of vulnerability closed here.
-Back-patch to v11 (all supported versions).
-
-Alexander Lakhin.  Reported by Alexander Lakhin.
-
-Security: CVE-2023-2454
-
-Upstream-Status: Backport [https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=23cb8eaeb97df350273cb8902e55842a955339c8]
-CVE: CVE-2023-2454
-Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
---
- src/backend/catalog/namespace.c         |  4 +++
- src/backend/commands/schemacmds.c       | 37 ++++++++++++++------
- src/test/regress/expected/namespace.out | 45 +++++++++++++++++++++++++
- src/test/regress/sql/namespace.sql      | 24 +++++++++++++
- 4 files changed, 100 insertions(+), 10 deletions(-)
-
-diff --git a/src/backend/catalog/namespace.c b/src/backend/catalog/namespace.c
-index 81b6472..0175a91 100644
--- a/src/backend/catalog/namespace.c
-+++ b/src/backend/catalog/namespace.c
-@@ -3518,6 +3518,10 @@ OverrideSearchPathMatchesCurrent(OverrideSearchPath *path)
- /*
-  * PushOverrideSearchPath - temporarily override the search path
-  *
-+ * Do not use this function; almost any usage introduces a security
-+ * vulnerability.  It exists for the benefit of legacy code running in
-+ * non-security-sensitive environments.
-+ *
-  * We allow nested overrides, hence the push/pop terminology.  The GUC
-  * search_path variable is ignored while an override is active.
-  *
-diff --git a/src/backend/commands/schemacmds.c b/src/backend/commands/schemacmds.c
-index 66306d1..ecd0cbb 100644
--- a/src/backend/commands/schemacmds.c
-+++ b/src/backend/commands/schemacmds.c
-@@ -29,6 +29,7 @@
- #include "commands/schemacmds.h"
- #include "miscadmin.h"
- #include "parser/parse_utilcmd.h"
-+#include "parser/scansup.h"
- #include "tcop/utility.h"
- #include "utils/acl.h"
- #include "utils/builtins.h"
-@@ -52,14 +53,16 @@ CreateSchemaCommand(CreateSchemaStmt *stmt, const char *queryString,
- {
- 	const char *schemaName = stmt->schemaname;
- 	Oid			namespaceId;
-	OverrideSearchPath *overridePath;
- 	List	   *parsetree_list;
- 	ListCell   *parsetree_item;
- 	Oid			owner_uid;
- 	Oid			saved_uid;
- 	int			save_sec_context;
-+	int			save_nestlevel;
-+	char	   *nsp = namespace_search_path;
- 	AclResult	aclresult;
- 	ObjectAddress address;
-+	StringInfoData pathbuf;
- 
- 	GetUserIdAndSecContext(&saved_uid, &save_sec_context);
- 
-@@ -152,14 +155,26 @@ CreateSchemaCommand(CreateSchemaStmt *stmt, const char *queryString,
- 	CommandCounterIncrement();
- 
- 	/*
-	 * Temporarily make the new namespace be the front of the search path, as
-	 * well as the default creation target namespace.  This will be undone at
-	 * the end of this routine, or upon error.
-+	 * Prepend the new schema to the current search path.
-+	 *
-+	 * We use the equivalent of a function SET option to allow the setting to
-+	 * persist for exactly the duration of the schema creation.  guc.c also
-+	 * takes care of undoing the setting on error.
- 	 */
-	overridePath = GetOverrideSearchPath(CurrentMemoryContext);
-	overridePath->schemas = lcons_oid(namespaceId, overridePath->schemas);
-	/* XXX should we clear overridePath->useTemp? */
-	PushOverrideSearchPath(overridePath);
-+	save_nestlevel = NewGUCNestLevel();
-+
-+	initStringInfo(&pathbuf);
-+	appendStringInfoString(&pathbuf, quote_identifier(schemaName));
-+
-+	while (scanner_isspace(*nsp))
-+		nsp++;
-+
-+	if (*nsp != '\0')
-+		appendStringInfo(&pathbuf, ", %s", nsp);
-+
-+	(void) set_config_option("search_path", pathbuf.data,
-+							 PGC_USERSET, PGC_S_SESSION,
-+							 GUC_ACTION_SAVE, true, 0, false);
- 
- 	/*
- 	 * Report the new schema to possibly interested event triggers.  Note we
-@@ -213,8 +228,10 @@ CreateSchemaCommand(CreateSchemaStmt *stmt, const char *queryString,
- 		CommandCounterIncrement();
- 	}
- 
-	/* Reset search path to normal state */
-	PopOverrideSearchPath();
-+	/*
-+	 * Restore the GUC variable search_path we set above.
-+	 */
-+	AtEOXact_GUC(true, save_nestlevel);
- 
- 	/* Reset current user and security context */
- 	SetUserIdAndSecContext(saved_uid, save_sec_context);
-diff --git a/src/test/regress/expected/namespace.out b/src/test/regress/expected/namespace.out
-index 2564d1b..a62fd8d 100644
--- a/src/test/regress/expected/namespace.out
-+++ b/src/test/regress/expected/namespace.out
-@@ -1,6 +1,14 @@
- --
- -- Regression tests for schemas (namespaces)
- --
-+-- set the whitespace-only search_path to test that the
-+-- GUC list syntax is preserved during a schema creation
-+SELECT pg_catalog.set_config('search_path', ' ', false);
-+ set_config 
-+------------
-+  
-+(1 row)
-+
- CREATE SCHEMA test_ns_schema_1
-        CREATE UNIQUE INDEX abc_a_idx ON abc (a)
-        CREATE VIEW abc_view AS
-@@ -9,6 +17,43 @@ CREATE SCHEMA test_ns_schema_1
-               a serial,
-               b int UNIQUE
-        );
-+-- verify that the correct search_path restored on abort
-+SET search_path to public;
-+BEGIN;
-+SET search_path to public, test_ns_schema_1;
-+CREATE SCHEMA test_ns_schema_2
-+       CREATE VIEW abc_view AS SELECT c FROM abc;
-+ERROR:  column "c" does not exist
-+LINE 2:        CREATE VIEW abc_view AS SELECT c FROM abc;
-+                                              ^
-+COMMIT;
-+SHOW search_path;
-+ search_path 
-+-------------
-+ public
-+(1 row)
-+
-+-- verify that the correct search_path preserved
-+-- after creating the schema and on commit
-+BEGIN;
-+SET search_path to public, test_ns_schema_1;
-+CREATE SCHEMA test_ns_schema_2
-+       CREATE VIEW abc_view AS SELECT a FROM abc;
-+SHOW search_path;
-+       search_path        
-+--------------------------
-+ public, test_ns_schema_1
-+(1 row)
-+
-+COMMIT;
-+SHOW search_path;
-+       search_path        
-+--------------------------
-+ public, test_ns_schema_1
-+(1 row)
-+
-+DROP SCHEMA test_ns_schema_2 CASCADE;
-+NOTICE:  drop cascades to view test_ns_schema_2.abc_view
- -- verify that the objects were created
- SELECT COUNT(*) FROM pg_class WHERE relnamespace =
-     (SELECT oid FROM pg_namespace WHERE nspname = 'test_ns_schema_1');
-diff --git a/src/test/regress/sql/namespace.sql b/src/test/regress/sql/namespace.sql
-index 6b12c96..3474f5e 100644
--- a/src/test/regress/sql/namespace.sql
-+++ b/src/test/regress/sql/namespace.sql
-@@ -2,6 +2,10 @@
- -- Regression tests for schemas (namespaces)
- --
- 
-+-- set the whitespace-only search_path to test that the
-+-- GUC list syntax is preserved during a schema creation
-+SELECT pg_catalog.set_config('search_path', ' ', false);
-+
- CREATE SCHEMA test_ns_schema_1
-        CREATE UNIQUE INDEX abc_a_idx ON abc (a)
- 
-@@ -13,6 +17,26 @@ CREATE SCHEMA test_ns_schema_1
-               b int UNIQUE
-        );
- 
-+-- verify that the correct search_path restored on abort
-+SET search_path to public;
-+BEGIN;
-+SET search_path to public, test_ns_schema_1;
-+CREATE SCHEMA test_ns_schema_2
-+       CREATE VIEW abc_view AS SELECT c FROM abc;
-+COMMIT;
-+SHOW search_path;
-+
-+-- verify that the correct search_path preserved
-+-- after creating the schema and on commit
-+BEGIN;
-+SET search_path to public, test_ns_schema_1;
-+CREATE SCHEMA test_ns_schema_2
-+       CREATE VIEW abc_view AS SELECT a FROM abc;
-+SHOW search_path;
-+COMMIT;
-+SHOW search_path;
-+DROP SCHEMA test_ns_schema_2 CASCADE;
-+
- -- verify that the objects were created
- SELECT COUNT(*) FROM pg_class WHERE relnamespace =
-     (SELECT oid FROM pg_namespace WHERE nspname = 'test_ns_schema_1');
-- 
-2.25.1
-
--- a/meta-oe/recipes-dbs/postgresql/files/CVE-2023-2455.patch
+++ b/meta-oe/recipes-dbs/postgresql/files/CVE-2023-2455.patch
@ -1,118 +0,0 @@
-From 473626cf00babd829eb15c36b51dfb358d32bc95 Mon Sep 17 00:00:00 2001
-From: Tom Lane <tgl@sss.pgh.pa.us>
-Date: Mon, 8 May 2023 10:12:45 -0400
-Subject: [PATCH] Handle RLS dependencies in inlined set-returning functions
- properly.
-
-If an SRF in the FROM clause references a table having row-level
-security policies, and we inline that SRF into the calling query,
-we neglected to mark the plan as potentially dependent on which
-role is executing it.  This could lead to later executions in the
-same session returning or hiding rows that should have been hidden
-or returned instead.
-
-Our thanks to Wolfgang Walther for reporting this problem.
-
-Stephen Frost and Tom Lane
-
-Security: CVE-2023-2455
-
-Upstream-Status: Backport [https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=473626cf00babd829eb15c36b51dfb358d32bc95]
-CVE: CVE-2023-2455
-Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
---
- src/backend/optimizer/util/clauses.c      |  7 ++++++
- src/test/regress/expected/rowsecurity.out | 27 +++++++++++++++++++++++
- src/test/regress/sql/rowsecurity.sql      | 20 +++++++++++++++++
- 3 files changed, 54 insertions(+)
-
-diff --git a/src/backend/optimizer/util/clauses.c b/src/backend/optimizer/util/clauses.c
-index 9d7aa8b..da50bef 100644
--- a/src/backend/optimizer/util/clauses.c
-+++ b/src/backend/optimizer/util/clauses.c
-@@ -5095,6 +5095,13 @@ inline_set_returning_function(PlannerInfo *root, RangeTblEntry *rte)
- 	 */
- 	record_plan_function_dependency(root, func_oid);
- 
-+	/*
-+	 * We must also notice if the inserted query adds a dependency on the
-+	 * calling role due to RLS quals.
-+	 */
-+	if (querytree->hasRowSecurity)
-+		root->glob->dependsOnRole = true;
-+
- 	return querytree;
- 
- 	/* Here if func is not inlinable: release temp memory and return NULL */
-diff --git a/src/test/regress/expected/rowsecurity.out b/src/test/regress/expected/rowsecurity.out
-index 89397e4..379f988 100644
--- a/src/test/regress/expected/rowsecurity.out
-+++ b/src/test/regress/expected/rowsecurity.out
-@@ -3982,6 +3982,33 @@ SELECT * FROM rls_tbl;
- 
- DROP TABLE rls_tbl;
- RESET SESSION AUTHORIZATION;
-+-- CVE-2023-2455: inlining an SRF may introduce an RLS dependency
-+create table rls_t (c text);
-+insert into rls_t values ('invisible to bob');
-+alter table rls_t enable row level security;
-+grant select on rls_t to regress_rls_alice, regress_rls_bob;
-+create policy p1 on rls_t for select to regress_rls_alice using (true);
-+create policy p2 on rls_t for select to regress_rls_bob using (false);
-+create function rls_f () returns setof rls_t
-+  stable language sql
-+  as $$ select * from rls_t $$;
-+prepare q as select current_user, * from rls_f();
-+set role regress_rls_alice;
-+execute q;
-+   current_user    |        c         
-+-------------------+------------------
-+ regress_rls_alice | invisible to bob
-+(1 row)
-+
-+set role regress_rls_bob;
-+execute q;
-+ current_user | c 
-+--------------+---
-+(0 rows)
-+
-+RESET ROLE;
-+DROP FUNCTION rls_f();
-+DROP TABLE rls_t;
- --
- -- Clean up objects
- --
-diff --git a/src/test/regress/sql/rowsecurity.sql b/src/test/regress/sql/rowsecurity.sql
-index 44deb42..3015d89 100644
--- a/src/test/regress/sql/rowsecurity.sql
-+++ b/src/test/regress/sql/rowsecurity.sql
-@@ -1839,6 +1839,26 @@ SELECT * FROM rls_tbl;
- DROP TABLE rls_tbl;
- RESET SESSION AUTHORIZATION;
- 
-+-- CVE-2023-2455: inlining an SRF may introduce an RLS dependency
-+create table rls_t (c text);
-+insert into rls_t values ('invisible to bob');
-+alter table rls_t enable row level security;
-+grant select on rls_t to regress_rls_alice, regress_rls_bob;
-+create policy p1 on rls_t for select to regress_rls_alice using (true);
-+create policy p2 on rls_t for select to regress_rls_bob using (false);
-+create function rls_f () returns setof rls_t
-+  stable language sql
-+  as $$ select * from rls_t $$;
-+prepare q as select current_user, * from rls_f();
-+set role regress_rls_alice;
-+execute q;
-+set role regress_rls_bob;
-+execute q;
-+
-+RESET ROLE;
-+DROP FUNCTION rls_f();
-+DROP TABLE rls_t;
-+
- --
- -- Clean up objects
- --
-- 
-2.25.1
-
--- a/meta-oe/recipes-dbs/postgresql/files/not-check-libperl.patch
+++ b/meta-oe/recipes-dbs/postgresql/files/not-check-libperl.patch
@ -1,4 +1,4 @@
-From 56b830edecff1cac5f8a8a956e7a7eeef2aa7c17 Mon Sep 17 00:00:00 2001
+From 09fad1883f3312965a8d066f8477166eaa4db2c7 Mon Sep 17 00:00:00 2001
 From: Changqing Li <changqing.li@windriver.com>
 Date: Tue, 27 Nov 2018 13:25:15 +0800
 Subject: [PATCH] not check libperl under cross compiling
@ -15,15 +15,16 @@ Signed-off-by: Roy Li <rongqing.li@windriver.com>

 update patch to version 11.1
 Signed-off-by: Changqing Li <changqing.li@windriver.com>
+
 ---
 configure.ac | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

 diff --git a/configure.ac b/configure.ac
-index fba79ee..7170f26 100644
+index 159f2a2..d0f0b14 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -2261,7 +2261,7 @@ Use --without-tcl to disable building PL/Tcl.])
+@@ -2332,7 +2332,7 @@ Use --without-tcl to disable building PL/Tcl.])
 fi
 
 # check for <perl.h>
@ -32,6 +33,3 @@ index fba79ee..7170f26 100644
   ac_save_CPPFLAGS=$CPPFLAGS
   CPPFLAGS="$CPPFLAGS $perl_includespec"
   AC_CHECK_HEADER(perl.h, [], [AC_MSG_ERROR([header file <perl.h> is required for Perl])],
-- 
-2.34.1
-
--- a/meta-oe/recipes-dbs/postgresql/files/remove_duplicate.patch
+++ b/meta-oe/recipes-dbs/postgresql/files/remove_duplicate.patch
@ -1,38 +0,0 @@
-Remove duplicate code for riscv
-
-Upstream-Status: Pending
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
-
--- a/src/include/storage/s_lock.h
-+++ b/src/include/storage/s_lock.h
-@@ -341,30 +341,6 @@ tas(volatile slock_t *lock)
- #endif	 /* HAVE_GCC__SYNC_INT32_TAS */
- #endif	 /* __arm__ || __arm || __aarch64__ || __aarch64 || __riscv */
- 
-
-/*
- * RISC-V likewise uses __sync_lock_test_and_set(int *, int) if available.
- */
-#if defined(__riscv)
-#ifdef HAVE_GCC__SYNC_INT32_TAS
-#define HAS_TEST_AND_SET
-
-#define TAS(lock) tas(lock)
-
-typedef int slock_t;
-
-static __inline__ int
-tas(volatile slock_t *lock)
-{
-	return __sync_lock_test_and_set(lock, 1);
-}
-
-#define S_UNLOCK(lock) __sync_lock_release(lock)
-
-#endif	 /* HAVE_GCC__SYNC_INT32_TAS */
-#endif	 /* __riscv */
-
-
- /* S/390 and S/390x Linux (32- and 64-bit zSeries) */
- #if defined(__s390__) || defined(__s390x__)
- #define HAS_TEST_AND_SET
--- a/meta-oe/recipes-dbs/postgresql/postgresql_14.9.bb
+++ b/meta-oe/recipes-dbs/postgresql/postgresql_14.9.bb
@ -1,21 +1,17 @@
 require postgresql.inc

-LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=75af6e3eeec4a06cdd2e578673236fc3"
+LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=c31f662bb2bfb3b4187fe9a53e0ffe7c"

 SRC_URI += "\
   file://not-check-libperl.patch \
   file://0001-Add-support-for-RISC-V.patch \
   file://0001-Improve-reproducibility.patch \
   file://0001-configure.ac-bypass-autoconf-2.69-version-check.patch \
-   file://remove_duplicate.patch \
   file://0001-config_info.c-not-expose-build-info.patch \
-   file://0001-Properly-NULL-terminate-GSS-receive-buffer-on-error-.patch \
   file://0001-postgresql-fix-ptest-failure-of-sysviews.patch \
-   file://CVE-2023-2454.patch \
-   file://CVE-2023-2455.patch \
 "

-SRC_URI[sha256sum] = "d4f72cb5fb857c9a9f75ec8cf091a1771272802f2178f0b2e65b7b6ff64f4a30"
+SRC_URI[sha256sum] = "b1fe3ba9b1a7f3a9637dd1656dfdad2889016073fd4d35f13b50143cbbb6a8ef"

 CVE_CHECK_IGNORE += "\
   CVE-2017-8806 \