Adding debian version 2:8.1.0875-5+deb10u4.debian/2%8.1.0875-5+deb10u4

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

17 files changed, 1329 insertions, 20 deletions

diff --git a/debian/.gitlab-ci.yml b/debian/.gitlab-ci.yml
index 80c5e28..6c94c65 100644
--- a/debian/.gitlab-ci.yml
+++ b/debian/.gitlab-ci.yml
@@ -1,19 +1,4 @@
-.build_template: &build
-  only:
-    - branches
-  before_script:
-    - adduser --home /home/ci ci --quiet --disabled-login --gecos "" --uid 1000
-    - apt-get -q update
-    - env DEBIAN_FRONTEND=noninteractive apt-get -q -y -o Debug::pkgProblemResolver=yes build-dep .
-    - env DEBIAN_FRONTEND=noninteractive apt-get -q -y -o Debug::pkgProblemResolver=yes install --no-install-recommends gitpkg fakeroot sudo
-    - rm -rf ../deb-packages/vim
-    - install -d -o ci ../deb-packages ../deb-packages/vim
-    - export UPSTREAM_VERSION=$(dpkg-parsechangelog -SVersion | sed -e 's/^[0-9]*://' -e 's/\(.*\)-[^-]*/\1/')
-    - sudo -u ci gitpkg --keep-unpacked-source "$CI_COMMIT_SHA" v"$UPSTREAM_VERSION"
-  script:
-    - cd ../deb-packages/vim/vim-"$UPSTREAM_VERSION"
-    - sudo -u ci dpkg-buildpackage -us -uc
-
-test:buster:
-  <<: *build
-  image: debian:buster
+include:
+  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml
+variables:
+  RELEASE: 'buster'
diff --git a/debian/changelog b/debian/changelog
index 7471584..952d323 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+vim (2:8.1.0875-5+deb10u4) buster-security; urgency=medium
+
+  * Non-maintainer upload by the LTS team.
+  * Add missing CVE to previous changelog entry.
+  * Fix CVE-2022-0318, CVE-2022-0392, CVE-2022-0629,
+    CVE-2022-0696, CVE-2022-1619, CVE-2022-1621, CVE-2022-1785,
+    CVE-2022-1897, CVE-2022-1942, CVE-2022-2000, CVE-2022-2129,
+    CVE-2022-3235, CVE-2022-3256, CVE-2022-3352
+
+ -- Helmut Grohne <helmut@subdivi.de>  Wed, 23 Nov 2022 15:54:38 +0100
+
 vim (2:8.1.0875-5+deb10u3) buster-security; urgency=high
 
   * Non-maintainer upload by the LTS team.
@@ -10,7 +21,8 @@ vim (2:8.1.0875-5+deb10u3) buster-security; urgency=high
     CVE-2022-0943, CVE-2022-1154, CVE-2022-1616, CVE-2022-1720,
     CVE-2022-1851, CVE-2022-1898, CVE_2022-1968, CVE-2022-2285,
     CVE-2022-2304, CVE-2022-2598, CVE-2022-2946, CVE-2022-3099,
-    CVE-2022-3134, CVE-2022-3234, CVE-2022-3324, CVE-2022-3705
+    CVE-2022-3134, CVE-2022-3234, CVE-2022-3324, CVE-2022-3705,
+    CVE-2021-3872
     Multiple security vulnerabilities have been discovered in vim, an enhanced
     vi editor. Buffer overflows, out-of-bounds reads and use-after-free may
     lead to a denial-of-service (application crash) or other unspecified
diff --git a/debian/patches/CVE-2022-0318.patch b/debian/patches/CVE-2022-0318.patch
new file mode 100644
index 0000000..b2005a7
--- /dev/null
+++ b/debian/patches/CVE-2022-0318.patch
@@ -0,0 +1,104 @@
+From 57df9e8a9f9ae1aafdde9b86b10ad907627a87dc Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Thu, 20 Jan 2022 12:10:48 +0000
+Subject: [PATCH] patch 8.2.4151: reading beyond the end of a line
+
+Problem:    Reading beyond the end of a line.
+Solution:   For block insert only use the offset for correcting the length.
+---
+ src/ops.c                   | 19 ++-----------------
+ src/testdir/test_visual.vim |  9 +++++++++
+ src/version.c               |  2 ++
+ 3 files changed, 13 insertions(+), 17 deletions(-)
+
+Backport:
+ * In Debian, this patch got swapped with CVE-2022-0261 aka
+   9f8c304c8a390ade133bac29963dc8e56ab14cbc.
+ * We also backport the spaces check from
+   4067bd3604215b48e4b4201e28f9e401b08418e4, see #1023818.
+ * We also backport the expected test output from
+   fc6ccebea668c49e9e617e0657421b6a8ed9df1e.
+ * Replace expr-.. by expr-.
+
+diff --git a/src/ops.c b/src/ops.c
+index a9968024901e..e0fa344d8ee6 100644
+--- a/src/ops.c
++++ b/src/ops.c
+@@ -629,24 +629,12 @@ block_insert(
+ 	}
+ 
+ 	if (has_mbyte && spaces > 0)
+-	{
+-	    int off;
++	    /* avoid copying part of a multi-byte character */
++	    offset -= (*mb_head_off)(oldp, oldp + offset);
+ 
+-	    /* Avoid starting halfway a multi-byte character. */
+-	    if (b_insert)
+-	    {
+-		off = (*mb_head_off)(oldp, oldp + offset + spaces);
+-		spaces -= off;
+-		count -= off;
+-	    }
+-	    else
+-	    {
+-		// spaces fill the gap, the character that's at the edge moves
+-		// right
+-		off = (*mb_head_off)(oldp, oldp + offset);
+-		offset -= off;
+-	    }
+-	}
++	if (spaces < 0)  // can happen when the cursor was moved
++	    spaces = 0;
++
+ 	// Make sure the allocated size matches what is actually copied below.
+ 	newp = alloc_check((unsigned)(STRLEN(oldp)) + spaces + s_len
+ 		    + (spaces > 0 && !bdp->is_short ? p_ts - spaces : 0)
+diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim
+index b438fa1e66c6..a187aa8e085e 100644
+--- a/src/testdir/test_visual.vim
++++ b/src/testdir/test_visual.vim
+@@ -417,6 +417,15 @@
+   bwipe!
+ endfunc
+ 
++func Test_visual_block_insert_round_off()
++  new
++  " The number of characters are tuned to fill a 4096 byte allocated block,
++  " so that valgrind reports going over the end.
++  call setline(1, ['xxxxx', repeat('0', 1350), "\t", repeat('x', 60)])
++  exe "normal gg0\<C-V>GI" . repeat('0', 1320) . "\<Esc>"
++  bwipe!
++endfunc
++
+ " CVE-2022-0361
+ func Test_visual_ex_copy_line()
+   new
+diff --git a/src/testdir/test_utf8.vim b/src/testdir/test_utf8.vim
+index 0210ce63c..862e73b9a 100644
+--- a/src/testdir/test_utf8.vim
++++ b/src/testdir/test_utf8.vim
+@@ -6,7 +6,7 @@ func Test_visual_block_insert()
+   new
+   call setline(1, ["aaa", "あああ", "bbb"])
+   exe ":norm! gg0l\<C-V>jjIx\<Esc>"
+-  call assert_equal(['axaa', 'xあああ', 'bxbb'], getline(1, '$'))
++  call assert_equal(['axaa', ' xあああ', 'bxbb'], getline(1, '$'))
+   bwipeout!
+ endfunc
+ 
+diff --git a/src/version.c b/src/version.c
+index 53f1619f94d4..227eaa958e2b 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -797,6 +797,10 @@ static char *(features[]) =
+     5024,
+ /**/
+     4214,
++/**/
++    4152,
++/**/
++    4151,
+ /**/
+     4120,
+ /**/
diff --git a/debian/patches/CVE-2022-0392.patch b/debian/patches/CVE-2022-0392.patch
new file mode 100644
index 0000000..e410044
--- /dev/null
+++ b/debian/patches/CVE-2022-0392.patch
@@ -0,0 +1,130 @@
+From 806d037671e133bd28a7864248763f643967973a Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Tue, 25 Jan 2022 20:45:16 +0000
+Subject: [PATCH] patch 8.2.4218: illegal memory access with bracketed paste in
+ Ex mode
+
+Problem:    Illegal memory access with bracketed paste in Ex mode.
+Solution:   Reserve space for the trailing NUL.
+---
+ src/edit.c                 | 3 ++-
+ src/testdir/test_paste.vim | 3 +++
+ src/version.c              | 2 ++
+ 3 files changed, 7 insertions(+), 1 deletion(-)
+
+From fe4bbac1166f2e4e3fa18cb966ec7305198c8176 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Mon, 20 Jan 2020 21:12:20 +0100
+Subject: [PATCH] patch 8.2.0135: bracketed paste can still cause invalid
+ memory access
+
+Problem:    Bracketed paste can still cause invalid memory access. (Dominique
+            Pelle)
+Solution:   Check for NULL pointer.
+---
+ src/edit.c                  | 2 +-
+ src/testdir/test_search.vim | 3 ++-
+ src/version.c               | 2 ++
+ 3 files changed, 5 insertions(+), 2 deletions(-)
+
+Backport: drop included_patches 135 due to version bump
+
+From 98a336dd497d3422e7efeef9f24cc9e25aeb8a49 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Mon, 20 Jan 2020 20:22:30 +0100
+Subject: [PATCH] patch 8.2.0133: invalid memory access with search command
+
+Problem:    Invalid memory access with search command.
+Solution:   When :normal runs out of characters in bracketed paste mode break
+            out of the loop.(closes #5511)
+---
+ src/edit.c                  | 4 ++--
+ src/testdir/test_search.vim | 5 +++++
+ src/version.c               | 2 ++
+ 3 files changed, 9 insertions(+), 2 deletions(-)
+
+Backport: drop included_patches 135 due to version bump
+
+diff --git a/src/edit.c b/src/edit.c
+index ee3caf0dad50..2b5301100ddb 100644
+--- a/src/edit.c
++++ b/src/edit.c
+@@ -9183,7 +9183,7 @@ bracketed_paste(paste_mode_T mode, int drop, garray_T *gap)
+     int		save_paste = p_paste;
+ 
+     /* If the end code is too long we can't detect it, read everything. */
+-    if (STRLEN(end) >= NUMBUFLEN)
++    if (end != NULL && STRLEN(end) >= NUMBUFLEN)
+ 	end = NULL;
+     ++no_mapping;
+     allow_keys = 0;
+@@ -9201,9 +9201,9 @@ bracketed_paste(paste_mode_T mode, int drop, garray_T *gap)
+ 	{
+ 	    c = vgetc();
+ 	} while (c == K_IGNORE || c == K_VER_SCROLLBAR || c == K_HOR_SCROLLBAR);
+-	if (c == NUL || got_int)
++	if (c == NUL || got_int || (ex_normal_busy > 0 && c == Ctrl_C))
+ 	    // When CTRL-C was encountered the typeahead will be flushed and we
+-	    // won't get the end sequence.
++	    // won't get the end sequence.  Except when using ":normal".
+ 	    break;
+ 
+ 	if (has_mbyte)
+@@ -9226,7 +9226,8 @@ bracketed_paste(paste_mode_T mode, int drop, garray_T *gap)
+ 		    break;
+ 
+ 		case PASTE_EX:
+-		    if (gap != NULL && ga_grow(gap, idx) == OK)
++		    /* add one for the NUL that is going to be appended */
++		    if (gap != NULL && ga_grow(gap, idx + 1) == OK)
+ 		    {
+ 			mch_memmove((char *)gap->ga_data + gap->ga_len,
+ 							     buf, (size_t)idx);
+diff --git a/src/testdir/test_paste.vim b/src/testdir/test_paste.vim
+index c94fe7c357ed..5b8d8a0e3e2d 100644
+--- a/src/testdir/test_paste.vim
++++ b/src/testdir/test_paste.vim
+@@ -84,6 +84,16 @@
+   call assert_equal("\"afoo\<CR>barb", getreg(':'))
+ endfunc
+ 
++" bracketed paste in Ex-mode
++func Test_paste_ex_mode()
++  unlet! foo
++  call feedkeys("Qlet foo=\"\<Esc>[200~foo\<CR>bar\<Esc>[201~\"\<CR>vi\<CR>", 'xt')
++  call assert_equal("foo\rbar", foo)
++
++  " pasting more than 40 bytes
++  exe "norm Q\<PasteStart>0000000000000000000000000000000000000000000000000000000000000000000000\<C-C>"
++endfunc
++ 
+ func Test_paste_visual_mode()
+   new
+   call setline(1, 'here are some words')
+diff --git a/src/testdir/test_search.vim b/src/testdir/test_search.vim
+index 60152f602..89ca6e131 100644
+--- a/src/testdir/test_search.vim
++++ b/src/testdir/test_search.vim
+@@ -1187,3 +1187,9 @@
+   call assert_equal(bufcontent[1], @/)
+   call Incsearch_cleanup()
+ endfunc
++
++func Test_search_special()
++  " this was causing illegal memory access and an endless loop
++  set t_PE=
++  exe "norm /\x80PS"
++endfunc
+diff --git a/src/version.c b/src/version.c
+index 6685b554f537..9dcf34928f8d 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -795,6 +795,8 @@ static char *(features[]) =
+     805,
+ /**/
+     5024,
++/**/
++    4218,
+ /**/
+     4214,
+ /**/
diff --git a/debian/patches/CVE-2022-0629.patch b/debian/patches/CVE-2022-0629.patch
new file mode 100644
index 0000000..b3348ef
--- /dev/null
+++ b/debian/patches/CVE-2022-0629.patch
@@ -0,0 +1,59 @@
+From 34f8117dec685ace52cd9e578e2729db278163fc Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Wed, 16 Feb 2022 12:16:19 +0000
+Subject: [PATCH] patch 8.2.4397: crash when using many composing characters in
+ error message
+
+Problem:    Crash when using many composing characters in error message.
+Solution:   Use mb_cptr2char_adv() instead of mb_ptr2char_adv().
+---
+ src/testdir/test_assert.vim | 8 ++++++++
+ src/testing.c               | 2 +-
+ src/version.c               | 2 ++
+ 3 files changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/src/testdir/test_assert.vim b/src/testdir/test_assert.vim
+index 8987f3f8dfcd..27b2d73fbfc8 100644
+--- a/src/testdir/test_assert.vim
++++ b/src/testdir/test_assert.vim
+@@ -35,6 +35,14 @@ func Test_assert_equal()
+   call assert_equal('XxxxxxxxxxxxxxxxxxxxxxX', 'XyyyyyyyyyyyyyyyyyyyyyyyyyX')
+   call assert_match("Expected 'X\\\\\\[x occurs 21 times]X' but got 'X\\\\\\[y occurs 25 times]X'", v:errors[0])
+   call remove(v:errors, 0)
++
++  " many composing characters are handled properly
++  call setline(1, ' ')
++  norm 100gr݀
++  call assert_equal(1, getline(1))
++  call assert_match("Expected 1 but got '.* occurs 100 times]'", v:errors[0])
++  call remove(v:errors, 0)
++  bwipe!
+ endfunc
+ 
+ func Test_assert_equalfile()
+diff --git a/src/testing.c b/src/testing.c
+index 448c01c1e964..48ba14d2cafd 100644
+--- a/src/eval.c
++++ b/src/eval.c
+@@ -101,7 +101,7 @@ ga_concat_shorten_esc(garray_T *gap, char_u *str)
+     {
+ 	same_len = 1;
+ 	s = p;
+-	c = mb_ptr2char_adv(&s);
++	c = mb_cptr2char_adv(&s);
+ 	clen = s - p;
+ 	while (*s != NUL && c == mb_ptr2char(s))
+ 	{
+diff --git a/src/version.c b/src/version.c
+index fb1b8476e1a6..b4983661cadc 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -795,6 +795,8 @@ static char *(features[]) =
+     805,
+ /**/
+     5024,
++/**/
++    4397,
+ /**/
+     4218,
+ /**/
diff --git a/debian/patches/CVE-2022-0696.patch b/debian/patches/CVE-2022-0696.patch
new file mode 100644
index 0000000..0e1491e
--- /dev/null
+++ b/debian/patches/CVE-2022-0696.patch
@@ -0,0 +1,69 @@
+From 0f6e28f686dbb59ab3b562408ab9b2234797b9b1 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Sun, 20 Feb 2022 20:49:35 +0000
+Subject: [PATCH] patch 8.2.4428: crash when switching tabpage while in the
+ cmdline window
+
+Problem:    Crash when switching tabpage while in the cmdline window.
+Solution:   Disallow switching tabpage when in the cmdline window.
+---
+ src/evalvars.c       | 14 ++------------
+ src/proto/window.pro |  1 +
+ src/usercmd.c        | 24 ++++--------------------
+ src/version.c        |  2 ++
+ src/window.c         | 26 ++++++++++++++++++++++++++
+ 5 files changed, 35 insertions(+), 32 deletions(-)
+
+Backport: Since the old version dosn't do command line completion
+correctly, those parts are dropped and we only forbid switching the tab
+page.
+
+diff --git a/src/version.c b/src/version.c
+index c5f5c22f90ac..777476d80dce 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -795,6 +795,8 @@ static char *(features[]) =
+     805,
+ /**/
+     5024,
++/**/
++    4428,
+ /**/
+     4397,
+ /**/
+diff --git a/src/window.c b/src/window.c
+index 1f5e7096047c..b00ed977fc04 100644
+--- a/src/window.c
++++ b/src/window.c
+@@ -3656,6 +3656,14 @@ win_new_tabpage(int after)
+     tabpage_T	*newtp;
+     int		n;
+ 
++#ifdef FEAT_CMDWIN
++    if (cmdwin_type != 0)
++    {
++	emsg(_("E11: Invalid in command-line window; :q<CR> closes the window"));
++	return FAIL;
++    }
++#endif
++
+     newtp = alloc_tabpage();
+     if (newtp == NULL)
+ 	return FAIL;
+@@ -3997,6 +4005,7 @@ goto_tabpage(int n)
+ 	text_locked_msg();
+ 	return;
+     }
++    CHECK_CMDWIN;
+ 
+     /* If there is only one it can't work. */
+     if (first_tabpage->tp_next == NULL)
+@@ -4064,6 +4073,8 @@ goto_tabpage_tp(
+     int		trigger_enter_autocmds,
+     int		trigger_leave_autocmds)
+ {
++    CHECK_CMDWIN;
++
+     /* Don't repeat a message in another tab page. */
+     set_keep_msg(NULL, 0);
+ 
diff --git a/debian/patches/CVE-2022-1619.patch b/debian/patches/CVE-2022-1619.patch
new file mode 100644
index 0000000..121a1b7
--- /dev/null
+++ b/debian/patches/CVE-2022-1619.patch
@@ -0,0 +1,74 @@
+From ef02f16609ff0a26ffc6e20263523424980898fe Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Sat, 7 May 2022 10:49:10 +0100
+Subject: [PATCH] patch 8.2.4899: with latin1 encoding CTRL-W might go before
+ the cmdline
+
+Problem:    With latin1 encoding CTRL-W might go before the start of the
+            command line.
+Solution:   Check already being at the start of the command line.
+---
+ src/ex_getln.c               | 11 +++++++----
+ src/testdir/test_cmdline.vim |  3 +++
+ src/version.c                |  2 ++
+ 3 files changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/src/ex_getln.c b/src/ex_getln.c
+index a97024b35171..7020f5143a01 100644
+--- a/src/ex_getln.c
++++ b/src/ex_getln.c
+@@ -1635,10 +1635,13 @@
+ 		    {
+ 			while (p > ccline.cmdbuff && vim_isspace(p[-1]))
+ 			    --p;
+-			i = vim_iswordc(p[-1]);
+-			while (p > ccline.cmdbuff && !vim_isspace(p[-1])
+-				&& vim_iswordc(p[-1]) == i)
+-			    --p;
++			if (p > ccline.cmdbuff)
++			{
++			    i = vim_iswordc(p[-1]);
++			    while (p > ccline.cmdbuff && !vim_isspace(p[-1])
++				    && vim_iswordc(p[-1]) == i)
++				--p;
++			}
+ 		    }
+ 		    else
+ 			--p;
+diff --git a/src/testdir/test_cmdline.vim b/src/testdir/test_cmdline.vim
+index 474638fb00d6..5a849f77f755 100644
+--- a/src/testdir/test_cmdline.vim
++++ b/src/testdir/test_cmdline.vim
+@@ -641,6 +641,19 @@
+   let &lines = lines
+   let &columns = columns
+ endfunc
++
++func Test_cmdline_remove_char()
++  let encoding_save = &encoding
++
++  for e in ['utf8', 'latin1']
++    exe 'set encoding=' . e
++
++    " This was going before the start in latin1.
++    call feedkeys(": \<C-W>\<CR>", 'tx')
++  endfor
++
++  let &encoding = encoding_save
++endfunc
+
+
+ set cpo&
+diff --git a/src/version.c b/src/version.c
+index 201d26f06eb9..05888c722e8e 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -795,6 +795,8 @@ static char *(features[]) =
+     805,
+ /**/
+     5024,
++/**/
++    4899,
+ /**/
+     4428,
+ /**/
diff --git a/debian/patches/CVE-2022-1621.patch b/debian/patches/CVE-2022-1621.patch
new file mode 100644
index 0000000..29f8532
--- /dev/null
+++ b/debian/patches/CVE-2022-1621.patch
@@ -0,0 +1,114 @@
+From 7c824682d2028432ee082703ef0ab399867a089b Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Sun, 8 May 2022 22:32:58 +0100
+Subject: [PATCH] patch 8.2.4919: can add invalid bytes with :spellgood
+
+Problem:    Can add invalid bytes with :spellgood.
+Solution:   Check for a valid word string.
+---
+ src/errors.h                    |  4 ++++
+ src/mbyte.c                     |  2 +-
+ src/spellfile.c                 | 10 ++++++++++
+ src/testdir/test_spell_utf8.vim |  5 +++++
+ src/version.c                   |  2 ++
+ 5 files changed, 22 insertions(+), 1 deletion(-)
+
+From fe978c2b6bb9d897d962595a4a51dd7a71dc8e89 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Sun, 8 May 2022 22:43:51 +0100
+Subject: [PATCH] patch 8.2.4921: spell test fails because of new illegal byte
+ check
+
+Problem:    Spell test fails because of new illegal byte check.
+Solution:   Remove the test.
+---
+ src/testdir/test_spell.vim | 8 --------
+ src/version.c              | 2 ++
+ 2 files changed, 2 insertions(+), 8 deletions(-)
+
+diff --git a/src/mbyte.c b/src/mbyte.c
+index 2b7f9991ae14..a01a05140207 100644
+--- a/src/mbyte.c
++++ b/src/mbyte.c
+@@ -4047,7 +4047,7 @@ utf_find_illegal(void)
+     convert_setup(&vimconv, NULL, NULL);
+ }
+ 
+-#if defined(FEAT_GUI_GTK) || defined(PROTO)
++#if defined(FEAT_GUI_GTK) || defined(FEAT_SPELL) || defined(PROTO)
+ /*
+  * Return TRUE if string "s" is a valid utf-8 string.
+  * When "end" is NULL stop at the first NUL.
+diff --git a/src/spellfile.c b/src/spellfile.c
+index 22cf82da0872..f0d6d96a47f0 100644
+--- a/src/spellfile.c
++++ b/src/spellfile.c
+@@ -4361,6 +4361,10 @@ store_word(
+     int		res = OK;
+     char_u	*p;
+ 
++    // Avoid adding illegal bytes to the word tree.
++    if (enc_utf8 && !utf_valid_string(word, NULL))
++	return FAIL;
++
+     (void)spell_casefold(word, len, foldword, MAXWLEN);
+     for (p = pfxlist; res == OK; ++p)
+     {
+@@ -6167,6 +6171,12 @@ spell_add_word(
+     int		i;
+     char_u	*spf;
+ 
++    if (enc_utf8 && !utf_valid_string(word, NULL))
++    {
++	emsg(_("E1280: Illegal character in word"));
++	return;
++    }
++
+     if (idx == 0)	    /* use internal wordlist */
+     {
+ 	if (int_wordlist == NULL)
+diff --git a/src/testdir/test_spell_utf8.vim b/src/testdir/test_spell_utf8.vim
+index 79dc3e4a4a62..17fa23555818 100644
+--- a/src/testdir/test_spell.vim
++++ b/src/testdir/test_spell.vim
+@@ -476,16 +476,6 @@
+   bwipe!
+ endfunc
+ 
+-func Test_spell_single_word()
+-  set spell
+-  new
+-  silent! norm 0R00
+-  spell! ��
+-  silent 0norm 0r$ Dvz=
+-  set nospell
+-  bwipe!
+-endfunc
+-
+ let g:test_data_aff1 = [
+       \"SET ISO8859-1",
+       \"TRY esianrtolcdugmphbyfvkwjkqxz-\xEB\xE9\xE8\xEA\xEF\xEE\xE4\xE0\xE2\xF6\xFC\xFB'ESIANRTOLCDUGMPHBYFVKWJKQXZ",
+@@ -936,3 +926,8 @@
+       \"SAL Z                    S",
+       \ ]
+
++" Invalid bytes may cause trouble when creating the word list.
++func Test_check_for_valid_word()
++  call assert_fails("spellgood! 0\xac", 'E1280:')
++endfunc
++
+diff --git a/src/version.c b/src/version.c
+index f949dd6d7ed0..c4f5655bf6c2 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -795,6 +795,10 @@ static char *(features[]) =
+     805,
+ /**/
+     5024,
++/**/
++    4921,
++/**/
++    4919,
+ /**/
+     4899,
+ /**/
diff --git a/debian/patches/CVE-2022-1785.patch b/debian/patches/CVE-2022-1785.patch
new file mode 100644
index 0000000..1d3817f
--- /dev/null
+++ b/debian/patches/CVE-2022-1785.patch
@@ -0,0 +1,89 @@
+From e2bd8600b873d2cd1f9d667c28cba8b1dba18839 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Wed, 18 May 2022 13:11:57 +0100
+Subject: [PATCH] patch 8.2.4977: memory access error when substitute
+ expression changes window
+
+Problem:    Memory access error when substitute expression changes window.
+Solution:   Disallow changing window in substitute expression.
+---
+ src/ex_cmds.c                   | 11 +++++++++++
+ src/testdir/test_substitute.vim | 13 +++++++++++++
+ src/version.c                   |  2 ++
+ 3 files changed, 26 insertions(+)
+
+Backport: Use textlock instead of textwinlock. In this version, textwinlock
+ wasn't yet split out from textlock and it'll get merged back later.
+
+diff --git a/src/ex_cmds.c b/src/ex_cmds.c
+index 7e730becb48f..210e21fe7a5b 100644
+--- a/src/ex_cmds.c
++++ b/src/ex_cmds.c
+@@ -5576,12 +5576,17 @@ ex_substitute(exarg_T *eap)
+ 		/* Save flags for recursion.  They can change for e.g.
+ 		 * :s/^/\=execute("s#^##gn") */
+ 		subflags_save = subflags;
++
++		/* Disallow changing text or switching window in an expression. */
++		++textlock;
+ #endif
+ 		/* get length of substitution part */
+ 		sublen = vim_regsub_multi(&regmatch,
+ 				    sub_firstlnum - regmatch.startpos[0].lnum,
+ 				    sub, sub_firstline, FALSE, p_magic, TRUE);
+ #ifdef FEAT_EVAL
++		--textlock;
++
+ 		/* Don't keep flags set by a recursive call. */
+ 		subflags = subflags_save;
+ 		if (subflags.do_count)
+@@ -5670,9 +5675,15 @@ ex_substitute(exarg_T *eap)
+ 		mch_memmove(new_end, sub_firstline + copycol, (size_t)copy_len);
+ 		new_end += copy_len;
+ 
++#ifdef FEAT_EVAL
++		++textlock;
++#endif
+ 		(void)vim_regsub_multi(&regmatch,
+ 				    sub_firstlnum - regmatch.startpos[0].lnum,
+ 					   sub, new_end, TRUE, p_magic, TRUE);
++#ifdef FEAT_EVAL
++		--textlock;
++#endif
+ 		sub_nsubs++;
+ 		did_sub = TRUE;
+ 
+diff --git a/src/testdir/test_substitute.vim b/src/testdir/test_substitute.vim
+index f3fd7ab1ce77..a1c324ed8d20 100644
+--- a/src/testdir/test_substitute.vim
++++ b/src/testdir/test_substitute.vim
+@@ -517,3 +517,16 @@ func Test_using_old_sub()
+   set nocompatible
+ endfunc
+ 
++" This was switching windows in between computing the length and using it.
++func Test_sub_change_window()
++  silent! lfile
++  sil! norm o0000000000000000000000000000000000000000000000000000
++  func Repl()
++    lopen
++  endfunc
++  silent!  s/\%')/\=Repl()
++  bwipe!
++  bwipe!
++  delfunc Repl
++endfunc
++
+diff --git a/src/version.c b/src/version.c
+index 4c63ea0771ad..782642b5d5a1 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -795,6 +795,8 @@ static char *(features[]) =
+     805,
+ /**/
+     5024,
++/**/
++    4977,
+ /**/
+     4921,
+ /**/
diff --git a/debian/patches/CVE-2022-1897.patch b/debian/patches/CVE-2022-1897.patch
new file mode 100644
index 0000000..1a44481
--- /dev/null
+++ b/debian/patches/CVE-2022-1897.patch
@@ -0,0 +1,149 @@
+From 338f1fc0ee3ca929387448fe464579d6113fa76a Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Thu, 26 May 2022 15:56:23 +0100
+Subject: [PATCH] patch 8.2.5023: substitute overwrites allocated buffer
+
+Problem:    Substitute overwrites allocated buffer.
+Solution:   Disallow undo when in a substitute command.
+---
+ src/normal.c                    | 42 ++++++++++++++++-----------------
+ src/testdir/test_substitute.vim | 22 +++++++++++++++++
+ src/undo.c                      |  6 +++++
+ src/version.c                   |  2 ++
+ 4 files changed, 51 insertions(+), 21 deletions(-)
+
+diff --git a/src/normal.c b/src/normal.c
+index bc3e29e1abaa..53c50dc8b368 100644
+--- a/src/normal.c
++++ b/src/normal.c
+@@ -514,6 +514,22 @@ find_command(int cmdchar)
+     return idx;
+ }
+ 
++/*
++ * If currently editing a cmdline or text is locked: beep and give an error
++ * message, return TRUE.
++ */
++    static int
++check_text_locked(oparg_T *oap)
++{
++    if (text_locked())
++    {
++	clearopbeep(oap);
++	text_locked_msg();
++	return TRUE;
++    }
++    return FALSE;
++}
++
+ /*
+  * Execute a command in Normal mode.
+  */
+@@ -775,14 +791,9 @@ normal_cmd(
+ 	goto normal_end;
+     }
+ 
+-    if (text_locked() && (nv_cmds[idx].cmd_flags & NV_NCW))
+-    {
+-	/* This command is not allowed while editing a cmdline: beep. */
+-	clearopbeep(oap);
+-	text_locked_msg();
+-	goto normal_end;
+-    }
+-    if ((nv_cmds[idx].cmd_flags & NV_NCW) && curbuf_locked())
++    if ((nv_cmds[idx].cmd_flags & NV_NCW)
++				&& (check_text_locked(oap) || curbuf_locked()))
++	/* this command is not allowed now */
+ 	goto normal_end;
+ 
+     /*
+@@ -6164,12 +6175,8 @@ nv_gotofile(cmdarg_T *cap)
+     char_u	*ptr;
+     linenr_T	lnum = -1;
+ 
+-    if (text_locked())
+-    {
+-	clearopbeep(cap->oap);
+-	text_locked_msg();
++    if (check_text_locked(cap->oap))
+ 	return;
+-    }
+     if (curbuf_locked())
+     {
+ 	clearop(cap->oap);
+@@ -8330,14 +8337,7 @@ nv_g_cmd(cmdarg_T *cap)
+ 
+     /* "gQ": improved Ex mode */
+     case 'Q':
+-	if (text_locked())
+-	{
+-	    clearopbeep(cap->oap);
+-	    text_locked_msg();
+-	    break;
+-	}
+-
+-	if (!checkclearopq(oap))
++	if (!check_text_locked(cap->oap) && !checkclearopq(oap))
+ 	    do_exmode(TRUE);
+ 	break;
+ 
+diff --git a/src/testdir/test_substitute.vim b/src/testdir/test_substitute.vim
+index a1c324ed8d20..c8df09f4ec1e 100644
+--- a/src/testdir/test_substitute.vim
++++ b/src/testdir/test_substitute.vim
+@@ -530,3 +530,25 @@ func Test_sub_change_window()
+   delfunc Repl
+ endfunc
+ 
++" This was undoign a change in between computing the length and using it.
++func Do_Test_sub_undo_change()
++  new
++  norm o0000000000000000000000000000000000000000000000000000
++  silent! s/\%')/\=Repl()
++  bwipe!
++endfunc
++
++func Test_sub_undo_change()
++  func Repl()
++    silent! norm g-
++  endfunc
++  call Do_Test_sub_undo_change()
++
++  func! Repl()
++    silent earlier
++  endfunc
++  call Do_Test_sub_undo_change()
++
++  delfunc Repl
++endfunc
++
+diff --git a/src/undo.c b/src/undo.c
+index cac09f0f58df..81cc28e8b801 100644
+--- a/src/undo.c
++++ b/src/undo.c
+@@ -2278,6 +2278,12 @@ undo_time(
+     int		    above = FALSE;
+     int		    did_undo = TRUE;
+ 
++    if (text_locked())
++    {
++	text_locked_msg();
++	return;
++    }
++
+     /* First make sure the current undoable change is synced. */
+     if (curbuf->b_u_synced == FALSE)
+ 	u_sync(TRUE);
+diff --git a/src/version.c b/src/version.c
+index 9751865c7adf..cd6c33162204 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -795,6 +795,8 @@ static char *(features[]) =
+     805,
+ /**/
+     5024,
++/**/
++    5023,
+ /**/
+     4977,
+ /**/
diff --git a/debian/patches/CVE-2022-1942.patch b/debian/patches/CVE-2022-1942.patch
new file mode 100644
index 0000000..e2f5b9c
--- /dev/null
+++ b/debian/patches/CVE-2022-1942.patch
@@ -0,0 +1,122 @@
+From 71223e2db87c2bf3b09aecb46266b56cda26191d Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Mon, 30 May 2022 15:23:09 +0100
+Subject: [PATCH] patch 8.2.5043: can open a cmdline window from a substitute
+ expression
+
+Problem:    Can open a cmdline window from a substitute expression.
+Solution:   Disallow opening a command line window when text or buffer is
+            locked.
+---
+ src/buffer.c                    |  7 +------
+ src/ex_getln.c                  | 19 +++++++++++++++++++
+ src/proto/ex_getln.pro          |  5 +++--
+ src/testdir/test_substitute.vim | 25 +++++++++++++++++++++++++
+ src/version.c                   |  2 ++
+ src/window.c                    |  5 +----
+ 6 files changed, 51 insertions(+), 12 deletions(-)
+
+Backport: Drop test case, because the expected E565 was only introduced in
+ 8.2.0670 and the testcase does not otherwise fail or issue messages in
+ valgrind.
+
+diff --git a/src/buffer.c b/src/buffer.c
+index efec431c822d..e775398d0294 100644
+--- a/src/buffer.c
++++ b/src/buffer.c
+@@ -2297,12 +2297,7 @@ buflist_getfile(
+     if (buf == curbuf)
+ 	return OK;
+ 
+-    if (text_locked())
+-    {
+-	text_locked_msg();
+-	return FAIL;
+-    }
+-    if (curbuf_locked())
++    if (text_or_buf_locked())
+ 	return FAIL;
+ 
+     /* altfpos may be changed by getfile(), get it now */
+diff --git a/src/ex_getln.c b/src/ex_getln.c
+index 9dadfbf2fabe..623bd1d4984a 100644
+--- a/src/ex_getln.c
++++ b/src/ex_getln.c
+@@ -2589,6 +2589,21 @@ get_text_locked_msg(void)
+     return e_secure;
+ }
+ 
++/*
++ * Check for text, window or buffer locked.
++ * Give an error message and return TRUE if something is locked.
++ */
++    int
++text_or_buf_locked(void)
++{
++    if (text_locked())
++    {
++	text_locked_msg();
++	return TRUE;
++    }
++    return curbuf_locked();
++}
++
+ /*
+  * Check if "curbuf_lock" or "allbuf_lock" is set and return TRUE when it is
+  * and give an error message.
+@@ -7188,6 +7203,10 @@ open_cmdwin(void)
+     int			save_KeyTyped;
+ #endif
+ 
++    /* Can't do this when text or buffer is locked. */
++    if (text_or_buf_locked())
++	return K_IGNORE;
++
+     /* Can't do this recursively.  Can't do it when typing a password. */
+     if (cmdwin_type != 0
+ # if defined(FEAT_CRYPT) || defined(FEAT_EVAL)
+diff --git a/src/proto/ex_getln.pro b/src/proto/ex_getln.pro
+index 8c8bd0ebd4cd..bcc310c7dd0e 100644
+--- a/src/proto/ex_getln.pro
++++ b/src/proto/ex_getln.pro
+@@ -5,6 +5,7 @@
+ int text_locked(void);
+ void text_locked_msg(void);
+ char *get_text_locked_msg(void);
++int text_or_buf_locked(void);
+ int curbuf_locked(void);
+ int allbuf_locked(void);
+ char_u *getexline(int c, void *cookie, int indent);
+diff --git a/src/version.c b/src/version.c
+index 18a1fdb41cb6..a15bb3ed8d6a 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -791,6 +791,8 @@ static char *(features[]) =
+ 
+ static int included_patches[] =
+ {   /* Add new patch number below this line */
++/**/
++    5043,
+ /**/
+     805,
+ /**/
+diff --git a/src/window.c b/src/window.c
+index f2913d4a76ef..9b5ac97286cd 100644
+--- a/src/window.c
++++ b/src/window.c
+@@ -4173,14 +4173,11 @@ win_goto(win_T *wp)
+     win_T	*owp = curwin;
+ #endif
+
+-    if (text_locked())
++    if (text_or_buf_locked())
+     {
+ 	beep_flush();
+-	text_locked_msg();
+ 	return;
+     }
+-    if (curbuf_locked())
+-	return;
+ 
+     if (wp->w_buffer != curbuf)
+ 	reset_VIsual_and_resel();
diff --git a/debian/patches/CVE-2022-2000.patch b/debian/patches/CVE-2022-2000.patch
new file mode 100644
index 0000000..7f1a1e6
--- /dev/null
+++ b/debian/patches/CVE-2022-2000.patch
@@ -0,0 +1,65 @@
+From 44a3f3353e0407e9fffee138125a6927d1c9e7e5 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Mon, 6 Jun 2022 15:38:21 +0100
+Subject: [PATCH] patch 8.2.5063: error for a command may go over the end of
+ IObuff
+
+Problem:    Error for a command may go over the end of IObuff.
+Solution:   Truncate the message.
+---
+ src/ex_docmd.c               | 12 ++++++++++--
+ src/testdir/test_cmdline.vim |  5 +++++
+ src/version.c                |  2 ++
+ 3 files changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/src/ex_docmd.c b/src/ex_docmd.c
+index cfb40e8d5cfa..634a1bcef566 100644
+--- a/src/ex_docmd.c
++++ b/src/ex_docmd.c
+@@ -3111,9 +3111,17 @@ parse_cmd_address(exarg_T *eap, char **errormsg, int silent)
+     static void
+ append_command(char_u *cmd)
+ {
+-    char_u *s = cmd;
+-    char_u *d;
++    size_t  len = STRLEN(IObuff);
++    char_u  *s = cmd;
++    char_u  *d;
+ 
++    if (len > IOSIZE - 100)
++    {
++	// Not enough space, truncate and put in "...".
++	d = IObuff + IOSIZE - 100;
++	d -= mb_head_off(IObuff, d);
++	STRCPY(d, "...");
++    }
+     STRCAT(IObuff, ": ");
+     d = IObuff + STRLEN(IObuff);
+     while (*s != NUL && d - IObuff + 5 < IOSIZE)
+diff --git a/src/testdir/test_cmdline.vim b/src/testdir/test_cmdline.vim
+index 77965b3f65a3..2289c343e9f8 100644
+--- a/src/testdir/test_cmdline.vim
++++ b/src/testdir/test_cmdline.vim
+@@ -657,3 +657,9 @@
+
+
+ set cpo&
++
++func Test_long_error_message()
++  " the error should be truncated, not overrun IObuff
++  silent! norm Q00000000000000     000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000                                                                                                                                                                                                                        
++endfunc
++
+diff --git a/src/version.c b/src/version.c
+index 542028606dde..dd585c81afe9 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -791,6 +791,8 @@ static char *(features[]) =
+ 
+ static int included_patches[] =
+ {   /* Add new patch number below this line */
++/**/
++    5063,
+ /**/
+     5043,
+ /**/
diff --git a/debian/patches/CVE-2022-2129.patch b/debian/patches/CVE-2022-2129.patch
new file mode 100644
index 0000000..70bdd57
--- /dev/null
+++ b/debian/patches/CVE-2022-2129.patch
@@ -0,0 +1,65 @@
+From d6211a52ab9f53b82f884561ed43d2fe4d24ff7d Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Sat, 18 Jun 2022 19:48:14 +0100
+Subject: [PATCH] patch 8.2.5126: substitute may overrun destination buffer
+
+Problem:    Substitute may overrun destination buffer.
+Solution:   Disallow switching buffers in a substitute expression.
+---
+ src/ex_docmd.c                  |  7 ++++---
+ src/testdir/test_substitute.vim | 13 +++++++++++++
+ src/version.c                   |  2 ++
+ 3 files changed, 19 insertions(+), 3 deletions(-)
+
+diff --git a/src/ex_docmd.c b/src/ex_docmd.c
+index fed9330b52e9..1185cd1550a6 100644
+--- a/src/ex_docmd.c
++++ b/src/ex_docmd.c
+@@ -8778,9 +8778,10 @@ do_exedit(
+ #endif
+ 	    )
+     {
+-	/* Can't edit another file when "curbuf_lock" is set.  Only ":edit"
+-	 * can bring us here, others are stopped earlier. */
+-	if (*eap->arg != NUL && curbuf_locked())
++	/* Can't edit another file when "textlock" or "curbuf_lock" is set.
++	 * Only ":edit" or ":script" can bring us here, others are stopped
++	   earlier. */
++	if (*eap->arg != NUL && text_or_buf_locked())
+ 	    return;
+ 
+ 	n = readonlymode;
+diff --git a/src/testdir/test_substitute.vim b/src/testdir/test_substitute.vim
+index 46ea95513192..c056fa965692 100644
+--- a/src/testdir/test_substitute.vim
++++ b/src/testdir/test_substitute.vim
+@@ -552,3 +552,16 @@
+   delfunc Repl
+ endfunc
+ 
++" This was editing a script file from the expression
++func Test_sub_edit_scriptfile()
++  new
++  norm o0000000000000000000000000000000000000000000000000000
++  func EditScript()
++    silent! scr! Xfile
++  endfunc
++  s/\%')/\=EditScript()
++
++  delfunc EditScript
++  bwipe!
++endfunc
++
+diff --git a/src/version.c b/src/version.c
+index 82ac4eaf2dd9..2f397ae315f7 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -791,6 +791,8 @@ static char *(features[]) =
+ 
+ static int included_patches[] =
+ {   /* Add new patch number below this line */
++/**/
++    5126,
+ /**/
+     5063,
+ /**/
diff --git a/debian/patches/CVE-2022-3235.patch b/debian/patches/CVE-2022-3235.patch
new file mode 100644
index 0000000..fc3e20e
--- /dev/null
+++ b/debian/patches/CVE-2022-3235.patch
@@ -0,0 +1,116 @@
+From 1c3dd8ddcba63c1af5112e567215b3cec2de11d0 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Sat, 17 Sep 2022 19:43:23 +0100
+Subject: [PATCH] patch 9.0.0490: using freed memory with cmdwin and BufEnter
+ autocmd
+
+Problem:    Using freed memory with cmdwin and BufEnter autocmd.
+Solution:   Make sure pointer to b_p_iminsert is still valid.
+---
+ src/ex_getln.c              |  8 ++++++--
+ src/testdir/test_cmdwin.vim | 10 ++++++++++
+ src/version.c               |  2 ++
+ 3 files changed, 18 insertions(+), 2 deletions(-)
+
+Backport: rewrote b_im_ptr handling
+
+diff --git a/src/ex_getln.c b/src/ex_getln.c
+index 70436b31f05e..a4fb61145c96 100644
+--- a/src/ex_getln.c
++++ b/src/ex_getln.c
+@@ -858,6 +858,7 @@ getcmdline_int(
+ #endif
+     expand_T	xpc;
+     long	*b_im_ptr = NULL;
++    buf_T	*b_im_ptr_buf = NULL;	// buffer where b_im_ptr is valid
+     struct cmdline_info save_ccline;
+     int		did_save_ccline = FALSE;
+     int		cmdline_type;
+@@ -968,6 +969,7 @@ getcmdline_int(
+ 	    b_im_ptr = &curbuf->b_p_iminsert;
+ 	else
+ 	    b_im_ptr = &curbuf->b_p_imsearch;
++	b_im_ptr_buf = curbuf;
+ 	if (*b_im_ptr == B_IMODE_LMAP)
+ 	    State |= LANGMAP;
+ #ifdef HAVE_INPUT_METHOD
+@@ -1718,7 +1720,7 @@ getcmdline_int(
+ #ifdef HAVE_INPUT_METHOD
+ 		    im_set_active(FALSE);	/* Disable input method */
+ #endif
+-		    if (b_im_ptr != NULL)
++		    if (b_im_ptr != NULL && buf_valid(b_im_ptr_buf))
+ 		    {
+ 			if (State & LANGMAP)
+ 			    *b_im_ptr = B_IMODE_LMAP;
+@@ -1732,7 +1734,7 @@ getcmdline_int(
+ 		    /* There are no ":lmap" mappings, toggle IM.  When
+ 		     * 'imdisable' is set don't try getting the status, it's
+ 		     * always off. */
+-		    if ((p_imdisable && b_im_ptr != NULL)
++ 		    if ((p_imdisable && b_im_ptr != NULL && buf_valid(b_im_ptr_buf))
+ 			    ? *b_im_ptr == B_IMODE_IM : im_get_status())
+ 		    {
+ 			im_set_active(FALSE);	/* Disable input method */
+@@ -1742,12 +1744,12 @@ getcmdline_int(
+ 		    else
+ 		    {
+ 			im_set_active(TRUE);	/* Enable input method */
+-			if (b_im_ptr != NULL)
++			if (b_im_ptr != NULL && buf_valid(b_im_ptr_buf))
+ 			    *b_im_ptr = B_IMODE_IM;
+ 		    }
+ 		}
+ #endif
+-		if (b_im_ptr != NULL)
++		if (b_im_ptr != NULL && buf_valid(b_im_ptr_buf))
+ 		{
+ 		    if (b_im_ptr == &curbuf->b_p_iminsert)
+ 			set_iminsert_global();
+@@ -2476,7 +2478,8 @@ getcmdline_int(
+ 
+     State = save_State;
+ #ifdef HAVE_INPUT_METHOD
+-    if (b_im_ptr != NULL && *b_im_ptr != B_IMODE_LMAP)
++    if (b_im_ptr != NULL && buf_valid(b_im_ptr_buf)
++						  && *b_im_ptr != B_IMODE_LMAP)
+ 	im_save_status(b_im_ptr);
+     im_set_active(FALSE);
+ #endif
+diff --git a/src/testdir/test_cmdwin.vim b/src/testdir/test_cmdwin.vim
+index d62673aba254..fe849bcc1686 100644
+--- /dev/null
++++ b/src/testdir/test_cmdwin.vim
+@@ -0,0 +0,12 @@
++" This was using a pointer to a freed buffer
++func Test_cmdwin_freed_buffer_ptr()
++  au BufEnter * next 0| file 
++  edit 0
++  silent! norm q/
++
++  au! BufEnter
++  bwipe!
++endfunc
++
++
++" vim: shiftwidth=2 sts=2 expandtab
+--- a/src/testdir/Make_all.mak
++++ b/src/testdir/Make_all.mak
+@@ -89,6 +89,7 @@
+ 	test_clientserver \
+ 	test_close_count \
+ 	test_cmdline \
++	test_cmdwin \
+ 	test_command_count \
+ 	test_comparators \
+ 	test_compiler \
+--- a/src/version.c
++++ b/src/version.c
+@@ -2618,6 +2618,7 @@
+     "8.2.3403",
+     "8.2.3409",
+     "8.2.3428",
++    "9.0.0490",
+ /**/
+     NULL
+ };
diff --git a/debian/patches/CVE-2022-3256.patch b/debian/patches/CVE-2022-3256.patch
new file mode 100644
index 0000000..ab1abab
--- /dev/null
+++ b/debian/patches/CVE-2022-3256.patch
@@ -0,0 +1,73 @@
+From 8ecfa2c56b4992c7f067b92488aa9acea5a454ad Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Wed, 21 Sep 2022 13:07:22 +0100
+Subject: [PATCH] patch 9.0.0530: using freed memory when autocmd changes mark
+
+Problem:    Using freed memory when autocmd changes mark.
+Solution:   Copy the mark before editing another buffer.
+---
+ src/mark.c                 | 12 +++++++-----
+ src/testdir/test_marks.vim | 13 +++++++++++++
+ src/version.c              |  2 ++
+ 3 files changed, 22 insertions(+), 5 deletions(-)
+
+diff --git a/src/mark.c b/src/mark.c
+index ade5a1087b7d..584db033d3ca 100644
+--- a/src/mark.c
++++ b/src/mark.c
+@@ -252,17 +252,19 @@ movemark(int count)
+ 	    fname2fnum(jmp);
+ 	if (jmp->fmark.fnum != curbuf->b_fnum)
+ 	{
+-	    /* jump to other file */
+-	    if (buflist_findnr(jmp->fmark.fnum) == NULL)
++	    /* Make a copy, an autocommand may make "jmp" invalid. */
++	    fmark_T fmark = jmp->fmark;
++
++	    /* jump to the file with the mark */
++	    if (buflist_findnr(fmark.fnum) == NULL)
+ 	    {					     /* Skip this one .. */
+ 		count += count < 0 ? -1 : 1;
+ 		continue;
+ 	    }
+-	    if (buflist_getfile(jmp->fmark.fnum, jmp->fmark.mark.lnum,
+-							    0, FALSE) == FAIL)
++	    if (buflist_getfile(fmark.fnum, fmark.mark.lnum, 0, FALSE) == FAIL)
+ 		return (pos_T *)NULL;
+ 	    /* Set lnum again, autocommands my have changed it */
+-	    curwin->w_cursor = jmp->fmark.mark;
++	    curwin->w_cursor = fmark.mark;
+ 	    pos = (pos_T *)-1;
+ 	}
+ 	else
+diff --git a/src/testdir/test_marks.vim b/src/testdir/test_marks.vim
+index 12501a3aba07..20fb3041f244 100644
+--- a/src/testdir/test_marks.vim
++++ b/src/testdir/test_marks.vim
+@@ -174,3 +174,16 @@ func Test_getmarklist()
+   call assert_fails('mark xx', 'E488:')
+   call assert_fails('mark _', 'E191:')
+ endfunc
++" This was using freed memory
++func Test_jump_mark_autocmd()
++  next 00
++  edit 0
++  sargument
++  au BufEnter 0 all
++  sil norm 
++
++  au! BufEnter
++  bwipe!
++endfunc
++
++
+--- a/src/version.c
++++ b/src/version.c
+@@ -2619,6 +2619,7 @@
+     "8.2.3409",
+     "8.2.3428",
+     "9.0.0490",
++    "9.0.0530",
+ /**/
+     NULL
+ };
diff --git a/debian/patches/CVE-2022-3352.patch b/debian/patches/CVE-2022-3352.patch
new file mode 100644
index 0000000..f55e40d
--- /dev/null
+++ b/debian/patches/CVE-2022-3352.patch
@@ -0,0 +1,69 @@
+From ef976323e770315b5fca544efb6b2faa25674d15 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Wed, 28 Sep 2022 11:48:30 +0100
+Subject: [PATCH] patch 9.0.0614: SpellFileMissing autocmd may delete buffer
+
+Problem:    SpellFileMissing autocmd may delete buffer.
+Solution:   Disallow deleting the current buffer to avoid using freed memory.
+---
+ src/buffer.c                 |  7 ++++++-
+ src/spell.c                  |  6 ++++++
+ src/testdir/test_autocmd.vim | 10 ++++++++++
+ src/version.c                |  2 ++
+ 4 files changed, 24 insertions(+), 1 deletion(-)
+
+Backport: src/buffer.c isn't vulnerable yet
+
+diff --git a/src/spell.c b/src/spell.c
+index 628814fe6db3..975b5a6789a9 100644
+--- a/src/spell.c
++++ b/src/spell.c
+@@ -1813,6 +1813,10 @@ spell_load_lang(char_u *lang)
+     sl.sl_slang = NULL;
+     sl.sl_nobreak = FALSE;
+ 
++    // Disallow deleting the current buffer.  Autocommands can do weird things
++    // and cause "lang" to be freed.
++    ++curbuf->b_locked;
++
+     /* We may retry when no spell file is found for the language, an
+      * autocommand may load it then. */
+     for (round = 1; round <= 2; ++round)
+@@ -1866,6 +1870,8 @@ spell_load_lang(char_u *lang)
+ 	STRCPY(fname_enc + STRLEN(fname_enc) - 3, "add.spl");
+ 	do_in_runtimepath(fname_enc, DIP_ALL, spell_load_cb, &sl);
+     }
++
++    --curbuf->b_locked;
+ }
+ 
+ /*
+diff --git a/src/testdir/test_autocmd.vim b/src/testdir/test_autocmd.vim
+index 86732f15dbe4..70f0f553a226 100644
+--- a/src/testdir/test_autocmd.vim
++++ b/src/testdir/test_autocmd.vim
+@@ -1416,3 +1416,14 @@
+ endfunc
+ 
+ " FileChangedShell tested in test_filechanged.vim
++
++" this was wiping out the current buffer and using freed memory
++func Test_SpellFileMissing_bwipe()
++  next 0
++  au SpellFileMissing 0 bwipe
++  call assert_fails('set spell spelllang=0', 'E937:')
++
++  au! SpellFileMissing
++  bwipe
++endfunc
++
+--- a/src/version.c
++++ b/src/version.c
+@@ -2620,6 +2620,7 @@
+     "8.2.3428",
+     "9.0.0490",
+     "9.0.0530",
++    "9.0.0614",
+ /**/
+     NULL
+ };
diff --git a/debian/patches/series b/debian/patches/series
index 5cb3483..acb4b8e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -62,3 +62,17 @@ CVE-2022-3134.patch
 CVE-2022-3234.patch
 CVE-2022-3324.patch
 CVE-2022-3705.patch
+CVE-2022-0318.patch
+CVE-2022-0392.patch
+CVE-2022-0629.patch
+CVE-2022-0696.patch
+CVE-2022-1619.patch
+CVE-2022-1621.patch
+CVE-2022-1785.patch
+CVE-2022-1897.patch
+CVE-2022-1942.patch
+CVE-2022-2000.patch
+CVE-2022-2129.patch
+CVE-2022-3235.patch
+CVE-2022-3256.patch
+CVE-2022-3352.patch