Adding debian version 2:8.1.0875-5+deb10u4.debian/2%8.1.0875-5+deb10u4

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

1 files changed, 116 insertions, 0 deletions

diff --git a/debian/patches/CVE-2022-3235.patch b/debian/patches/CVE-2022-3235.patch
new file mode 100644
index 0000000..fc3e20e
--- /dev/null
+++ b/debian/patches/CVE-2022-3235.patch
@@ -0,0 +1,116 @@
+From 1c3dd8ddcba63c1af5112e567215b3cec2de11d0 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Sat, 17 Sep 2022 19:43:23 +0100
+Subject: [PATCH] patch 9.0.0490: using freed memory with cmdwin and BufEnter
+ autocmd
+
+Problem:    Using freed memory with cmdwin and BufEnter autocmd.
+Solution:   Make sure pointer to b_p_iminsert is still valid.
+---
+ src/ex_getln.c              |  8 ++++++--
+ src/testdir/test_cmdwin.vim | 10 ++++++++++
+ src/version.c               |  2 ++
+ 3 files changed, 18 insertions(+), 2 deletions(-)
+
+Backport: rewrote b_im_ptr handling
+
+diff --git a/src/ex_getln.c b/src/ex_getln.c
+index 70436b31f05e..a4fb61145c96 100644
+--- a/src/ex_getln.c
++++ b/src/ex_getln.c
+@@ -858,6 +858,7 @@ getcmdline_int(
+ #endif
+     expand_T	xpc;
+     long	*b_im_ptr = NULL;
++    buf_T	*b_im_ptr_buf = NULL;	// buffer where b_im_ptr is valid
+     struct cmdline_info save_ccline;
+     int		did_save_ccline = FALSE;
+     int		cmdline_type;
+@@ -968,6 +969,7 @@ getcmdline_int(
+ 	    b_im_ptr = &curbuf->b_p_iminsert;
+ 	else
+ 	    b_im_ptr = &curbuf->b_p_imsearch;
++	b_im_ptr_buf = curbuf;
+ 	if (*b_im_ptr == B_IMODE_LMAP)
+ 	    State |= LANGMAP;
+ #ifdef HAVE_INPUT_METHOD
+@@ -1718,7 +1720,7 @@ getcmdline_int(
+ #ifdef HAVE_INPUT_METHOD
+ 		    im_set_active(FALSE);	/* Disable input method */
+ #endif
+-		    if (b_im_ptr != NULL)
++		    if (b_im_ptr != NULL && buf_valid(b_im_ptr_buf))
+ 		    {
+ 			if (State & LANGMAP)
+ 			    *b_im_ptr = B_IMODE_LMAP;
+@@ -1732,7 +1734,7 @@ getcmdline_int(
+ 		    /* There are no ":lmap" mappings, toggle IM.  When
+ 		     * 'imdisable' is set don't try getting the status, it's
+ 		     * always off. */
+-		    if ((p_imdisable && b_im_ptr != NULL)
++ 		    if ((p_imdisable && b_im_ptr != NULL && buf_valid(b_im_ptr_buf))
+ 			    ? *b_im_ptr == B_IMODE_IM : im_get_status())
+ 		    {
+ 			im_set_active(FALSE);	/* Disable input method */
+@@ -1742,12 +1744,12 @@ getcmdline_int(
+ 		    else
+ 		    {
+ 			im_set_active(TRUE);	/* Enable input method */
+-			if (b_im_ptr != NULL)
++			if (b_im_ptr != NULL && buf_valid(b_im_ptr_buf))
+ 			    *b_im_ptr = B_IMODE_IM;
+ 		    }
+ 		}
+ #endif
+-		if (b_im_ptr != NULL)
++		if (b_im_ptr != NULL && buf_valid(b_im_ptr_buf))
+ 		{
+ 		    if (b_im_ptr == &curbuf->b_p_iminsert)
+ 			set_iminsert_global();
+@@ -2476,7 +2478,8 @@ getcmdline_int(
+ 
+     State = save_State;
+ #ifdef HAVE_INPUT_METHOD
+-    if (b_im_ptr != NULL && *b_im_ptr != B_IMODE_LMAP)
++    if (b_im_ptr != NULL && buf_valid(b_im_ptr_buf)
++						  && *b_im_ptr != B_IMODE_LMAP)
+ 	im_save_status(b_im_ptr);
+     im_set_active(FALSE);
+ #endif
+diff --git a/src/testdir/test_cmdwin.vim b/src/testdir/test_cmdwin.vim
+index d62673aba254..fe849bcc1686 100644
+--- /dev/null
++++ b/src/testdir/test_cmdwin.vim
+@@ -0,0 +0,12 @@
++" This was using a pointer to a freed buffer
++func Test_cmdwin_freed_buffer_ptr()
++  au BufEnter * next 0| file 
++  edit 0
++  silent! norm q/
++
++  au! BufEnter
++  bwipe!
++endfunc
++
++
++" vim: shiftwidth=2 sts=2 expandtab
+--- a/src/testdir/Make_all.mak
++++ b/src/testdir/Make_all.mak
+@@ -89,6 +89,7 @@
+ 	test_clientserver \
+ 	test_close_count \
+ 	test_cmdline \
++	test_cmdwin \
+ 	test_command_count \
+ 	test_comparators \
+ 	test_compiler \
+--- a/src/version.c
++++ b/src/version.c
+@@ -2618,6 +2618,7 @@
+     "8.2.3403",
+     "8.2.3409",
+     "8.2.3428",
++    "9.0.0490",
+ /**/
+     NULL
+ };