summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--debian/.gitlab-ci.yml23
-rw-r--r--debian/changelog14
-rw-r--r--debian/patches/CVE-2022-0318.patch104
-rw-r--r--debian/patches/CVE-2022-0392.patch130
-rw-r--r--debian/patches/CVE-2022-0629.patch59
-rw-r--r--debian/patches/CVE-2022-0696.patch69
-rw-r--r--debian/patches/CVE-2022-1619.patch74
-rw-r--r--debian/patches/CVE-2022-1621.patch114
-rw-r--r--debian/patches/CVE-2022-1785.patch89
-rw-r--r--debian/patches/CVE-2022-1897.patch149
-rw-r--r--debian/patches/CVE-2022-1942.patch122
-rw-r--r--debian/patches/CVE-2022-2000.patch65
-rw-r--r--debian/patches/CVE-2022-2129.patch65
-rw-r--r--debian/patches/CVE-2022-3235.patch116
-rw-r--r--debian/patches/CVE-2022-3256.patch73
-rw-r--r--debian/patches/CVE-2022-3352.patch69
-rw-r--r--debian/patches/series14
17 files changed, 1329 insertions, 20 deletions
diff --git a/debian/.gitlab-ci.yml b/debian/.gitlab-ci.yml
index 80c5e28..6c94c65 100644
--- a/debian/.gitlab-ci.yml
+++ b/debian/.gitlab-ci.yml
@@ -1,19 +1,4 @@
-.build_template: &build
- only:
- - branches
- before_script:
- - adduser --home /home/ci ci --quiet --disabled-login --gecos "" --uid 1000
- - apt-get -q update
- - env DEBIAN_FRONTEND=noninteractive apt-get -q -y -o Debug::pkgProblemResolver=yes build-dep .
- - env DEBIAN_FRONTEND=noninteractive apt-get -q -y -o Debug::pkgProblemResolver=yes install --no-install-recommends gitpkg fakeroot sudo
- - rm -rf ../deb-packages/vim
- - install -d -o ci ../deb-packages ../deb-packages/vim
- - export UPSTREAM_VERSION=$(dpkg-parsechangelog -SVersion | sed -e 's/^[0-9]*://' -e 's/\(.*\)-[^-]*/\1/')
- - sudo -u ci gitpkg --keep-unpacked-source "$CI_COMMIT_SHA" v"$UPSTREAM_VERSION"
- script:
- - cd ../deb-packages/vim/vim-"$UPSTREAM_VERSION"
- - sudo -u ci dpkg-buildpackage -us -uc
-
-test:buster:
- <<: *build
- image: debian:buster
+include:
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml
+variables:
+ RELEASE: 'buster'
diff --git a/debian/changelog b/debian/changelog
index 7471584..952d323 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+vim (2:8.1.0875-5+deb10u4) buster-security; urgency=medium
+
+ * Non-maintainer upload by the LTS team.
+ * Add missing CVE to previous changelog entry.
+ * Fix CVE-2022-0318, CVE-2022-0392, CVE-2022-0629,
+ CVE-2022-0696, CVE-2022-1619, CVE-2022-1621, CVE-2022-1785,
+ CVE-2022-1897, CVE-2022-1942, CVE-2022-2000, CVE-2022-2129,
+ CVE-2022-3235, CVE-2022-3256, CVE-2022-3352
+
+ -- Helmut Grohne <helmut@subdivi.de> Wed, 23 Nov 2022 15:54:38 +0100
+
vim (2:8.1.0875-5+deb10u3) buster-security; urgency=high
* Non-maintainer upload by the LTS team.
@@ -10,7 +21,8 @@ vim (2:8.1.0875-5+deb10u3) buster-security; urgency=high
CVE-2022-0943, CVE-2022-1154, CVE-2022-1616, CVE-2022-1720,
CVE-2022-1851, CVE-2022-1898, CVE_2022-1968, CVE-2022-2285,
CVE-2022-2304, CVE-2022-2598, CVE-2022-2946, CVE-2022-3099,
- CVE-2022-3134, CVE-2022-3234, CVE-2022-3324, CVE-2022-3705
+ CVE-2022-3134, CVE-2022-3234, CVE-2022-3324, CVE-2022-3705,
+ CVE-2021-3872
Multiple security vulnerabilities have been discovered in vim, an enhanced
vi editor. Buffer overflows, out-of-bounds reads and use-after-free may
lead to a denial-of-service (application crash) or other unspecified
diff --git a/debian/patches/CVE-2022-0318.patch b/debian/patches/CVE-2022-0318.patch
new file mode 100644
index 0000000..b2005a7
--- /dev/null
+++ b/debian/patches/CVE-2022-0318.patch
@@ -0,0 +1,104 @@
+From 57df9e8a9f9ae1aafdde9b86b10ad907627a87dc Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Thu, 20 Jan 2022 12:10:48 +0000
+Subject: [PATCH] patch 8.2.4151: reading beyond the end of a line
+
+Problem: Reading beyond the end of a line.
+Solution: For block insert only use the offset for correcting the length.
+---
+ src/ops.c | 19 ++-----------------
+ src/testdir/test_visual.vim | 9 +++++++++
+ src/version.c | 2 ++
+ 3 files changed, 13 insertions(+), 17 deletions(-)
+
+Backport:
+ * In Debian, this patch got swapped with CVE-2022-0261 aka
+ 9f8c304c8a390ade133bac29963dc8e56ab14cbc.
+ * We also backport the spaces check from
+ 4067bd3604215b48e4b4201e28f9e401b08418e4, see #1023818.
+ * We also backport the expected test output from
+ fc6ccebea668c49e9e617e0657421b6a8ed9df1e.
+ * Replace expr-.. by expr-.
+
+diff --git a/src/ops.c b/src/ops.c
+index a9968024901e..e0fa344d8ee6 100644
+--- a/src/ops.c
++++ b/src/ops.c
+@@ -629,24 +629,12 @@ block_insert(
+ }
+
+ if (has_mbyte && spaces > 0)
+- {
+- int off;
++ /* avoid copying part of a multi-byte character */
++ offset -= (*mb_head_off)(oldp, oldp + offset);
+
+- /* Avoid starting halfway a multi-byte character. */
+- if (b_insert)
+- {
+- off = (*mb_head_off)(oldp, oldp + offset + spaces);
+- spaces -= off;
+- count -= off;
+- }
+- else
+- {
+- // spaces fill the gap, the character that's at the edge moves
+- // right
+- off = (*mb_head_off)(oldp, oldp + offset);
+- offset -= off;
+- }
+- }
++ if (spaces < 0) // can happen when the cursor was moved
++ spaces = 0;
++
+ // Make sure the allocated size matches what is actually copied below.
+ newp = alloc_check((unsigned)(STRLEN(oldp)) + spaces + s_len
+ + (spaces > 0 && !bdp->is_short ? p_ts - spaces : 0)
+diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim
+index b438fa1e66c6..a187aa8e085e 100644
+--- a/src/testdir/test_visual.vim
++++ b/src/testdir/test_visual.vim
+@@ -417,6 +417,15 @@
+ bwipe!
+ endfunc
+
++func Test_visual_block_insert_round_off()
++ new
++ " The number of characters are tuned to fill a 4096 byte allocated block,
++ " so that valgrind reports going over the end.
++ call setline(1, ['xxxxx', repeat('0', 1350), "\t", repeat('x', 60)])
++ exe "normal gg0\<C-V>GI" . repeat('0', 1320) . "\<Esc>"
++ bwipe!
++endfunc
++
+ " CVE-2022-0361
+ func Test_visual_ex_copy_line()
+ new
+diff --git a/src/testdir/test_utf8.vim b/src/testdir/test_utf8.vim
+index 0210ce63c..862e73b9a 100644
+--- a/src/testdir/test_utf8.vim
++++ b/src/testdir/test_utf8.vim
+@@ -6,7 +6,7 @@ func Test_visual_block_insert()
+ new
+ call setline(1, ["aaa", "あああ", "bbb"])
+ exe ":norm! gg0l\<C-V>jjIx\<Esc>"
+- call assert_equal(['axaa', 'xあああ', 'bxbb'], getline(1, '$'))
++ call assert_equal(['axaa', ' xあああ', 'bxbb'], getline(1, '$'))
+ bwipeout!
+ endfunc
+
+diff --git a/src/version.c b/src/version.c
+index 53f1619f94d4..227eaa958e2b 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -797,6 +797,10 @@ static char *(features[]) =
+ 5024,
+ /**/
+ 4214,
++/**/
++ 4152,
++/**/
++ 4151,
+ /**/
+ 4120,
+ /**/
diff --git a/debian/patches/CVE-2022-0392.patch b/debian/patches/CVE-2022-0392.patch
new file mode 100644
index 0000000..e410044
--- /dev/null
+++ b/debian/patches/CVE-2022-0392.patch
@@ -0,0 +1,130 @@
+From 806d037671e133bd28a7864248763f643967973a Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Tue, 25 Jan 2022 20:45:16 +0000
+Subject: [PATCH] patch 8.2.4218: illegal memory access with bracketed paste in
+ Ex mode
+
+Problem: Illegal memory access with bracketed paste in Ex mode.
+Solution: Reserve space for the trailing NUL.
+---
+ src/edit.c | 3 ++-
+ src/testdir/test_paste.vim | 3 +++
+ src/version.c | 2 ++
+ 3 files changed, 7 insertions(+), 1 deletion(-)
+
+From fe4bbac1166f2e4e3fa18cb966ec7305198c8176 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Mon, 20 Jan 2020 21:12:20 +0100
+Subject: [PATCH] patch 8.2.0135: bracketed paste can still cause invalid
+ memory access
+
+Problem: Bracketed paste can still cause invalid memory access. (Dominique
+ Pelle)
+Solution: Check for NULL pointer.
+---
+ src/edit.c | 2 +-
+ src/testdir/test_search.vim | 3 ++-
+ src/version.c | 2 ++
+ 3 files changed, 5 insertions(+), 2 deletions(-)
+
+Backport: drop included_patches 135 due to version bump
+
+From 98a336dd497d3422e7efeef9f24cc9e25aeb8a49 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Mon, 20 Jan 2020 20:22:30 +0100
+Subject: [PATCH] patch 8.2.0133: invalid memory access with search command
+
+Problem: Invalid memory access with search command.
+Solution: When :normal runs out of characters in bracketed paste mode break
+ out of the loop.(closes #5511)
+---
+ src/edit.c | 4 ++--
+ src/testdir/test_search.vim | 5 +++++
+ src/version.c | 2 ++
+ 3 files changed, 9 insertions(+), 2 deletions(-)
+
+Backport: drop included_patches 135 due to version bump
+
+diff --git a/src/edit.c b/src/edit.c
+index ee3caf0dad50..2b5301100ddb 100644
+--- a/src/edit.c
++++ b/src/edit.c
+@@ -9183,7 +9183,7 @@ bracketed_paste(paste_mode_T mode, int drop, garray_T *gap)
+ int save_paste = p_paste;
+
+ /* If the end code is too long we can't detect it, read everything. */
+- if (STRLEN(end) >= NUMBUFLEN)
++ if (end != NULL && STRLEN(end) >= NUMBUFLEN)
+ end = NULL;
+ ++no_mapping;
+ allow_keys = 0;
+@@ -9201,9 +9201,9 @@ bracketed_paste(paste_mode_T mode, int drop, garray_T *gap)
+ {
+ c = vgetc();
+ } while (c == K_IGNORE || c == K_VER_SCROLLBAR || c == K_HOR_SCROLLBAR);
+- if (c == NUL || got_int)
++ if (c == NUL || got_int || (ex_normal_busy > 0 && c == Ctrl_C))
+ // When CTRL-C was encountered the typeahead will be flushed and we
+- // won't get the end sequence.
++ // won't get the end sequence. Except when using ":normal".
+ break;
+
+ if (has_mbyte)
+@@ -9226,7 +9226,8 @@ bracketed_paste(paste_mode_T mode, int drop, garray_T *gap)
+ break;
+
+ case PASTE_EX:
+- if (gap != NULL && ga_grow(gap, idx) == OK)
++ /* add one for the NUL that is going to be appended */
++ if (gap != NULL && ga_grow(gap, idx + 1) == OK)
+ {
+ mch_memmove((char *)gap->ga_data + gap->ga_len,
+ buf, (size_t)idx);
+diff --git a/src/testdir/test_paste.vim b/src/testdir/test_paste.vim
+index c94fe7c357ed..5b8d8a0e3e2d 100644
+--- a/src/testdir/test_paste.vim
++++ b/src/testdir/test_paste.vim
+@@ -84,6 +84,16 @@
+ call assert_equal("\"afoo\<CR>barb", getreg(':'))
+ endfunc
+
++" bracketed paste in Ex-mode
++func Test_paste_ex_mode()
++ unlet! foo
++ call feedkeys("Qlet foo=\"\<Esc>[200~foo\<CR>bar\<Esc>[201~\"\<CR>vi\<CR>", 'xt')
++ call assert_equal("foo\rbar", foo)
++
++ " pasting more than 40 bytes
++ exe "norm Q\<PasteStart>0000000000000000000000000000000000000000000000000000000000000000000000\<C-C>"
++endfunc
++
+ func Test_paste_visual_mode()
+ new
+ call setline(1, 'here are some words')
+diff --git a/src/testdir/test_search.vim b/src/testdir/test_search.vim
+index 60152f602..89ca6e131 100644
+--- a/src/testdir/test_search.vim
++++ b/src/testdir/test_search.vim
+@@ -1187,3 +1187,9 @@
+ call assert_equal(bufcontent[1], @/)
+ call Incsearch_cleanup()
+ endfunc
++
++func Test_search_special()
++ " this was causing illegal memory access and an endless loop
++ set t_PE=
++ exe "norm /\x80PS"
++endfunc
+diff --git a/src/version.c b/src/version.c
+index 6685b554f537..9dcf34928f8d 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -795,6 +795,8 @@ static char *(features[]) =
+ 805,
+ /**/
+ 5024,
++/**/
++ 4218,
+ /**/
+ 4214,
+ /**/
diff --git a/debian/patches/CVE-2022-0629.patch b/debian/patches/CVE-2022-0629.patch
new file mode 100644
index 0000000..b3348ef
--- /dev/null
+++ b/debian/patches/CVE-2022-0629.patch
@@ -0,0 +1,59 @@
+From 34f8117dec685ace52cd9e578e2729db278163fc Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Wed, 16 Feb 2022 12:16:19 +0000
+Subject: [PATCH] patch 8.2.4397: crash when using many composing characters in
+ error message
+
+Problem: Crash when using many composing characters in error message.
+Solution: Use mb_cptr2char_adv() instead of mb_ptr2char_adv().
+---
+ src/testdir/test_assert.vim | 8 ++++++++
+ src/testing.c | 2 +-
+ src/version.c | 2 ++
+ 3 files changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/src/testdir/test_assert.vim b/src/testdir/test_assert.vim
+index 8987f3f8dfcd..27b2d73fbfc8 100644
+--- a/src/testdir/test_assert.vim
++++ b/src/testdir/test_assert.vim
+@@ -35,6 +35,14 @@ func Test_assert_equal()
+ call assert_equal('XxxxxxxxxxxxxxxxxxxxxxX', 'XyyyyyyyyyyyyyyyyyyyyyyyyyX')
+ call assert_match("Expected 'X\\\\\\[x occurs 21 times]X' but got 'X\\\\\\[y occurs 25 times]X'", v:errors[0])
+ call remove(v:errors, 0)
++
++ " many composing characters are handled properly
++ call setline(1, ' ')
++ norm 100gr݀
++ call assert_equal(1, getline(1))
++ call assert_match("Expected 1 but got '.* occurs 100 times]'", v:errors[0])
++ call remove(v:errors, 0)
++ bwipe!
+ endfunc
+
+ func Test_assert_equalfile()
+diff --git a/src/testing.c b/src/testing.c
+index 448c01c1e964..48ba14d2cafd 100644
+--- a/src/eval.c
++++ b/src/eval.c
+@@ -101,7 +101,7 @@ ga_concat_shorten_esc(garray_T *gap, char_u *str)
+ {
+ same_len = 1;
+ s = p;
+- c = mb_ptr2char_adv(&s);
++ c = mb_cptr2char_adv(&s);
+ clen = s - p;
+ while (*s != NUL && c == mb_ptr2char(s))
+ {
+diff --git a/src/version.c b/src/version.c
+index fb1b8476e1a6..b4983661cadc 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -795,6 +795,8 @@ static char *(features[]) =
+ 805,
+ /**/
+ 5024,
++/**/
++ 4397,
+ /**/
+ 4218,
+ /**/
diff --git a/debian/patches/CVE-2022-0696.patch b/debian/patches/CVE-2022-0696.patch
new file mode 100644
index 0000000..0e1491e
--- /dev/null
+++ b/debian/patches/CVE-2022-0696.patch
@@ -0,0 +1,69 @@
+From 0f6e28f686dbb59ab3b562408ab9b2234797b9b1 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Sun, 20 Feb 2022 20:49:35 +0000
+Subject: [PATCH] patch 8.2.4428: crash when switching tabpage while in the
+ cmdline window
+
+Problem: Crash when switching tabpage while in the cmdline window.
+Solution: Disallow switching tabpage when in the cmdline window.
+---
+ src/evalvars.c | 14 ++------------
+ src/proto/window.pro | 1 +
+ src/usercmd.c | 24 ++++--------------------
+ src/version.c | 2 ++
+ src/window.c | 26 ++++++++++++++++++++++++++
+ 5 files changed, 35 insertions(+), 32 deletions(-)
+
+Backport: Since the old version dosn't do command line completion
+correctly, those parts are dropped and we only forbid switching the tab
+page.
+
+diff --git a/src/version.c b/src/version.c
+index c5f5c22f90ac..777476d80dce 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -795,6 +795,8 @@ static char *(features[]) =
+ 805,
+ /**/
+ 5024,
++/**/
++ 4428,
+ /**/
+ 4397,
+ /**/
+diff --git a/src/window.c b/src/window.c
+index 1f5e7096047c..b00ed977fc04 100644
+--- a/src/window.c
++++ b/src/window.c
+@@ -3656,6 +3656,14 @@ win_new_tabpage(int after)
+ tabpage_T *newtp;
+ int n;
+
++#ifdef FEAT_CMDWIN
++ if (cmdwin_type != 0)
++ {
++ emsg(_("E11: Invalid in command-line window; :q<CR> closes the window"));
++ return FAIL;
++ }
++#endif
++
+ newtp = alloc_tabpage();
+ if (newtp == NULL)
+ return FAIL;
+@@ -3997,6 +4005,7 @@ goto_tabpage(int n)
+ text_locked_msg();
+ return;
+ }
++ CHECK_CMDWIN;
+
+ /* If there is only one it can't work. */
+ if (first_tabpage->tp_next == NULL)
+@@ -4064,6 +4073,8 @@ goto_tabpage_tp(
+ int trigger_enter_autocmds,
+ int trigger_leave_autocmds)
+ {
++ CHECK_CMDWIN;
++
+ /* Don't repeat a message in another tab page. */
+ set_keep_msg(NULL, 0);
+
diff --git a/debian/patches/CVE-2022-1619.patch b/debian/patches/CVE-2022-1619.patch
new file mode 100644
index 0000000..121a1b7
--- /dev/null
+++ b/debian/patches/CVE-2022-1619.patch
@@ -0,0 +1,74 @@
+From ef02f16609ff0a26ffc6e20263523424980898fe Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Sat, 7 May 2022 10:49:10 +0100
+Subject: [PATCH] patch 8.2.4899: with latin1 encoding CTRL-W might go before
+ the cmdline
+
+Problem: With latin1 encoding CTRL-W might go before the start of the
+ command line.
+Solution: Check already being at the start of the command line.
+---
+ src/ex_getln.c | 11 +++++++----
+ src/testdir/test_cmdline.vim | 3 +++
+ src/version.c | 2 ++
+ 3 files changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/src/ex_getln.c b/src/ex_getln.c
+index a97024b35171..7020f5143a01 100644
+--- a/src/ex_getln.c
++++ b/src/ex_getln.c
+@@ -1635,10 +1635,13 @@
+ {
+ while (p > ccline.cmdbuff && vim_isspace(p[-1]))
+ --p;
+- i = vim_iswordc(p[-1]);
+- while (p > ccline.cmdbuff && !vim_isspace(p[-1])
+- && vim_iswordc(p[-1]) == i)
+- --p;
++ if (p > ccline.cmdbuff)
++ {
++ i = vim_iswordc(p[-1]);
++ while (p > ccline.cmdbuff && !vim_isspace(p[-1])
++ && vim_iswordc(p[-1]) == i)
++ --p;
++ }
+ }
+ else
+ --p;
+diff --git a/src/testdir/test_cmdline.vim b/src/testdir/test_cmdline.vim
+index 474638fb00d6..5a849f77f755 100644
+--- a/src/testdir/test_cmdline.vim
++++ b/src/testdir/test_cmdline.vim
+@@ -641,6 +641,19 @@
+ let &lines = lines
+ let &columns = columns
+ endfunc
++
++func Test_cmdline_remove_char()
++ let encoding_save = &encoding
++
++ for e in ['utf8', 'latin1']
++ exe 'set encoding=' . e
++
++ " This was going before the start in latin1.
++ call feedkeys(": \<C-W>\<CR>", 'tx')
++ endfor
++
++ let &encoding = encoding_save
++endfunc
+
+
+ set cpo&
+diff --git a/src/version.c b/src/version.c
+index 201d26f06eb9..05888c722e8e 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -795,6 +795,8 @@ static char *(features[]) =
+ 805,
+ /**/
+ 5024,
++/**/
++ 4899,
+ /**/
+ 4428,
+ /**/
diff --git a/debian/patches/CVE-2022-1621.patch b/debian/patches/CVE-2022-1621.patch
new file mode 100644
index 0000000..29f8532
--- /dev/null
+++ b/debian/patches/CVE-2022-1621.patch
@@ -0,0 +1,114 @@
+From 7c824682d2028432ee082703ef0ab399867a089b Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Sun, 8 May 2022 22:32:58 +0100
+Subject: [PATCH] patch 8.2.4919: can add invalid bytes with :spellgood
+
+Problem: Can add invalid bytes with :spellgood.
+Solution: Check for a valid word string.
+---
+ src/errors.h | 4 ++++
+ src/mbyte.c | 2 +-
+ src/spellfile.c | 10 ++++++++++
+ src/testdir/test_spell_utf8.vim | 5 +++++
+ src/version.c | 2 ++
+ 5 files changed, 22 insertions(+), 1 deletion(-)
+
+From fe978c2b6bb9d897d962595a4a51dd7a71dc8e89 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Sun, 8 May 2022 22:43:51 +0100
+Subject: [PATCH] patch 8.2.4921: spell test fails because of new illegal byte
+ check
+
+Problem: Spell test fails because of new illegal byte check.
+Solution: Remove the test.
+---
+ src/testdir/test_spell.vim | 8 --------
+ src/version.c | 2 ++
+ 2 files changed, 2 insertions(+), 8 deletions(-)
+
+diff --git a/src/mbyte.c b/src/mbyte.c
+index 2b7f9991ae14..a01a05140207 100644
+--- a/src/mbyte.c
++++ b/src/mbyte.c
+@@ -4047,7 +4047,7 @@ utf_find_illegal(void)
+ convert_setup(&vimconv, NULL, NULL);
+ }
+
+-#if defined(FEAT_GUI_GTK) || defined(PROTO)
++#if defined(FEAT_GUI_GTK) || defined(FEAT_SPELL) || defined(PROTO)
+ /*
+ * Return TRUE if string "s" is a valid utf-8 string.
+ * When "end" is NULL stop at the first NUL.
+diff --git a/src/spellfile.c b/src/spellfile.c
+index 22cf82da0872..f0d6d96a47f0 100644
+--- a/src/spellfile.c
++++ b/src/spellfile.c
+@@ -4361,6 +4361,10 @@ store_word(
+ int res = OK;
+ char_u *p;
+
++ // Avoid adding illegal bytes to the word tree.
++ if (enc_utf8 && !utf_valid_string(word, NULL))
++ return FAIL;
++
+ (void)spell_casefold(word, len, foldword, MAXWLEN);
+ for (p = pfxlist; res == OK; ++p)
+ {
+@@ -6167,6 +6171,12 @@ spell_add_word(
+ int i;
+ char_u *spf;
+
++ if (enc_utf8 && !utf_valid_string(word, NULL))
++ {
++ emsg(_("E1280: Illegal character in word"));
++ return;
++ }
++
+ if (idx == 0) /* use internal wordlist */
+ {
+ if (int_wordlist == NULL)
+diff --git a/src/testdir/test_spell_utf8.vim b/src/testdir/test_spell_utf8.vim
+index 79dc3e4a4a62..17fa23555818 100644
+--- a/src/testdir/test_spell.vim
++++ b/src/testdir/test_spell.vim
+@@ -476,16 +476,6 @@
+ bwipe!
+ endfunc
+
+-func Test_spell_single_word()
+- set spell
+- new
+- silent! norm 0R00
+- spell!
+- silent 0norm 0r$ Dvz=
+- set nospell
+- bwipe!
+-endfunc
+-
+ let g:test_data_aff1 = [
+ \"SET ISO8859-1",
+ \"TRY esianrtolcdugmphbyfvkwjkqxz-\xEB\xE9\xE8\xEA\xEF\xEE\xE4\xE0\xE2\xF6\xFC\xFB'ESIANRTOLCDUGMPHBYFVKWJKQXZ",
+@@ -936,3 +926,8 @@
+ \"SAL Z S",
+ \ ]
+
++" Invalid bytes may cause trouble when creating the word list.
++func Test_check_for_valid_word()
++ call assert_fails("spellgood! 0\xac", 'E1280:')
++endfunc
++
+diff --git a/src/version.c b/src/version.c
+index f949dd6d7ed0..c4f5655bf6c2 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -795,6 +795,10 @@ static char *(features[]) =
+ 805,
+ /**/
+ 5024,
++/**/
++ 4921,
++/**/
++ 4919,
+ /**/
+ 4899,
+ /**/
diff --git a/debian/patches/CVE-2022-1785.patch b/debian/patches/CVE-2022-1785.patch
new file mode 100644
index 0000000..1d3817f
--- /dev/null
+++ b/debian/patches/CVE-2022-1785.patch
@@ -0,0 +1,89 @@
+From e2bd8600b873d2cd1f9d667c28cba8b1dba18839 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Wed, 18 May 2022 13:11:57 +0100
+Subject: [PATCH] patch 8.2.4977: memory access error when substitute
+ expression changes window
+
+Problem: Memory access error when substitute expression changes window.
+Solution: Disallow changing window in substitute expression.
+---
+ src/ex_cmds.c | 11 +++++++++++
+ src/testdir/test_substitute.vim | 13 +++++++++++++
+ src/version.c | 2 ++
+ 3 files changed, 26 insertions(+)
+
+Backport: Use textlock instead of textwinlock. In this version, textwinlock
+ wasn't yet split out from textlock and it'll get merged back later.
+
+diff --git a/src/ex_cmds.c b/src/ex_cmds.c
+index 7e730becb48f..210e21fe7a5b 100644
+--- a/src/ex_cmds.c
++++ b/src/ex_cmds.c
+@@ -5576,12 +5576,17 @@ ex_substitute(exarg_T *eap)
+ /* Save flags for recursion. They can change for e.g.
+ * :s/^/\=execute("s#^##gn") */
+ subflags_save = subflags;
++
++ /* Disallow changing text or switching window in an expression. */
++ ++textlock;
+ #endif
+ /* get length of substitution part */
+ sublen = vim_regsub_multi(&regmatch,
+ sub_firstlnum - regmatch.startpos[0].lnum,
+ sub, sub_firstline, FALSE, p_magic, TRUE);
+ #ifdef FEAT_EVAL
++ --textlock;
++
+ /* Don't keep flags set by a recursive call. */
+ subflags = subflags_save;
+ if (subflags.do_count)
+@@ -5670,9 +5675,15 @@ ex_substitute(exarg_T *eap)
+ mch_memmove(new_end, sub_firstline + copycol, (size_t)copy_len);
+ new_end += copy_len;
+
++#ifdef FEAT_EVAL
++ ++textlock;
++#endif
+ (void)vim_regsub_multi(&regmatch,
+ sub_firstlnum - regmatch.startpos[0].lnum,
+ sub, new_end, TRUE, p_magic, TRUE);
++#ifdef FEAT_EVAL
++ --textlock;
++#endif
+ sub_nsubs++;
+ did_sub = TRUE;
+
+diff --git a/src/testdir/test_substitute.vim b/src/testdir/test_substitute.vim
+index f3fd7ab1ce77..a1c324ed8d20 100644
+--- a/src/testdir/test_substitute.vim
++++ b/src/testdir/test_substitute.vim
+@@ -517,3 +517,16 @@ func Test_using_old_sub()
+ set nocompatible
+ endfunc
+
++" This was switching windows in between computing the length and using it.
++func Test_sub_change_window()
++ silent! lfile
++ sil! norm o0000000000000000000000000000000000000000000000000000
++ func Repl()
++ lopen
++ endfunc
++ silent! s/\%')/\=Repl()
++ bwipe!
++ bwipe!
++ delfunc Repl
++endfunc
++
+diff --git a/src/version.c b/src/version.c
+index 4c63ea0771ad..782642b5d5a1 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -795,6 +795,8 @@ static char *(features[]) =
+ 805,
+ /**/
+ 5024,
++/**/
++ 4977,
+ /**/
+ 4921,
+ /**/
diff --git a/debian/patches/CVE-2022-1897.patch b/debian/patches/CVE-2022-1897.patch
new file mode 100644
index 0000000..1a44481
--- /dev/null
+++ b/debian/patches/CVE-2022-1897.patch
@@ -0,0 +1,149 @@
+From 338f1fc0ee3ca929387448fe464579d6113fa76a Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Thu, 26 May 2022 15:56:23 +0100
+Subject: [PATCH] patch 8.2.5023: substitute overwrites allocated buffer
+
+Problem: Substitute overwrites allocated buffer.
+Solution: Disallow undo when in a substitute command.
+---
+ src/normal.c | 42 ++++++++++++++++-----------------
+ src/testdir/test_substitute.vim | 22 +++++++++++++++++
+ src/undo.c | 6 +++++
+ src/version.c | 2 ++
+ 4 files changed, 51 insertions(+), 21 deletions(-)
+
+diff --git a/src/normal.c b/src/normal.c
+index bc3e29e1abaa..53c50dc8b368 100644
+--- a/src/normal.c
++++ b/src/normal.c
+@@ -514,6 +514,22 @@ find_command(int cmdchar)
+ return idx;
+ }
+
++/*
++ * If currently editing a cmdline or text is locked: beep and give an error
++ * message, return TRUE.
++ */
++ static int
++check_text_locked(oparg_T *oap)
++{
++ if (text_locked())
++ {
++ clearopbeep(oap);
++ text_locked_msg();
++ return TRUE;
++ }
++ return FALSE;
++}
++
+ /*
+ * Execute a command in Normal mode.
+ */
+@@ -775,14 +791,9 @@ normal_cmd(
+ goto normal_end;
+ }
+
+- if (text_locked() && (nv_cmds[idx].cmd_flags & NV_NCW))
+- {
+- /* This command is not allowed while editing a cmdline: beep. */
+- clearopbeep(oap);
+- text_locked_msg();
+- goto normal_end;
+- }
+- if ((nv_cmds[idx].cmd_flags & NV_NCW) && curbuf_locked())
++ if ((nv_cmds[idx].cmd_flags & NV_NCW)
++ && (check_text_locked(oap) || curbuf_locked()))
++ /* this command is not allowed now */
+ goto normal_end;
+
+ /*
+@@ -6164,12 +6175,8 @@ nv_gotofile(cmdarg_T *cap)
+ char_u *ptr;
+ linenr_T lnum = -1;
+
+- if (text_locked())
+- {
+- clearopbeep(cap->oap);
+- text_locked_msg();
++ if (check_text_locked(cap->oap))
+ return;
+- }
+ if (curbuf_locked())
+ {
+ clearop(cap->oap);
+@@ -8330,14 +8337,7 @@ nv_g_cmd(cmdarg_T *cap)
+
+ /* "gQ": improved Ex mode */
+ case 'Q':
+- if (text_locked())
+- {
+- clearopbeep(cap->oap);
+- text_locked_msg();
+- break;
+- }
+-
+- if (!checkclearopq(oap))
++ if (!check_text_locked(cap->oap) && !checkclearopq(oap))
+ do_exmode(TRUE);
+ break;
+
+diff --git a/src/testdir/test_substitute.vim b/src/testdir/test_substitute.vim
+index a1c324ed8d20..c8df09f4ec1e 100644
+--- a/src/testdir/test_substitute.vim
++++ b/src/testdir/test_substitute.vim
+@@ -530,3 +530,25 @@ func Test_sub_change_window()
+ delfunc Repl
+ endfunc
+
++" This was undoign a change in between computing the length and using it.
++func Do_Test_sub_undo_change()
++ new
++ norm o0000000000000000000000000000000000000000000000000000
++ silent! s/\%')/\=Repl()
++ bwipe!
++endfunc
++
++func Test_sub_undo_change()
++ func Repl()
++ silent! norm g-
++ endfunc
++ call Do_Test_sub_undo_change()
++
++ func! Repl()
++ silent earlier
++ endfunc
++ call Do_Test_sub_undo_change()
++
++ delfunc Repl
++endfunc
++
+diff --git a/src/undo.c b/src/undo.c
+index cac09f0f58df..81cc28e8b801 100644
+--- a/src/undo.c
++++ b/src/undo.c
+@@ -2278,6 +2278,12 @@ undo_time(
+ int above = FALSE;
+ int did_undo = TRUE;
+
++ if (text_locked())
++ {
++ text_locked_msg();
++ return;
++ }
++
+ /* First make sure the current undoable change is synced. */
+ if (curbuf->b_u_synced == FALSE)
+ u_sync(TRUE);
+diff --git a/src/version.c b/src/version.c
+index 9751865c7adf..cd6c33162204 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -795,6 +795,8 @@ static char *(features[]) =
+ 805,
+ /**/
+ 5024,
++/**/
++ 5023,
+ /**/
+ 4977,
+ /**/
diff --git a/debian/patches/CVE-2022-1942.patch b/debian/patches/CVE-2022-1942.patch
new file mode 100644
index 0000000..e2f5b9c
--- /dev/null
+++ b/debian/patches/CVE-2022-1942.patch
@@ -0,0 +1,122 @@
+From 71223e2db87c2bf3b09aecb46266b56cda26191d Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Mon, 30 May 2022 15:23:09 +0100
+Subject: [PATCH] patch 8.2.5043: can open a cmdline window from a substitute
+ expression
+
+Problem: Can open a cmdline window from a substitute expression.
+Solution: Disallow opening a command line window when text or buffer is
+ locked.
+---
+ src/buffer.c | 7 +------
+ src/ex_getln.c | 19 +++++++++++++++++++
+ src/proto/ex_getln.pro | 5 +++--
+ src/testdir/test_substitute.vim | 25 +++++++++++++++++++++++++
+ src/version.c | 2 ++
+ src/window.c | 5 +----
+ 6 files changed, 51 insertions(+), 12 deletions(-)
+
+Backport: Drop test case, because the expected E565 was only introduced in
+ 8.2.0670 and the testcase does not otherwise fail or issue messages in
+ valgrind.
+
+diff --git a/src/buffer.c b/src/buffer.c
+index efec431c822d..e775398d0294 100644
+--- a/src/buffer.c
++++ b/src/buffer.c
+@@ -2297,12 +2297,7 @@ buflist_getfile(
+ if (buf == curbuf)
+ return OK;
+
+- if (text_locked())
+- {
+- text_locked_msg();
+- return FAIL;
+- }
+- if (curbuf_locked())
++ if (text_or_buf_locked())
+ return FAIL;
+
+ /* altfpos may be changed by getfile(), get it now */
+diff --git a/src/ex_getln.c b/src/ex_getln.c
+index 9dadfbf2fabe..623bd1d4984a 100644
+--- a/src/ex_getln.c
++++ b/src/ex_getln.c
+@@ -2589,6 +2589,21 @@ get_text_locked_msg(void)
+ return e_secure;
+ }
+
++/*
++ * Check for text, window or buffer locked.
++ * Give an error message and return TRUE if something is locked.
++ */
++ int
++text_or_buf_locked(void)
++{
++ if (text_locked())
++ {
++ text_locked_msg();
++ return TRUE;
++ }
++ return curbuf_locked();
++}
++
+ /*
+ * Check if "curbuf_lock" or "allbuf_lock" is set and return TRUE when it is
+ * and give an error message.
+@@ -7188,6 +7203,10 @@ open_cmdwin(void)
+ int save_KeyTyped;
+ #endif
+
++ /* Can't do this when text or buffer is locked. */
++ if (text_or_buf_locked())
++ return K_IGNORE;
++
+ /* Can't do this recursively. Can't do it when typing a password. */
+ if (cmdwin_type != 0
+ # if defined(FEAT_CRYPT) || defined(FEAT_EVAL)
+diff --git a/src/proto/ex_getln.pro b/src/proto/ex_getln.pro
+index 8c8bd0ebd4cd..bcc310c7dd0e 100644
+--- a/src/proto/ex_getln.pro
++++ b/src/proto/ex_getln.pro
+@@ -5,6 +5,7 @@
+ int text_locked(void);
+ void text_locked_msg(void);
+ char *get_text_locked_msg(void);
++int text_or_buf_locked(void);
+ int curbuf_locked(void);
+ int allbuf_locked(void);
+ char_u *getexline(int c, void *cookie, int indent);
+diff --git a/src/version.c b/src/version.c
+index 18a1fdb41cb6..a15bb3ed8d6a 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -791,6 +791,8 @@ static char *(features[]) =
+
+ static int included_patches[] =
+ { /* Add new patch number below this line */
++/**/
++ 5043,
+ /**/
+ 805,
+ /**/
+diff --git a/src/window.c b/src/window.c
+index f2913d4a76ef..9b5ac97286cd 100644
+--- a/src/window.c
++++ b/src/window.c
+@@ -4173,14 +4173,11 @@ win_goto(win_T *wp)
+ win_T *owp = curwin;
+ #endif
+
+- if (text_locked())
++ if (text_or_buf_locked())
+ {
+ beep_flush();
+- text_locked_msg();
+ return;
+ }
+- if (curbuf_locked())
+- return;
+
+ if (wp->w_buffer != curbuf)
+ reset_VIsual_and_resel();
diff --git a/debian/patches/CVE-2022-2000.patch b/debian/patches/CVE-2022-2000.patch
new file mode 100644
index 0000000..7f1a1e6
--- /dev/null
+++ b/debian/patches/CVE-2022-2000.patch
@@ -0,0 +1,65 @@
+From 44a3f3353e0407e9fffee138125a6927d1c9e7e5 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Mon, 6 Jun 2022 15:38:21 +0100
+Subject: [PATCH] patch 8.2.5063: error for a command may go over the end of
+ IObuff
+
+Problem: Error for a command may go over the end of IObuff.
+Solution: Truncate the message.
+---
+ src/ex_docmd.c | 12 ++++++++++--
+ src/testdir/test_cmdline.vim | 5 +++++
+ src/version.c | 2 ++
+ 3 files changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/src/ex_docmd.c b/src/ex_docmd.c
+index cfb40e8d5cfa..634a1bcef566 100644
+--- a/src/ex_docmd.c
++++ b/src/ex_docmd.c
+@@ -3111,9 +3111,17 @@ parse_cmd_address(exarg_T *eap, char **errormsg, int silent)
+ static void
+ append_command(char_u *cmd)
+ {
+- char_u *s = cmd;
+- char_u *d;
++ size_t len = STRLEN(IObuff);
++ char_u *s = cmd;
++ char_u *d;
+
++ if (len > IOSIZE - 100)
++ {
++ // Not enough space, truncate and put in "...".
++ d = IObuff + IOSIZE - 100;
++ d -= mb_head_off(IObuff, d);
++ STRCPY(d, "...");
++ }
+ STRCAT(IObuff, ": ");
+ d = IObuff + STRLEN(IObuff);
+ while (*s != NUL && d - IObuff + 5 < IOSIZE)
+diff --git a/src/testdir/test_cmdline.vim b/src/testdir/test_cmdline.vim
+index 77965b3f65a3..2289c343e9f8 100644
+--- a/src/testdir/test_cmdline.vim
++++ b/src/testdir/test_cmdline.vim
+@@ -657,3 +657,9 @@
+
+
+ set cpo&
++
++func Test_long_error_message()
++ " the error should be truncated, not overrun IObuff
++ silent! norm Q00000000000000     000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000                                                                                                                                                                                                                        
++endfunc
++
+diff --git a/src/version.c b/src/version.c
+index 542028606dde..dd585c81afe9 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -791,6 +791,8 @@ static char *(features[]) =
+
+ static int included_patches[] =
+ { /* Add new patch number below this line */
++/**/
++ 5063,
+ /**/
+ 5043,
+ /**/
diff --git a/debian/patches/CVE-2022-2129.patch b/debian/patches/CVE-2022-2129.patch
new file mode 100644
index 0000000..70bdd57
--- /dev/null
+++ b/debian/patches/CVE-2022-2129.patch
@@ -0,0 +1,65 @@
+From d6211a52ab9f53b82f884561ed43d2fe4d24ff7d Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Sat, 18 Jun 2022 19:48:14 +0100
+Subject: [PATCH] patch 8.2.5126: substitute may overrun destination buffer
+
+Problem: Substitute may overrun destination buffer.
+Solution: Disallow switching buffers in a substitute expression.
+---
+ src/ex_docmd.c | 7 ++++---
+ src/testdir/test_substitute.vim | 13 +++++++++++++
+ src/version.c | 2 ++
+ 3 files changed, 19 insertions(+), 3 deletions(-)
+
+diff --git a/src/ex_docmd.c b/src/ex_docmd.c
+index fed9330b52e9..1185cd1550a6 100644
+--- a/src/ex_docmd.c
++++ b/src/ex_docmd.c
+@@ -8778,9 +8778,10 @@ do_exedit(
+ #endif
+ )
+ {
+- /* Can't edit another file when "curbuf_lock" is set. Only ":edit"
+- * can bring us here, others are stopped earlier. */
+- if (*eap->arg != NUL && curbuf_locked())
++ /* Can't edit another file when "textlock" or "curbuf_lock" is set.
++ * Only ":edit" or ":script" can bring us here, others are stopped
++ earlier. */
++ if (*eap->arg != NUL && text_or_buf_locked())
+ return;
+
+ n = readonlymode;
+diff --git a/src/testdir/test_substitute.vim b/src/testdir/test_substitute.vim
+index 46ea95513192..c056fa965692 100644
+--- a/src/testdir/test_substitute.vim
++++ b/src/testdir/test_substitute.vim
+@@ -552,3 +552,16 @@
+ delfunc Repl
+ endfunc
+
++" This was editing a script file from the expression
++func Test_sub_edit_scriptfile()
++ new
++ norm o0000000000000000000000000000000000000000000000000000
++ func EditScript()
++ silent! scr! Xfile
++ endfunc
++ s/\%')/\=EditScript()
++
++ delfunc EditScript
++ bwipe!
++endfunc
++
+diff --git a/src/version.c b/src/version.c
+index 82ac4eaf2dd9..2f397ae315f7 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -791,6 +791,8 @@ static char *(features[]) =
+
+ static int included_patches[] =
+ { /* Add new patch number below this line */
++/**/
++ 5126,
+ /**/
+ 5063,
+ /**/
diff --git a/debian/patches/CVE-2022-3235.patch b/debian/patches/CVE-2022-3235.patch
new file mode 100644
index 0000000..fc3e20e
--- /dev/null
+++ b/debian/patches/CVE-2022-3235.patch
@@ -0,0 +1,116 @@
+From 1c3dd8ddcba63c1af5112e567215b3cec2de11d0 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Sat, 17 Sep 2022 19:43:23 +0100
+Subject: [PATCH] patch 9.0.0490: using freed memory with cmdwin and BufEnter
+ autocmd
+
+Problem: Using freed memory with cmdwin and BufEnter autocmd.
+Solution: Make sure pointer to b_p_iminsert is still valid.
+---
+ src/ex_getln.c | 8 ++++++--
+ src/testdir/test_cmdwin.vim | 10 ++++++++++
+ src/version.c | 2 ++
+ 3 files changed, 18 insertions(+), 2 deletions(-)
+
+Backport: rewrote b_im_ptr handling
+
+diff --git a/src/ex_getln.c b/src/ex_getln.c
+index 70436b31f05e..a4fb61145c96 100644
+--- a/src/ex_getln.c
++++ b/src/ex_getln.c
+@@ -858,6 +858,7 @@ getcmdline_int(
+ #endif
+ expand_T xpc;
+ long *b_im_ptr = NULL;
++ buf_T *b_im_ptr_buf = NULL; // buffer where b_im_ptr is valid
+ struct cmdline_info save_ccline;
+ int did_save_ccline = FALSE;
+ int cmdline_type;
+@@ -968,6 +969,7 @@ getcmdline_int(
+ b_im_ptr = &curbuf->b_p_iminsert;
+ else
+ b_im_ptr = &curbuf->b_p_imsearch;
++ b_im_ptr_buf = curbuf;
+ if (*b_im_ptr == B_IMODE_LMAP)
+ State |= LANGMAP;
+ #ifdef HAVE_INPUT_METHOD
+@@ -1718,7 +1720,7 @@ getcmdline_int(
+ #ifdef HAVE_INPUT_METHOD
+ im_set_active(FALSE); /* Disable input method */
+ #endif
+- if (b_im_ptr != NULL)
++ if (b_im_ptr != NULL && buf_valid(b_im_ptr_buf))
+ {
+ if (State & LANGMAP)
+ *b_im_ptr = B_IMODE_LMAP;
+@@ -1732,7 +1734,7 @@ getcmdline_int(
+ /* There are no ":lmap" mappings, toggle IM. When
+ * 'imdisable' is set don't try getting the status, it's
+ * always off. */
+- if ((p_imdisable && b_im_ptr != NULL)
++ if ((p_imdisable && b_im_ptr != NULL && buf_valid(b_im_ptr_buf))
+ ? *b_im_ptr == B_IMODE_IM : im_get_status())
+ {
+ im_set_active(FALSE); /* Disable input method */
+@@ -1742,12 +1744,12 @@ getcmdline_int(
+ else
+ {
+ im_set_active(TRUE); /* Enable input method */
+- if (b_im_ptr != NULL)
++ if (b_im_ptr != NULL && buf_valid(b_im_ptr_buf))
+ *b_im_ptr = B_IMODE_IM;
+ }
+ }
+ #endif
+- if (b_im_ptr != NULL)
++ if (b_im_ptr != NULL && buf_valid(b_im_ptr_buf))
+ {
+ if (b_im_ptr == &curbuf->b_p_iminsert)
+ set_iminsert_global();
+@@ -2476,7 +2478,8 @@ getcmdline_int(
+
+ State = save_State;
+ #ifdef HAVE_INPUT_METHOD
+- if (b_im_ptr != NULL && *b_im_ptr != B_IMODE_LMAP)
++ if (b_im_ptr != NULL && buf_valid(b_im_ptr_buf)
++ && *b_im_ptr != B_IMODE_LMAP)
+ im_save_status(b_im_ptr);
+ im_set_active(FALSE);
+ #endif
+diff --git a/src/testdir/test_cmdwin.vim b/src/testdir/test_cmdwin.vim
+index d62673aba254..fe849bcc1686 100644
+--- /dev/null
++++ b/src/testdir/test_cmdwin.vim
+@@ -0,0 +0,12 @@
++" This was using a pointer to a freed buffer
++func Test_cmdwin_freed_buffer_ptr()
++ au BufEnter * next 0| file
++ edit 0
++ silent! norm q/
++
++ au! BufEnter
++ bwipe!
++endfunc
++
++
++" vim: shiftwidth=2 sts=2 expandtab
+--- a/src/testdir/Make_all.mak
++++ b/src/testdir/Make_all.mak
+@@ -89,6 +89,7 @@
+ test_clientserver \
+ test_close_count \
+ test_cmdline \
++ test_cmdwin \
+ test_command_count \
+ test_comparators \
+ test_compiler \
+--- a/src/version.c
++++ b/src/version.c
+@@ -2618,6 +2618,7 @@
+ "8.2.3403",
+ "8.2.3409",
+ "8.2.3428",
++ "9.0.0490",
+ /**/
+ NULL
+ };
diff --git a/debian/patches/CVE-2022-3256.patch b/debian/patches/CVE-2022-3256.patch
new file mode 100644
index 0000000..ab1abab
--- /dev/null
+++ b/debian/patches/CVE-2022-3256.patch
@@ -0,0 +1,73 @@
+From 8ecfa2c56b4992c7f067b92488aa9acea5a454ad Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Wed, 21 Sep 2022 13:07:22 +0100
+Subject: [PATCH] patch 9.0.0530: using freed memory when autocmd changes mark
+
+Problem: Using freed memory when autocmd changes mark.
+Solution: Copy the mark before editing another buffer.
+---
+ src/mark.c | 12 +++++++-----
+ src/testdir/test_marks.vim | 13 +++++++++++++
+ src/version.c | 2 ++
+ 3 files changed, 22 insertions(+), 5 deletions(-)
+
+diff --git a/src/mark.c b/src/mark.c
+index ade5a1087b7d..584db033d3ca 100644
+--- a/src/mark.c
++++ b/src/mark.c
+@@ -252,17 +252,19 @@ movemark(int count)
+ fname2fnum(jmp);
+ if (jmp->fmark.fnum != curbuf->b_fnum)
+ {
+- /* jump to other file */
+- if (buflist_findnr(jmp->fmark.fnum) == NULL)
++ /* Make a copy, an autocommand may make "jmp" invalid. */
++ fmark_T fmark = jmp->fmark;
++
++ /* jump to the file with the mark */
++ if (buflist_findnr(fmark.fnum) == NULL)
+ { /* Skip this one .. */
+ count += count < 0 ? -1 : 1;
+ continue;
+ }
+- if (buflist_getfile(jmp->fmark.fnum, jmp->fmark.mark.lnum,
+- 0, FALSE) == FAIL)
++ if (buflist_getfile(fmark.fnum, fmark.mark.lnum, 0, FALSE) == FAIL)
+ return (pos_T *)NULL;
+ /* Set lnum again, autocommands my have changed it */
+- curwin->w_cursor = jmp->fmark.mark;
++ curwin->w_cursor = fmark.mark;
+ pos = (pos_T *)-1;
+ }
+ else
+diff --git a/src/testdir/test_marks.vim b/src/testdir/test_marks.vim
+index 12501a3aba07..20fb3041f244 100644
+--- a/src/testdir/test_marks.vim
++++ b/src/testdir/test_marks.vim
+@@ -174,3 +174,16 @@ func Test_getmarklist()
+ call assert_fails('mark xx', 'E488:')
+ call assert_fails('mark _', 'E191:')
+ endfunc
++" This was using freed memory
++func Test_jump_mark_autocmd()
++ next 00
++ edit 0
++ sargument
++ au BufEnter 0 all
++ sil norm 
++
++ au! BufEnter
++ bwipe!
++endfunc
++
++
+--- a/src/version.c
++++ b/src/version.c
+@@ -2619,6 +2619,7 @@
+ "8.2.3409",
+ "8.2.3428",
+ "9.0.0490",
++ "9.0.0530",
+ /**/
+ NULL
+ };
diff --git a/debian/patches/CVE-2022-3352.patch b/debian/patches/CVE-2022-3352.patch
new file mode 100644
index 0000000..f55e40d
--- /dev/null
+++ b/debian/patches/CVE-2022-3352.patch
@@ -0,0 +1,69 @@
+From ef976323e770315b5fca544efb6b2faa25674d15 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Wed, 28 Sep 2022 11:48:30 +0100
+Subject: [PATCH] patch 9.0.0614: SpellFileMissing autocmd may delete buffer
+
+Problem: SpellFileMissing autocmd may delete buffer.
+Solution: Disallow deleting the current buffer to avoid using freed memory.
+---
+ src/buffer.c | 7 ++++++-
+ src/spell.c | 6 ++++++
+ src/testdir/test_autocmd.vim | 10 ++++++++++
+ src/version.c | 2 ++
+ 4 files changed, 24 insertions(+), 1 deletion(-)
+
+Backport: src/buffer.c isn't vulnerable yet
+
+diff --git a/src/spell.c b/src/spell.c
+index 628814fe6db3..975b5a6789a9 100644
+--- a/src/spell.c
++++ b/src/spell.c
+@@ -1813,6 +1813,10 @@ spell_load_lang(char_u *lang)
+ sl.sl_slang = NULL;
+ sl.sl_nobreak = FALSE;
+
++ // Disallow deleting the current buffer. Autocommands can do weird things
++ // and cause "lang" to be freed.
++ ++curbuf->b_locked;
++
+ /* We may retry when no spell file is found for the language, an
+ * autocommand may load it then. */
+ for (round = 1; round <= 2; ++round)
+@@ -1866,6 +1870,8 @@ spell_load_lang(char_u *lang)
+ STRCPY(fname_enc + STRLEN(fname_enc) - 3, "add.spl");
+ do_in_runtimepath(fname_enc, DIP_ALL, spell_load_cb, &sl);
+ }
++
++ --curbuf->b_locked;
+ }
+
+ /*
+diff --git a/src/testdir/test_autocmd.vim b/src/testdir/test_autocmd.vim
+index 86732f15dbe4..70f0f553a226 100644
+--- a/src/testdir/test_autocmd.vim
++++ b/src/testdir/test_autocmd.vim
+@@ -1416,3 +1416,14 @@
+ endfunc
+
+ " FileChangedShell tested in test_filechanged.vim
++
++" this was wiping out the current buffer and using freed memory
++func Test_SpellFileMissing_bwipe()
++ next 0
++ au SpellFileMissing 0 bwipe
++ call assert_fails('set spell spelllang=0', 'E937:')
++
++ au! SpellFileMissing
++ bwipe
++endfunc
++
+--- a/src/version.c
++++ b/src/version.c
+@@ -2620,6 +2620,7 @@
+ "8.2.3428",
+ "9.0.0490",
+ "9.0.0530",
++ "9.0.0614",
+ /**/
+ NULL
+ };
diff --git a/debian/patches/series b/debian/patches/series
index 5cb3483..acb4b8e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -62,3 +62,17 @@ CVE-2022-3134.patch
CVE-2022-3234.patch
CVE-2022-3324.patch
CVE-2022-3705.patch
+CVE-2022-0318.patch
+CVE-2022-0392.patch
+CVE-2022-0629.patch
+CVE-2022-0696.patch
+CVE-2022-1619.patch
+CVE-2022-1621.patch
+CVE-2022-1785.patch
+CVE-2022-1897.patch
+CVE-2022-1942.patch
+CVE-2022-2000.patch
+CVE-2022-2129.patch
+CVE-2022-3235.patch
+CVE-2022-3256.patch
+CVE-2022-3352.patch