diff options
50 files changed, 402 insertions, 314 deletions
diff --git a/debian/changelog b/debian/changelog index 952d323..f9b22b7 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,13 @@ +vim (2:8.1.0875-5+deb10u5) buster-security; urgency=high + + * Non-maintainer upload by the LTS team. + * Fix CVE-2022-4141, CVE-2023-0054, CVE-2023-1175, CVE-2023-2610: + Multiple security vulnerabilities have been discovered in vim, an enhanced + vi editor. Buffer overflows and out-of-bounds reads may lead to a + denial-of-service (application crash) or other unspecified impact. + + -- Markus Koschany <apo@debian.org> Mon, 12 Jun 2023 16:23:03 +0200 + vim (2:8.1.0875-5+deb10u4) buster-security; urgency=medium * Non-maintainer upload by the LTS team. diff --git a/debian/patches/CVE-2022-0318.patch b/debian/patches/CVE-2022-0318.patch index b2005a7..efe9eca 100644 --- a/debian/patches/CVE-2022-0318.patch +++ b/debian/patches/CVE-2022-0318.patch @@ -20,8 +20,6 @@ Backport: fc6ccebea668c49e9e617e0657421b6a8ed9df1e. * Replace expr-.. by expr-. -diff --git a/src/ops.c b/src/ops.c -index a9968024901e..e0fa344d8ee6 100644 --- a/src/ops.c +++ b/src/ops.c @@ -629,24 +629,12 @@ block_insert( @@ -32,6 +30,9 @@ index a9968024901e..e0fa344d8ee6 100644 - int off; + /* avoid copying part of a multi-byte character */ + offset -= (*mb_head_off)(oldp, oldp + offset); ++ ++ if (spaces < 0) // can happen when the cursor was moved ++ spaces = 0; - /* Avoid starting halfway a multi-byte character. */ - if (b_insert) @@ -48,17 +49,12 @@ index a9968024901e..e0fa344d8ee6 100644 - offset -= off; - } - } -+ if (spaces < 0) // can happen when the cursor was moved -+ spaces = 0; -+ // Make sure the allocated size matches what is actually copied below. newp = alloc_check((unsigned)(STRLEN(oldp)) + spaces + s_len + (spaces > 0 && !bdp->is_short ? p_ts - spaces : 0) -diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim -index b438fa1e66c6..a187aa8e085e 100644 --- a/src/testdir/test_visual.vim +++ b/src/testdir/test_visual.vim -@@ -417,6 +417,15 @@ +@@ -417,6 +417,15 @@ func Test_visual_block_append_invalid_ch bwipe! endfunc @@ -74,8 +70,6 @@ index b438fa1e66c6..a187aa8e085e 100644 " CVE-2022-0361 func Test_visual_ex_copy_line() new -diff --git a/src/testdir/test_utf8.vim b/src/testdir/test_utf8.vim -index 0210ce63c..862e73b9a 100644 --- a/src/testdir/test_utf8.vim +++ b/src/testdir/test_utf8.vim @@ -6,7 +6,7 @@ func Test_visual_block_insert() @@ -87,18 +81,16 @@ index 0210ce63c..862e73b9a 100644 bwipeout! endfunc -diff --git a/src/version.c b/src/version.c -index 53f1619f94d4..227eaa958e2b 100644 --- a/src/version.c +++ b/src/version.c -@@ -797,6 +797,10 @@ static char *(features[]) = - 5024, +@@ -798,6 +798,10 @@ static int included_patches[] = /**/ 4214, -+/**/ + /**/ + 4152, +/**/ + 4151, - /**/ ++/**/ 4120, /**/ + 1401, diff --git a/debian/patches/CVE-2022-0319.patch b/debian/patches/CVE-2022-0319.patch index f8c0add..680eddc 100644 --- a/debian/patches/CVE-2022-0319.patch +++ b/debian/patches/CVE-2022-0319.patch @@ -8,8 +8,6 @@ Origin: https://github.com/vim/vim/commit/05b27615481e72e3b338bb12990fb3e0c2ecc2 src/window.c | 5 +++++ 2 files changed, 15 insertions(+) -diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim -index afeb4da..0841952 100644 --- a/src/testdir/test_visual.vim +++ b/src/testdir/test_visual.vim @@ -3,6 +3,16 @@ if !has('visual') @@ -29,8 +27,6 @@ index afeb4da..0841952 100644 func Test_block_shift_multibyte() " Uses double-wide character. -diff --git a/src/window.c b/src/window.c -index f78fcca..7c7f580 100644 --- a/src/window.c +++ b/src/window.c @@ -1576,6 +1576,11 @@ win_exchange(long Prenum) diff --git a/debian/patches/CVE-2022-0351.patch b/debian/patches/CVE-2022-0351.patch index 59d38ae..cdce98c 100644 --- a/debian/patches/CVE-2022-0351.patch +++ b/debian/patches/CVE-2022-0351.patch @@ -8,8 +8,6 @@ Origin: https://github.com/vim/vim/commit/fe6fb267e6ee5c5da2f41889e4e0e0ac5bf4b8 src/testdir/test_eval_stuff.vim | 5 +++++ 2 files changed, 15 insertions(+) -diff --git a/src/eval.c b/src/eval.c -index 3f9db7d..00c73a6 100644 --- a/src/eval.c +++ b/src/eval.c @@ -4159,6 +4159,7 @@ eval7( @@ -43,8 +41,6 @@ index 3f9db7d..00c73a6 100644 return ret; } -diff --git a/src/testdir/test_eval_stuff.vim b/src/testdir/test_eval_stuff.vim -index f4b3598..6c48c48 100644 --- a/src/testdir/test_eval_stuff.vim +++ b/src/testdir/test_eval_stuff.vim @@ -94,3 +94,8 @@ func Test_let_errmsg() diff --git a/debian/patches/CVE-2022-0359.patch b/debian/patches/CVE-2022-0359.patch index e2b8ff3..6ca8edf 100644 --- a/debian/patches/CVE-2022-0359.patch +++ b/debian/patches/CVE-2022-0359.patch @@ -9,8 +9,6 @@ Origin: https://github.com/vim/vim/commit/85b6747abc15a7a81086db31289cf1b8b17e6c src/version.c | 2 ++ 3 files changed, 12 insertions(+), 1 deletion(-) -diff --git a/src/ex_getln.c b/src/ex_getln.c -index cba082a..328450c 100644 --- a/src/ex_getln.c +++ b/src/ex_getln.c @@ -898,7 +898,7 @@ getcmdline_int( @@ -22,8 +20,6 @@ index cba082a..328450c 100644 if (ccline.cmdbuff == NULL) goto theend; // out of memory ccline.cmdlen = ccline.cmdpos = 0; -diff --git a/src/testdir/test_ex_equal.vim b/src/testdir/test_ex_equal.vim -index 03cfc46..fa00072 100644 --- a/src/testdir/test_ex_equal.vim +++ b/src/testdir/test_ex_equal.vim @@ -43,3 +43,12 @@ func Test_open_command_flush_line() @@ -39,16 +35,14 @@ index 03cfc46..fa00072 100644 + set ts=8 noai + bwipe! +endfunc -diff --git a/src/version.c b/src/version.c -index 0a29ebb..586e9ca 100644 --- a/src/version.c +++ b/src/version.c -@@ -791,6 +791,8 @@ static char *(features[]) = - +@@ -792,6 +792,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ -+/**/ -+ 4214, /**/ ++ 4214, ++/**/ 4120, /**/ + 1401, diff --git a/debian/patches/CVE-2022-0361.patch b/debian/patches/CVE-2022-0361.patch index d1354ed..dae21d1 100644 --- a/debian/patches/CVE-2022-0361.patch +++ b/debian/patches/CVE-2022-0361.patch @@ -8,11 +8,9 @@ Origin: https://github.com/vim/vim/commit/dc5490e2cbc8c16022a23b449b48c1bd0083f3 src/testdir/test_visual.vim | 11 +++++++++++ 2 files changed, 13 insertions(+) -diff --git a/src/ex_cmds.c b/src/ex_cmds.c -index 0b732c2..b18f58c 100644 --- a/src/ex_cmds.c +++ b/src/ex_cmds.c -@@ -1074,6 +1074,8 @@ ex_copy(linenr_T line1, linenr_T line2, linenr_T n) +@@ -1074,6 +1074,8 @@ ex_copy(linenr_T line1, linenr_T line2, } appended_lines_mark(n, count); @@ -21,11 +19,9 @@ index 0b732c2..b18f58c 100644 msgmore((long)count); } -diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim -index 0841952..e361f97 100644 --- a/src/testdir/test_visual.vim +++ b/src/testdir/test_visual.vim -@@ -417,3 +417,14 @@ func Test_visual_block_append_invalid_char() +@@ -417,3 +417,14 @@ func Test_visual_block_append_invalid_ch bwipe! endfunc diff --git a/debian/patches/CVE-2022-0368.patch b/debian/patches/CVE-2022-0368.patch index 23b8f91..883c57a 100644 --- a/debian/patches/CVE-2022-0368.patch +++ b/debian/patches/CVE-2022-0368.patch @@ -8,8 +8,6 @@ Origin: https://github.com/vim/vim/commit/8d02ce1ed75d008c34a5c9aaa51b67cbb9d33b src/undo.c | 2 ++ 2 files changed, 16 insertions(+) -diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim -index e361f97..1454877 100644 --- a/src/testdir/test_visual.vim +++ b/src/testdir/test_visual.vim @@ -428,3 +428,17 @@ func Test_visual_ex_copy_line() @@ -30,8 +28,6 @@ index e361f97..1454877 100644 + bwipe! +endfunc + -diff --git a/src/undo.c b/src/undo.c -index 6b6dd47..6da9c1a 100644 --- a/src/undo.c +++ b/src/undo.c @@ -2965,6 +2965,8 @@ u_undo_end( diff --git a/debian/patches/CVE-2022-0392.patch b/debian/patches/CVE-2022-0392.patch index e410044..fb8d96a 100644 --- a/debian/patches/CVE-2022-0392.patch +++ b/debian/patches/CVE-2022-0392.patch @@ -45,11 +45,9 @@ Solution: When :normal runs out of characters in bracketed paste mode break Backport: drop included_patches 135 due to version bump -diff --git a/src/edit.c b/src/edit.c -index ee3caf0dad50..2b5301100ddb 100644 --- a/src/edit.c +++ b/src/edit.c -@@ -9183,7 +9183,7 @@ bracketed_paste(paste_mode_T mode, int drop, garray_T *gap) +@@ -9183,7 +9183,7 @@ bracketed_paste(paste_mode_T mode, int d int save_paste = p_paste; /* If the end code is too long we can't detect it, read everything. */ @@ -58,7 +56,7 @@ index ee3caf0dad50..2b5301100ddb 100644 end = NULL; ++no_mapping; allow_keys = 0; -@@ -9201,9 +9201,9 @@ bracketed_paste(paste_mode_T mode, int drop, garray_T *gap) +@@ -9201,9 +9201,9 @@ bracketed_paste(paste_mode_T mode, int d { c = vgetc(); } while (c == K_IGNORE || c == K_VER_SCROLLBAR || c == K_HOR_SCROLLBAR); @@ -70,7 +68,7 @@ index ee3caf0dad50..2b5301100ddb 100644 break; if (has_mbyte) -@@ -9226,7 +9226,8 @@ bracketed_paste(paste_mode_T mode, int drop, garray_T *gap) +@@ -9226,7 +9226,8 @@ bracketed_paste(paste_mode_T mode, int d break; case PASTE_EX: @@ -80,11 +78,9 @@ index ee3caf0dad50..2b5301100ddb 100644 { mch_memmove((char *)gap->ga_data + gap->ga_len, buf, (size_t)idx); -diff --git a/src/testdir/test_paste.vim b/src/testdir/test_paste.vim -index c94fe7c357ed..5b8d8a0e3e2d 100644 --- a/src/testdir/test_paste.vim +++ b/src/testdir/test_paste.vim -@@ -84,6 +84,16 @@ +@@ -84,6 +84,16 @@ func Test_paste_cmdline() call assert_equal("\"afoo\<CR>barb", getreg(':')) endfunc @@ -101,11 +97,9 @@ index c94fe7c357ed..5b8d8a0e3e2d 100644 func Test_paste_visual_mode() new call setline(1, 'here are some words') -diff --git a/src/testdir/test_search.vim b/src/testdir/test_search.vim -index 60152f602..89ca6e131 100644 --- a/src/testdir/test_search.vim +++ b/src/testdir/test_search.vim -@@ -1187,3 +1187,9 @@ +@@ -1187,3 +1187,9 @@ func Test_search_Ctrl_L_combining() call assert_equal(bufcontent[1], @/) call Incsearch_cleanup() endfunc @@ -115,16 +109,14 @@ index 60152f602..89ca6e131 100644 + set t_PE= + exe "norm /\x80PS" +endfunc -diff --git a/src/version.c b/src/version.c -index 6685b554f537..9dcf34928f8d 100644 --- a/src/version.c +++ b/src/version.c -@@ -795,6 +795,8 @@ static char *(features[]) = - 805, +@@ -796,6 +796,8 @@ static int included_patches[] = /**/ 5024, -+/**/ -+ 4218, /**/ ++ 4218, ++/**/ 4214, /**/ + 4152, diff --git a/debian/patches/CVE-2022-0408.patch b/debian/patches/CVE-2022-0408.patch index dc496c3..c3b596e 100644 --- a/debian/patches/CVE-2022-0408.patch +++ b/debian/patches/CVE-2022-0408.patch @@ -8,8 +8,6 @@ Origin: https://github.com/vim/vim/commit/06f15416bb8d5636200a10776f1752c4d6e49f src/testdir/test_spell.vim | 10 ++++++++++ 2 files changed, 25 insertions(+), 2 deletions(-) -diff --git a/src/spell.c b/src/spell.c -index 05756eb..758a12e 100644 --- a/src/spell.c +++ b/src/spell.c @@ -4191,7 +4191,7 @@ suggest_try_change(suginfo_T *su) @@ -64,8 +62,6 @@ index 05756eb..758a12e 100644 } } } -diff --git a/src/testdir/test_spell.vim b/src/testdir/test_spell.vim -index 6fccc0e..0a7d8d4 100644 --- a/src/testdir/test_spell.vim +++ b/src/testdir/test_spell.vim @@ -388,6 +388,16 @@ func Test_zeq_crash() diff --git a/debian/patches/CVE-2022-0413.patch b/debian/patches/CVE-2022-0413.patch index f3daa2e..208446b 100644 --- a/debian/patches/CVE-2022-0413.patch +++ b/debian/patches/CVE-2022-0413.patch @@ -8,8 +8,6 @@ Origin: https://github.com/vim/vim/commit/37f47958b8a2a44abc60614271d9537e7f14e5 src/testdir/test_substitute.vim | 17 +++++++++++++++++ 2 files changed, 32 insertions(+), 4 deletions(-) -diff --git a/src/ex_cmds.c b/src/ex_cmds.c -index b18f58c..5ad8913 100644 --- a/src/ex_cmds.c +++ b/src/ex_cmds.c @@ -4857,6 +4857,7 @@ do_sub(exarg_T *eap) @@ -53,8 +51,6 @@ index b18f58c..5ad8913 100644 /* Restore the flag values, they can be used for ":&&". */ subflags.do_all = save_do_all; -diff --git a/src/testdir/test_substitute.vim b/src/testdir/test_substitute.vim -index d84daa7..c1e8f30 100644 --- a/src/testdir/test_substitute.vim +++ b/src/testdir/test_substitute.vim @@ -500,3 +500,20 @@ func Test_sub_cmd_8() diff --git a/debian/patches/CVE-2022-0417.patch b/debian/patches/CVE-2022-0417.patch index d5a99e0..0229c69 100644 --- a/debian/patches/CVE-2022-0417.patch +++ b/debian/patches/CVE-2022-0417.patch @@ -9,8 +9,6 @@ Origin: https://github.com/vim/vim/commit/652dee448618589de5528a9e9a36995803f555 src/vim.h | 2 ++ 3 files changed, 13 insertions(+), 7 deletions(-) -diff --git a/src/option.c b/src/option.c -index 12d903f..f7643eb 100644 --- a/src/option.c +++ b/src/option.c @@ -9371,6 +9371,11 @@ set_num_option( @@ -60,8 +58,6 @@ index 12d903f..f7643eb 100644 #endif } -diff --git a/src/testdir/test_options.vim b/src/testdir/test_options.vim -index 83b315d..50aae7c 100644 --- a/src/testdir/test_options.vim +++ b/src/testdir/test_options.vim @@ -234,6 +234,8 @@ func Test_set_errors() @@ -73,8 +69,6 @@ index 83b315d..50aae7c 100644 call assert_fails('set textwidth=-1', 'E487:') call assert_fails('set timeoutlen=-1', 'E487:') call assert_fails('set updatecount=-1', 'E487:') -diff --git a/src/vim.h b/src/vim.h -index 7ee164a..dfc96bc 100644 --- a/src/vim.h +++ b/src/vim.h @@ -1988,6 +1988,8 @@ typedef int sock_T; diff --git a/debian/patches/CVE-2022-0443.patch b/debian/patches/CVE-2022-0443.patch index fdf2329..aad8d0e 100644 --- a/debian/patches/CVE-2022-0443.patch +++ b/debian/patches/CVE-2022-0443.patch @@ -8,8 +8,6 @@ Origin: https://github.com/vim/vim/commit/9b4a80a66544f2782040b641498754bcb5b8d4 src/testdir/test_quickfix.vim | 16 ++++++++++++++++ 2 files changed, 26 insertions(+), 5 deletions(-) -diff --git a/src/buffer.c b/src/buffer.c -index 590a63c..4cac106 100644 --- a/src/buffer.c +++ b/src/buffer.c @@ -1627,6 +1627,7 @@ set_curbuf(buf_T *buf, int action) @@ -53,8 +51,6 @@ index 590a63c..4cac106 100644 clear_string_option(&buf->b_p_vts); VIM_CLEAR(buf->b_p_vts_array); #endif -diff --git a/src/testdir/test_quickfix.vim b/src/testdir/test_quickfix.vim -index e7aa41e..8668224 100644 --- a/src/testdir/test_quickfix.vim +++ b/src/testdir/test_quickfix.vim @@ -3899,3 +3899,19 @@ func Test_viscol() diff --git a/debian/patches/CVE-2022-0554.patch b/debian/patches/CVE-2022-0554.patch index ac5038e..9599a1b 100644 --- a/debian/patches/CVE-2022-0554.patch +++ b/debian/patches/CVE-2022-0554.patch @@ -8,8 +8,6 @@ Origin: https://github.com/vim/vim/commit/e3537aec2f8d6470010547af28dcbd83d41461 src/testdir/test_quickfix.vim | 25 +++++++++++++++++++++++++ 2 files changed, 47 insertions(+), 4 deletions(-) -diff --git a/src/buffer.c b/src/buffer.c -index 4cac106..912ace9 100644 --- a/src/buffer.c +++ b/src/buffer.c @@ -1471,8 +1471,14 @@ do_buffer( diff --git a/debian/patches/CVE-2022-0572.patch b/debian/patches/CVE-2022-0572.patch index 0121992..ba05e16 100644 --- a/debian/patches/CVE-2022-0572.patch +++ b/debian/patches/CVE-2022-0572.patch @@ -8,8 +8,6 @@ Origin: https://github.com/vim/vim/commit/6e28703a8e41f775f64e442c5d11ce1ff599aa src/testdir/test_retab.vim | 19 +++++++++++++++++++ 2 files changed, 23 insertions(+) -diff --git a/src/ex_cmds.c b/src/ex_cmds.c -index 5ad8913..b3be24e 100644 --- a/src/ex_cmds.c +++ b/src/ex_cmds.c @@ -821,6 +821,10 @@ ex_retab(exarg_T *eap) diff --git a/debian/patches/CVE-2022-0629.patch b/debian/patches/CVE-2022-0629.patch index b3348ef..7c32714 100644 --- a/debian/patches/CVE-2022-0629.patch +++ b/debian/patches/CVE-2022-0629.patch @@ -12,8 +12,6 @@ Solution: Use mb_cptr2char_adv() instead of mb_ptr2char_adv(). src/version.c | 2 ++ 3 files changed, 11 insertions(+), 1 deletion(-) -diff --git a/src/testdir/test_assert.vim b/src/testdir/test_assert.vim -index 8987f3f8dfcd..27b2d73fbfc8 100644 --- a/src/testdir/test_assert.vim +++ b/src/testdir/test_assert.vim @@ -35,6 +35,14 @@ func Test_assert_equal() @@ -31,11 +29,9 @@ index 8987f3f8dfcd..27b2d73fbfc8 100644 endfunc func Test_assert_equalfile() -diff --git a/src/testing.c b/src/testing.c -index 448c01c1e964..48ba14d2cafd 100644 --- a/src/eval.c +++ b/src/eval.c -@@ -101,7 +101,7 @@ ga_concat_shorten_esc(garray_T *gap, char_u *str) +@@ -9558,7 +9558,7 @@ ga_concat_shorten_esc(garray_T *gap, cha { same_len = 1; s = p; @@ -44,16 +40,14 @@ index 448c01c1e964..48ba14d2cafd 100644 clen = s - p; while (*s != NUL && c == mb_ptr2char(s)) { -diff --git a/src/version.c b/src/version.c -index fb1b8476e1a6..b4983661cadc 100644 --- a/src/version.c +++ b/src/version.c -@@ -795,6 +795,8 @@ static char *(features[]) = - 805, +@@ -796,6 +796,8 @@ static int included_patches[] = /**/ 5024, -+/**/ -+ 4397, /**/ ++ 4397, ++/**/ 4218, /**/ + 4214, diff --git a/debian/patches/CVE-2022-0685.patch b/debian/patches/CVE-2022-0685.patch index 14e5210..054765b 100644 --- a/debian/patches/CVE-2022-0685.patch +++ b/debian/patches/CVE-2022-0685.patch @@ -10,25 +10,21 @@ Origin: https://github.com/vim/vim/commit/5921aeb5741fc6e84c870d68c7c35b93ad0c9f src/version.c | 2 ++ 4 files changed, 18 insertions(+), 1 deletion(-) -diff --git a/src/charset.c b/src/charset.c -index 1fbbaee..427686d 100644 --- a/src/charset.c +++ b/src/charset.c -@@ -1672,6 +1672,12 @@ vim_isupper(int c) - return isupper(c); +@@ -1673,6 +1673,12 @@ vim_isupper(int c) } -+ int + int +vim_isalpha(int c) +{ + return vim_islower(c) || vim_isupper(c); +} + - int ++ int vim_toupper(int c) { -diff --git a/src/proto/charset.pro b/src/proto/charset.pro -index bb4132f..c078ff6 100644 + if (c <= '@') --- a/src/proto/charset.pro +++ b/src/proto/charset.pro @@ -48,6 +48,7 @@ int vim_isxdigit(int c); diff --git a/debian/patches/CVE-2022-0696.patch b/debian/patches/CVE-2022-0696.patch index 0e1491e..95ee4cd 100644 --- a/debian/patches/CVE-2022-0696.patch +++ b/debian/patches/CVE-2022-0696.patch @@ -18,21 +18,17 @@ Backport: Since the old version dosn't do command line completion correctly, those parts are dropped and we only forbid switching the tab page. -diff --git a/src/version.c b/src/version.c -index c5f5c22f90ac..777476d80dce 100644 --- a/src/version.c +++ b/src/version.c -@@ -795,6 +795,8 @@ static char *(features[]) = - 805, +@@ -796,6 +796,8 @@ static int included_patches[] = /**/ 5024, -+/**/ -+ 4428, /**/ ++ 4428, ++/**/ 4397, /**/ -diff --git a/src/window.c b/src/window.c -index 1f5e7096047c..b00ed977fc04 100644 + 4218, --- a/src/window.c +++ b/src/window.c @@ -3656,6 +3656,14 @@ win_new_tabpage(int after) diff --git a/debian/patches/CVE-2022-0714.patch b/debian/patches/CVE-2022-0714.patch index 1b86d51..459f7fd 100644 --- a/debian/patches/CVE-2022-0714.patch +++ b/debian/patches/CVE-2022-0714.patch @@ -7,8 +7,6 @@ Origin: https://github.com/vim/vim/commit/4e889f98e95ac05d7c8bd3ee933ab4d47820fd src/edit.c | 2 ++ 1 file changed, 2 insertions(+) -diff --git a/src/edit.c b/src/edit.c -index eac4803..df84631 100644 --- a/src/edit.c +++ b/src/edit.c @@ -2113,6 +2113,8 @@ change_indent( diff --git a/debian/patches/CVE-2022-0729.patch b/debian/patches/CVE-2022-0729.patch index 7333268..79c810a 100644 --- a/debian/patches/CVE-2022-0729.patch +++ b/debian/patches/CVE-2022-0729.patch @@ -8,8 +8,6 @@ Origin: https://github.com/vim/vim/commit/6456fae9ba8e72c74b2c0c499eaf09974604ff src/testdir/test_regexp_utf8.vim | 8 ++++++++ 2 files changed, 13 insertions(+) -diff --git a/src/regexp.c b/src/regexp.c -index 6ad928d..33414ce 100644 --- a/src/regexp.c +++ b/src/regexp.c @@ -5575,6 +5575,11 @@ regmatch( @@ -24,8 +22,6 @@ index 6ad928d..33414ce 100644 --rex.lnum; rex.line = reg_getline(rex.lnum); /* Just in case regrepeat() didn't count -diff --git a/src/testdir/test_regexp_utf8.vim b/src/testdir/test_regexp_utf8.vim -index 75485dc..378bc21 100644 --- a/src/testdir/test_regexp_utf8.vim +++ b/src/testdir/test_regexp_utf8.vim @@ -215,4 +215,12 @@ func Test_match_invalid_byte() diff --git a/debian/patches/CVE-2022-0943.patch b/debian/patches/CVE-2022-0943.patch index b4870dc..b9851cd 100644 --- a/debian/patches/CVE-2022-0943.patch +++ b/debian/patches/CVE-2022-0943.patch @@ -8,8 +8,6 @@ Origin: https://github.com/vim/vim/commit/5c68617d395f9d7b824f68475b24ce3e38d653 src/testdir/test_spell.vim | 17 +++++++++++++++++ 2 files changed, 21 insertions(+) -diff --git a/src/spell.c b/src/spell.c -index 758a12e..2d36953 100644 --- a/src/spell.c +++ b/src/spell.c @@ -3259,6 +3259,10 @@ spell_suggest(int count) @@ -23,8 +21,6 @@ index 758a12e..2d36953 100644 } /* Find the start of the badly spelled word. */ else if (spell_move_to(curwin, FORWARD, TRUE, TRUE, NULL) == 0 -diff --git a/src/testdir/test_spell.vim b/src/testdir/test_spell.vim -index 0a7d8d4..50e2d54 100644 --- a/src/testdir/test_spell.vim +++ b/src/testdir/test_spell.vim @@ -126,6 +126,23 @@ func Test_spellreall() diff --git a/debian/patches/CVE-2022-1154.patch b/debian/patches/CVE-2022-1154.patch index 42799a0..99b4175 100644 --- a/debian/patches/CVE-2022-1154.patch +++ b/debian/patches/CVE-2022-1154.patch @@ -8,8 +8,6 @@ Origin: https://github.com/vim/vim/commit/b55986c52d4cd88a22d0b0b0e8a79547ba13e1 src/testdir/test_regexp_latin.vim | 14 ++++++++++++++ 2 files changed, 22 insertions(+) -diff --git a/src/regexp.c b/src/regexp.c -index 33414ce..4345df9 100644 --- a/src/regexp.c +++ b/src/regexp.c @@ -4322,8 +4322,16 @@ regmatch( diff --git a/debian/patches/CVE-2022-1616.patch b/debian/patches/CVE-2022-1616.patch index 85a2ed0..512bf5e 100644 --- a/debian/patches/CVE-2022-1616.patch +++ b/debian/patches/CVE-2022-1616.patch @@ -8,8 +8,6 @@ Origin: https://github.com/vim/vim/commit/d88934406c5375d88f8f1b65331c9f0cab68cc src/testdir/test_cmdline.vim | 12 ++++++++++++ 2 files changed, 15 insertions(+), 1 deletion(-) -diff --git a/src/ex_docmd.c b/src/ex_docmd.c -index 1dfa95d..bb8d719 100644 --- a/src/ex_docmd.c +++ b/src/ex_docmd.c @@ -3116,7 +3116,7 @@ append_command(char_u *cmd) @@ -30,8 +28,6 @@ index 1dfa95d..bb8d719 100644 else MB_COPY_CHAR(s, d); } -diff --git a/src/testdir/test_cmdline.vim b/src/testdir/test_cmdline.vim -index 02eeb6b..46f18dc 100644 --- a/src/testdir/test_cmdline.vim +++ b/src/testdir/test_cmdline.vim @@ -609,4 +609,16 @@ func Test_cmdline_overstrike() diff --git a/debian/patches/CVE-2022-1619.patch b/debian/patches/CVE-2022-1619.patch index 121a1b7..1015395 100644 --- a/debian/patches/CVE-2022-1619.patch +++ b/debian/patches/CVE-2022-1619.patch @@ -13,11 +13,9 @@ Solution: Check already being at the start of the command line. src/version.c | 2 ++ 3 files changed, 12 insertions(+), 4 deletions(-) -diff --git a/src/ex_getln.c b/src/ex_getln.c -index a97024b35171..7020f5143a01 100644 --- a/src/ex_getln.c +++ b/src/ex_getln.c -@@ -1635,10 +1635,13 @@ +@@ -1635,10 +1635,13 @@ getcmdline_int( { while (p > ccline.cmdbuff && vim_isspace(p[-1])) --p; @@ -35,15 +33,12 @@ index a97024b35171..7020f5143a01 100644 } else --p; -diff --git a/src/testdir/test_cmdline.vim b/src/testdir/test_cmdline.vim -index 474638fb00d6..5a849f77f755 100644 --- a/src/testdir/test_cmdline.vim +++ b/src/testdir/test_cmdline.vim -@@ -641,6 +641,19 @@ - let &lines = lines +@@ -642,5 +642,18 @@ func Test_cmdwin_split_often() let &columns = columns endfunc -+ + +func Test_cmdline_remove_char() + let encoding_save = &encoding + @@ -56,19 +51,17 @@ index 474638fb00d6..5a849f77f755 100644 + + let &encoding = encoding_save +endfunc - - ++ + set cpo& -diff --git a/src/version.c b/src/version.c -index 201d26f06eb9..05888c722e8e 100644 --- a/src/version.c +++ b/src/version.c -@@ -795,6 +795,8 @@ static char *(features[]) = - 805, +@@ -796,6 +796,8 @@ static int included_patches[] = /**/ 5024, -+/**/ -+ 4899, /**/ ++ 4899, ++/**/ 4428, /**/ + 4397, diff --git a/debian/patches/CVE-2022-1621.patch b/debian/patches/CVE-2022-1621.patch index 29f8532..62b4eec 100644 --- a/debian/patches/CVE-2022-1621.patch +++ b/debian/patches/CVE-2022-1621.patch @@ -26,11 +26,9 @@ Solution: Remove the test. src/version.c | 2 ++ 2 files changed, 2 insertions(+), 8 deletions(-) -diff --git a/src/mbyte.c b/src/mbyte.c -index 2b7f9991ae14..a01a05140207 100644 --- a/src/mbyte.c +++ b/src/mbyte.c -@@ -4047,7 +4047,7 @@ utf_find_illegal(void) +@@ -4047,7 +4047,7 @@ theend: convert_setup(&vimconv, NULL, NULL); } @@ -39,8 +37,6 @@ index 2b7f9991ae14..a01a05140207 100644 /* * Return TRUE if string "s" is a valid utf-8 string. * When "end" is NULL stop at the first NUL. -diff --git a/src/spellfile.c b/src/spellfile.c -index 22cf82da0872..f0d6d96a47f0 100644 --- a/src/spellfile.c +++ b/src/spellfile.c @@ -4361,6 +4361,10 @@ store_word( @@ -67,11 +63,9 @@ index 22cf82da0872..f0d6d96a47f0 100644 if (idx == 0) /* use internal wordlist */ { if (int_wordlist == NULL) -diff --git a/src/testdir/test_spell_utf8.vim b/src/testdir/test_spell_utf8.vim -index 79dc3e4a4a62..17fa23555818 100644 --- a/src/testdir/test_spell.vim +++ b/src/testdir/test_spell.vim -@@ -476,16 +476,6 @@ +@@ -476,16 +476,6 @@ func RunGoodBad(good, bad, expected_word bwipe! endfunc @@ -88,27 +82,25 @@ index 79dc3e4a4a62..17fa23555818 100644 let g:test_data_aff1 = [ \"SET ISO8859-1", \"TRY esianrtolcdugmphbyfvkwjkqxz-\xEB\xE9\xE8\xEA\xEF\xEE\xE4\xE0\xE2\xF6\xFC\xFB'ESIANRTOLCDUGMPHBYFVKWJKQXZ", -@@ -936,3 +926,8 @@ +@@ -936,3 +926,8 @@ let g:test_data_aff_sal = [ \"SAL Z S", \ ] - + +" Invalid bytes may cause trouble when creating the word list. +func Test_check_for_valid_word() + call assert_fails("spellgood! 0\xac", 'E1280:') +endfunc + -diff --git a/src/version.c b/src/version.c -index f949dd6d7ed0..c4f5655bf6c2 100644 --- a/src/version.c +++ b/src/version.c -@@ -795,6 +795,10 @@ static char *(features[]) = - 805, +@@ -796,6 +796,10 @@ static int included_patches[] = /**/ 5024, -+/**/ + /**/ + 4921, +/**/ + 4919, - /**/ ++/**/ 4899, /**/ + 4428, diff --git a/debian/patches/CVE-2022-1720.patch b/debian/patches/CVE-2022-1720.patch index 80855fb..71479e0 100644 --- a/debian/patches/CVE-2022-1720.patch +++ b/debian/patches/CVE-2022-1720.patch @@ -7,8 +7,6 @@ Origin: https://github.com/vim/vim/commit/395bd1f6d3edc9f7edb5d1f2d7deaf5a9e3ab9 src/normal.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) -diff --git a/src/normal.c b/src/normal.c -index 2c36c15..ebda136 100644 --- a/src/normal.c +++ b/src/normal.c @@ -5777,9 +5777,17 @@ get_visual_text( diff --git a/debian/patches/CVE-2022-1785.patch b/debian/patches/CVE-2022-1785.patch index 1d3817f..d3789a3 100644 --- a/debian/patches/CVE-2022-1785.patch +++ b/debian/patches/CVE-2022-1785.patch @@ -15,11 +15,9 @@ Solution: Disallow changing window in substitute expression. Backport: Use textlock instead of textwinlock. In this version, textwinlock wasn't yet split out from textlock and it'll get merged back later. -diff --git a/src/ex_cmds.c b/src/ex_cmds.c -index 7e730becb48f..210e21fe7a5b 100644 --- a/src/ex_cmds.c +++ b/src/ex_cmds.c -@@ -5576,12 +5576,17 @@ ex_substitute(exarg_T *eap) +@@ -5576,12 +5576,17 @@ do_sub(exarg_T *eap) /* Save flags for recursion. They can change for e.g. * :s/^/\=execute("s#^##gn") */ subflags_save = subflags; @@ -37,7 +35,7 @@ index 7e730becb48f..210e21fe7a5b 100644 /* Don't keep flags set by a recursive call. */ subflags = subflags_save; if (subflags.do_count) -@@ -5670,9 +5675,15 @@ ex_substitute(exarg_T *eap) +@@ -5670,9 +5675,15 @@ do_sub(exarg_T *eap) mch_memmove(new_end, sub_firstline + copycol, (size_t)copy_len); new_end += copy_len; @@ -53,8 +51,6 @@ index 7e730becb48f..210e21fe7a5b 100644 sub_nsubs++; did_sub = TRUE; -diff --git a/src/testdir/test_substitute.vim b/src/testdir/test_substitute.vim -index f3fd7ab1ce77..a1c324ed8d20 100644 --- a/src/testdir/test_substitute.vim +++ b/src/testdir/test_substitute.vim @@ -517,3 +517,16 @@ func Test_using_old_sub() @@ -74,16 +70,14 @@ index f3fd7ab1ce77..a1c324ed8d20 100644 + delfunc Repl +endfunc + -diff --git a/src/version.c b/src/version.c -index 4c63ea0771ad..782642b5d5a1 100644 --- a/src/version.c +++ b/src/version.c -@@ -795,6 +795,8 @@ static char *(features[]) = - 805, +@@ -796,6 +796,8 @@ static int included_patches[] = /**/ 5024, -+/**/ -+ 4977, /**/ ++ 4977, ++/**/ 4921, /**/ + 4919, diff --git a/debian/patches/CVE-2022-1851.patch b/debian/patches/CVE-2022-1851.patch index 1b84df9..d129df1 100644 --- a/debian/patches/CVE-2022-1851.patch +++ b/debian/patches/CVE-2022-1851.patch @@ -8,8 +8,6 @@ Origin: https://github.com/vim/vim/commit/78d52883e10d71f23ab72a3d8b9733b00da8c9 src/testdir/test_textformat.vim | 12 ++++++++++++ 2 files changed, 15 insertions(+) -diff --git a/src/ops.c b/src/ops.c -index 4c81922..84b5f90 100644 --- a/src/ops.c +++ b/src/ops.c @@ -4778,6 +4778,9 @@ op_format( @@ -22,8 +20,6 @@ index 4c81922..84b5f90 100644 } if (oap->is_VIsual) -diff --git a/src/testdir/test_textformat.vim b/src/testdir/test_textformat.vim -index 13fb50b..508e18b 100644 --- a/src/testdir/test_textformat.vim +++ b/src/testdir/test_textformat.vim @@ -489,3 +489,15 @@ func Test_format_list_auto() diff --git a/debian/patches/CVE-2022-1897.patch b/debian/patches/CVE-2022-1897.patch index 1a44481..e14fb46 100644 --- a/debian/patches/CVE-2022-1897.patch +++ b/debian/patches/CVE-2022-1897.patch @@ -12,15 +12,12 @@ Solution: Disallow undo when in a substitute command. src/version.c | 2 ++ 4 files changed, 51 insertions(+), 21 deletions(-) -diff --git a/src/normal.c b/src/normal.c -index bc3e29e1abaa..53c50dc8b368 100644 --- a/src/normal.c +++ b/src/normal.c -@@ -514,6 +514,22 @@ find_command(int cmdchar) - return idx; +@@ -515,6 +515,22 @@ find_command(int cmdchar) } -+/* + /* + * If currently editing a cmdline or text is locked: beep and give an error + * message, return TRUE. + */ @@ -36,10 +33,11 @@ index bc3e29e1abaa..53c50dc8b368 100644 + return FALSE; +} + - /* ++/* * Execute a command in Normal mode. */ -@@ -775,14 +791,9 @@ normal_cmd( + void +@@ -775,14 +791,9 @@ getcount: goto normal_end; } @@ -57,7 +55,7 @@ index bc3e29e1abaa..53c50dc8b368 100644 goto normal_end; /* -@@ -6164,12 +6175,8 @@ nv_gotofile(cmdarg_T *cap) +@@ -6162,12 +6173,8 @@ nv_gotofile(cmdarg_T *cap) char_u *ptr; linenr_T lnum = -1; @@ -71,7 +69,7 @@ index bc3e29e1abaa..53c50dc8b368 100644 if (curbuf_locked()) { clearop(cap->oap); -@@ -8330,14 +8337,7 @@ nv_g_cmd(cmdarg_T *cap) +@@ -8328,14 +8335,7 @@ nv_g_cmd(cmdarg_T *cap) /* "gQ": improved Ex mode */ case 'Q': @@ -87,8 +85,6 @@ index bc3e29e1abaa..53c50dc8b368 100644 do_exmode(TRUE); break; -diff --git a/src/testdir/test_substitute.vim b/src/testdir/test_substitute.vim -index a1c324ed8d20..c8df09f4ec1e 100644 --- a/src/testdir/test_substitute.vim +++ b/src/testdir/test_substitute.vim @@ -530,3 +530,25 @@ func Test_sub_change_window() @@ -117,8 +113,6 @@ index a1c324ed8d20..c8df09f4ec1e 100644 + delfunc Repl +endfunc + -diff --git a/src/undo.c b/src/undo.c -index cac09f0f58df..81cc28e8b801 100644 --- a/src/undo.c +++ b/src/undo.c @@ -2278,6 +2278,12 @@ undo_time( @@ -134,16 +128,14 @@ index cac09f0f58df..81cc28e8b801 100644 /* First make sure the current undoable change is synced. */ if (curbuf->b_u_synced == FALSE) u_sync(TRUE); -diff --git a/src/version.c b/src/version.c -index 9751865c7adf..cd6c33162204 100644 --- a/src/version.c +++ b/src/version.c -@@ -795,6 +795,8 @@ static char *(features[]) = - 805, +@@ -796,6 +796,8 @@ static int included_patches[] = /**/ 5024, -+/**/ -+ 5023, /**/ ++ 5023, ++/**/ 4977, /**/ + 4921, diff --git a/debian/patches/CVE-2022-1898.patch b/debian/patches/CVE-2022-1898.patch index c5817ba..60ca549 100644 --- a/debian/patches/CVE-2022-1898.patch +++ b/debian/patches/CVE-2022-1898.patch @@ -9,8 +9,6 @@ Origin: https://github.com/vim/vim/commit/e2fa213cf571041dbd04ab0329303ffdc98067 src/version.c | 2 ++ 3 files changed, 14 insertions(+) -diff --git a/src/normal.c b/src/normal.c -index ebda136..c3b6897 100644 --- a/src/normal.c +++ b/src/normal.c @@ -6426,6 +6426,11 @@ nv_brackets(cmdarg_T *cap) @@ -33,8 +31,6 @@ index ebda136..c3b6897 100644 curwin->w_set_curswant = TRUE; } } -diff --git a/src/testdir/test_tagjump.vim b/src/testdir/test_tagjump.vim -index ae47a69..da4af2f 100644 --- a/src/testdir/test_tagjump.vim +++ b/src/testdir/test_tagjump.vim @@ -255,6 +255,12 @@ func Test_tagjump_etags() @@ -50,16 +46,14 @@ index ae47a69..da4af2f 100644 endfunc " Test for getting and modifying the tag stack -diff --git a/src/version.c b/src/version.c -index 586e9ca..cd174b0 100644 --- a/src/version.c +++ b/src/version.c -@@ -791,6 +791,8 @@ static char *(features[]) = - +@@ -792,6 +792,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ -+/**/ -+ 5024, /**/ ++ 5024, ++/**/ 4214, /**/ + 4120, diff --git a/debian/patches/CVE-2022-1942.patch b/debian/patches/CVE-2022-1942.patch index e2f5b9c..7b91963 100644 --- a/debian/patches/CVE-2022-1942.patch +++ b/debian/patches/CVE-2022-1942.patch @@ -20,8 +20,6 @@ Backport: Drop test case, because the expected E565 was only introduced in 8.2.0670 and the testcase does not otherwise fail or issue messages in valgrind. -diff --git a/src/buffer.c b/src/buffer.c -index efec431c822d..e775398d0294 100644 --- a/src/buffer.c +++ b/src/buffer.c @@ -2297,12 +2297,7 @@ buflist_getfile( @@ -38,15 +36,12 @@ index efec431c822d..e775398d0294 100644 return FAIL; /* altfpos may be changed by getfile(), get it now */ -diff --git a/src/ex_getln.c b/src/ex_getln.c -index 9dadfbf2fabe..623bd1d4984a 100644 --- a/src/ex_getln.c +++ b/src/ex_getln.c -@@ -2589,6 +2589,21 @@ get_text_locked_msg(void) - return e_secure; +@@ -2590,6 +2590,21 @@ get_text_locked_msg(void) } -+/* + /* + * Check for text, window or buffer locked. + * Give an error message and return TRUE if something is locked. + */ @@ -61,9 +56,10 @@ index 9dadfbf2fabe..623bd1d4984a 100644 + return curbuf_locked(); +} + - /* ++/* * Check if "curbuf_lock" or "allbuf_lock" is set and return TRUE when it is * and give an error message. + */ @@ -7188,6 +7203,10 @@ open_cmdwin(void) int save_KeyTyped; #endif @@ -75,11 +71,9 @@ index 9dadfbf2fabe..623bd1d4984a 100644 /* Can't do this recursively. Can't do it when typing a password. */ if (cmdwin_type != 0 # if defined(FEAT_CRYPT) || defined(FEAT_EVAL) -diff --git a/src/proto/ex_getln.pro b/src/proto/ex_getln.pro -index 8c8bd0ebd4cd..bcc310c7dd0e 100644 --- a/src/proto/ex_getln.pro +++ b/src/proto/ex_getln.pro -@@ -5,6 +5,7 @@ +@@ -5,6 +5,7 @@ char_u *getcmdline_prompt(int firstc, ch int text_locked(void); void text_locked_msg(void); char *get_text_locked_msg(void); @@ -87,27 +81,23 @@ index 8c8bd0ebd4cd..bcc310c7dd0e 100644 int curbuf_locked(void); int allbuf_locked(void); char_u *getexline(int c, void *cookie, int indent); -diff --git a/src/version.c b/src/version.c -index 18a1fdb41cb6..a15bb3ed8d6a 100644 --- a/src/version.c +++ b/src/version.c -@@ -791,6 +791,8 @@ static char *(features[]) = - +@@ -792,6 +792,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ -+/**/ -+ 5043, /**/ ++ 5043, ++/**/ 805, /**/ -diff --git a/src/window.c b/src/window.c -index f2913d4a76ef..9b5ac97286cd 100644 + 5024, --- a/src/window.c +++ b/src/window.c @@ -4173,14 +4173,11 @@ win_goto(win_T *wp) win_T *owp = curwin; #endif - + - if (text_locked()) + if (text_or_buf_locked()) { diff --git a/debian/patches/CVE-2022-2000.patch b/debian/patches/CVE-2022-2000.patch index 7f1a1e6..e3fa6e2 100644 --- a/debian/patches/CVE-2022-2000.patch +++ b/debian/patches/CVE-2022-2000.patch @@ -12,11 +12,9 @@ Solution: Truncate the message. src/version.c | 2 ++ 3 files changed, 17 insertions(+), 2 deletions(-) -diff --git a/src/ex_docmd.c b/src/ex_docmd.c -index cfb40e8d5cfa..634a1bcef566 100644 --- a/src/ex_docmd.c +++ b/src/ex_docmd.c -@@ -3111,9 +3111,17 @@ parse_cmd_address(exarg_T *eap, char **errormsg, int silent) +@@ -3111,9 +3111,17 @@ checkforcmd( static void append_command(char_u *cmd) { @@ -36,13 +34,11 @@ index cfb40e8d5cfa..634a1bcef566 100644 STRCAT(IObuff, ": "); d = IObuff + STRLEN(IObuff); while (*s != NUL && d - IObuff + 5 < IOSIZE) -diff --git a/src/testdir/test_cmdline.vim b/src/testdir/test_cmdline.vim -index 77965b3f65a3..2289c343e9f8 100644 --- a/src/testdir/test_cmdline.vim +++ b/src/testdir/test_cmdline.vim -@@ -657,3 +657,9 @@ - - +@@ -657,3 +657,9 @@ endfunc + + set cpo& + +func Test_long_error_message() @@ -50,16 +46,14 @@ index 77965b3f65a3..2289c343e9f8 100644 + silent! norm Q00000000000000 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 +endfunc + -diff --git a/src/version.c b/src/version.c -index 542028606dde..dd585c81afe9 100644 --- a/src/version.c +++ b/src/version.c -@@ -791,6 +791,8 @@ static char *(features[]) = - +@@ -792,6 +792,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ -+/**/ -+ 5063, /**/ ++ 5063, ++/**/ 5043, /**/ + 805, diff --git a/debian/patches/CVE-2022-2129.patch b/debian/patches/CVE-2022-2129.patch index 70bdd57..96e8d05 100644 --- a/debian/patches/CVE-2022-2129.patch +++ b/debian/patches/CVE-2022-2129.patch @@ -11,8 +11,6 @@ Solution: Disallow switching buffers in a substitute expression. src/version.c | 2 ++ 3 files changed, 19 insertions(+), 3 deletions(-) -diff --git a/src/ex_docmd.c b/src/ex_docmd.c -index fed9330b52e9..1185cd1550a6 100644 --- a/src/ex_docmd.c +++ b/src/ex_docmd.c @@ -8778,9 +8778,10 @@ do_exedit( @@ -29,11 +27,9 @@ index fed9330b52e9..1185cd1550a6 100644 return; n = readonlymode; -diff --git a/src/testdir/test_substitute.vim b/src/testdir/test_substitute.vim -index 46ea95513192..c056fa965692 100644 --- a/src/testdir/test_substitute.vim +++ b/src/testdir/test_substitute.vim -@@ -552,3 +552,16 @@ +@@ -552,3 +552,16 @@ func Test_sub_undo_change() delfunc Repl endfunc @@ -50,16 +46,14 @@ index 46ea95513192..c056fa965692 100644 + bwipe! +endfunc + -diff --git a/src/version.c b/src/version.c -index 82ac4eaf2dd9..2f397ae315f7 100644 --- a/src/version.c +++ b/src/version.c -@@ -791,6 +791,8 @@ static char *(features[]) = - +@@ -792,6 +792,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ -+/**/ -+ 5126, /**/ ++ 5126, ++/**/ 5063, /**/ + 5043, diff --git a/debian/patches/CVE-2022-2285.patch b/debian/patches/CVE-2022-2285.patch index 5105f02..db103c6 100644 --- a/debian/patches/CVE-2022-2285.patch +++ b/debian/patches/CVE-2022-2285.patch @@ -8,8 +8,6 @@ Origin: https://github.com/vim/vim/commit/27efc62f5d86afcb2ecb7565587fe8dea4b036 src/testdir/test_mapping.vim | 10 ++++++++++ 2 files changed, 11 insertions(+) -diff --git a/src/term.c b/src/term.c -index 47d2bda..bc46ed9 100644 --- a/src/term.c +++ b/src/term.c @@ -4440,6 +4440,7 @@ check_termcode( @@ -20,8 +18,6 @@ index 47d2bda..bc46ed9 100644 key_name[0] = NUL; /* no key name found yet */ key_name[1] = NUL; /* no key name found yet */ modifiers = 0; /* no modifiers yet */ -diff --git a/src/testdir/test_mapping.vim b/src/testdir/test_mapping.vim -index c454fc0..3c81bb5 100644 --- a/src/testdir/test_mapping.vim +++ b/src/testdir/test_mapping.vim @@ -318,3 +318,13 @@ func Test_motionforce_omap() diff --git a/debian/patches/CVE-2022-2304.patch b/debian/patches/CVE-2022-2304.patch index a76927d..4ba628d 100644 --- a/debian/patches/CVE-2022-2304.patch +++ b/debian/patches/CVE-2022-2304.patch @@ -8,8 +8,6 @@ Origin: https://github.com/vim/vim/commit/54e5fed6d27b747ff152cdb6edfb72ff60e709 src/testdir/test_spell.vim | 14 ++++++++++++++ 2 files changed, 17 insertions(+), 2 deletions(-) -diff --git a/src/spell.c b/src/spell.c -index 2d36953..3d9e7c8 100644 --- a/src/spell.c +++ b/src/spell.c @@ -8505,9 +8505,10 @@ spell_dump_compl( @@ -25,8 +23,6 @@ index 2d36953..3d9e7c8 100644 * Don't use keep-case words in the fold-case tree, * they will appear in the keep-case tree. * Only use the word when the region matches. */ -diff --git a/src/testdir/test_spell.vim b/src/testdir/test_spell.vim -index 50e2d54..afbb6d8 100644 --- a/src/testdir/test_spell.vim +++ b/src/testdir/test_spell.vim @@ -260,6 +260,19 @@ func Test_zz_compound() diff --git a/debian/patches/CVE-2022-2598.patch b/debian/patches/CVE-2022-2598.patch index d7732d4..a4d6886 100644 --- a/debian/patches/CVE-2022-2598.patch +++ b/debian/patches/CVE-2022-2598.patch @@ -8,8 +8,6 @@ Origin: https://github.com/vim/vim/commit/4e677b9c40ccbc5f090971b31dc2fe07bf0554 src/testdir/test_diffmode.vim | 15 +++++++++++++++ 2 files changed, 21 insertions(+), 3 deletions(-) -diff --git a/src/diff.c b/src/diff.c -index d368f96..745cb87 100644 --- a/src/diff.c +++ b/src/diff.c @@ -451,7 +451,10 @@ diff_mark_adjust_tp( @@ -35,8 +33,6 @@ index d368f96..745cb87 100644 } for (i = 0; i < dp->df_count[idx_from] - start_skip - end_skip; ++i) { -diff --git a/src/testdir/test_diffmode.vim b/src/testdir/test_diffmode.vim -index 84fb451..3ced8cd 100644 --- a/src/testdir/test_diffmode.vim +++ b/src/testdir/test_diffmode.vim @@ -913,3 +913,18 @@ func Test_diff_of_diff() diff --git a/debian/patches/CVE-2022-2946.patch b/debian/patches/CVE-2022-2946.patch index b3dadb9..05aa8c1 100644 --- a/debian/patches/CVE-2022-2946.patch +++ b/debian/patches/CVE-2022-2946.patch @@ -8,8 +8,6 @@ Origin: https://github.com/vim/vim/commit/adce965162dd89bf29ee0e5baf53652e751576 src/testdir/test_tagcase.vim | 12 ++++++++++++ 2 files changed, 20 insertions(+), 1 deletion(-) -diff --git a/src/tag.c b/src/tag.c -index b1915e1..4e96da3 100644 --- a/src/tag.c +++ b/src/tag.c @@ -146,6 +146,7 @@ do_tag( diff --git a/debian/patches/CVE-2022-3099.patch b/debian/patches/CVE-2022-3099.patch index 1dd5203..aecab0b 100644 --- a/debian/patches/CVE-2022-3099.patch +++ b/debian/patches/CVE-2022-3099.patch @@ -8,8 +8,6 @@ Origin: https://github.com/vim/vim/commit/35d21c6830fc2d68aca838424a0e786821c589 src/testdir/test_eval_stuff.vim | 14 ++++++++++++++ 2 files changed, 15 insertions(+), 1 deletion(-) -diff --git a/src/ex_docmd.c b/src/ex_docmd.c -index bb8d719..5321962 100644 --- a/src/ex_docmd.c +++ b/src/ex_docmd.c @@ -1109,7 +1109,7 @@ do_cmdline( diff --git a/debian/patches/CVE-2022-3134.patch b/debian/patches/CVE-2022-3134.patch index 16f8949..e7eaae6 100644 --- a/debian/patches/CVE-2022-3134.patch +++ b/debian/patches/CVE-2022-3134.patch @@ -7,8 +7,6 @@ Origin: https://github.com/vim/vim/commit/ccfde4d028e891a41e3548323c3d47b06fb0b8 src/tag.c | 9 +++++++++ 1 file changed, 9 insertions(+) -diff --git a/src/tag.c b/src/tag.c -index 4e96da3..6fcd6ee 100644 --- a/src/tag.c +++ b/src/tag.c @@ -539,6 +539,15 @@ do_tag( diff --git a/debian/patches/CVE-2022-3234.patch b/debian/patches/CVE-2022-3234.patch index 16207d5..28e5d63 100644 --- a/debian/patches/CVE-2022-3234.patch +++ b/debian/patches/CVE-2022-3234.patch @@ -8,8 +8,6 @@ Origin: https://github.com/vim/vim/commit/c249913edc35c0e666d783bfc21595cf9f7d9e src/testdir/test_virtualedit.vim | 14 ++++++++++++++ 2 files changed, 24 insertions(+), 2 deletions(-) -diff --git a/src/ops.c b/src/ops.c -index 84b5f90..c2319b1 100644 --- a/src/ops.c +++ b/src/ops.c @@ -2295,6 +2295,8 @@ op_replace(oparg_T *oap, int c) @@ -47,8 +45,6 @@ index 84b5f90..c2319b1 100644 { int virtcols = oap->end.coladd; -diff --git a/src/testdir/test_virtualedit.vim b/src/testdir/test_virtualedit.vim -index 67adede..6b8fdfd 100644 --- a/src/testdir/test_virtualedit.vim +++ b/src/testdir/test_virtualedit.vim @@ -73,3 +73,17 @@ func Test_edit_CTRL_G() diff --git a/debian/patches/CVE-2022-3235.patch b/debian/patches/CVE-2022-3235.patch index fc3e20e..d18b7a1 100644 --- a/debian/patches/CVE-2022-3235.patch +++ b/debian/patches/CVE-2022-3235.patch @@ -14,8 +14,6 @@ Solution: Make sure pointer to b_p_iminsert is still valid. Backport: rewrote b_im_ptr handling -diff --git a/src/ex_getln.c b/src/ex_getln.c -index 70436b31f05e..a4fb61145c96 100644 --- a/src/ex_getln.c +++ b/src/ex_getln.c @@ -858,6 +858,7 @@ getcmdline_int( @@ -67,7 +65,7 @@ index 70436b31f05e..a4fb61145c96 100644 { if (b_im_ptr == &curbuf->b_p_iminsert) set_iminsert_global(); -@@ -2476,7 +2478,8 @@ getcmdline_int( +@@ -2476,7 +2478,8 @@ returncmd: State = save_State; #ifdef HAVE_INPUT_METHOD @@ -77,11 +75,9 @@ index 70436b31f05e..a4fb61145c96 100644 im_save_status(b_im_ptr); im_set_active(FALSE); #endif -diff --git a/src/testdir/test_cmdwin.vim b/src/testdir/test_cmdwin.vim -index d62673aba254..fe849bcc1686 100644 --- /dev/null +++ b/src/testdir/test_cmdwin.vim -@@ -0,0 +0,12 @@ +@@ -0,0 +1,12 @@ +" This was using a pointer to a freed buffer +func Test_cmdwin_freed_buffer_ptr() + au BufEnter * next 0| file @@ -96,7 +92,7 @@ index d62673aba254..fe849bcc1686 100644 +" vim: shiftwidth=2 sts=2 expandtab --- a/src/testdir/Make_all.mak +++ b/src/testdir/Make_all.mak -@@ -89,6 +89,7 @@ +@@ -89,6 +89,7 @@ NEW_TESTS = \ test_clientserver \ test_close_count \ test_cmdline \ @@ -106,7 +102,7 @@ index d62673aba254..fe849bcc1686 100644 test_compiler \ --- a/src/version.c +++ b/src/version.c -@@ -2618,6 +2618,7 @@ +@@ -2618,6 +2618,7 @@ static char *(extra_patches[]) = "8.2.3403", "8.2.3409", "8.2.3428", diff --git a/debian/patches/CVE-2022-3256.patch b/debian/patches/CVE-2022-3256.patch index ab1abab..9cbaf88 100644 --- a/debian/patches/CVE-2022-3256.patch +++ b/debian/patches/CVE-2022-3256.patch @@ -11,8 +11,6 @@ Solution: Copy the mark before editing another buffer. src/version.c | 2 ++ 3 files changed, 22 insertions(+), 5 deletions(-) -diff --git a/src/mark.c b/src/mark.c -index ade5a1087b7d..584db033d3ca 100644 --- a/src/mark.c +++ b/src/mark.c @@ -252,17 +252,19 @@ movemark(int count) @@ -40,11 +38,9 @@ index ade5a1087b7d..584db033d3ca 100644 pos = (pos_T *)-1; } else -diff --git a/src/testdir/test_marks.vim b/src/testdir/test_marks.vim -index 12501a3aba07..20fb3041f244 100644 --- a/src/testdir/test_marks.vim +++ b/src/testdir/test_marks.vim -@@ -174,3 +174,16 @@ func Test_getmarklist() +@@ -174,3 +174,16 @@ func Test_mark_error() call assert_fails('mark xx', 'E488:') call assert_fails('mark _', 'E191:') endfunc @@ -63,7 +59,7 @@ index 12501a3aba07..20fb3041f244 100644 + --- a/src/version.c +++ b/src/version.c -@@ -2619,6 +2619,7 @@ +@@ -2619,6 +2619,7 @@ static char *(extra_patches[]) = "8.2.3409", "8.2.3428", "9.0.0490", diff --git a/debian/patches/CVE-2022-3324.patch b/debian/patches/CVE-2022-3324.patch index 59b60e6..f3e50d5 100644 --- a/debian/patches/CVE-2022-3324.patch +++ b/debian/patches/CVE-2022-3324.patch @@ -8,8 +8,6 @@ Origin: https://github.com/vim/vim/commit/8279af514ca7e5fd3c31cf13b0864163d1a0bf src/window.c | 5 ++++- 2 files changed, 26 insertions(+), 1 deletion(-) -diff --git a/src/testdir/test_cmdline.vim b/src/testdir/test_cmdline.vim -index 3878637..4a35201 100644 --- a/src/testdir/test_cmdline.vim +++ b/src/testdir/test_cmdline.vim @@ -620,5 +620,27 @@ func Test_report_error_with_composing() @@ -40,8 +38,6 @@ index 3878637..4a35201 100644 + set cpo& -diff --git a/src/window.c b/src/window.c -index 7c7f580..c4d97d6 100644 --- a/src/window.c +++ b/src/window.c @@ -1945,6 +1945,8 @@ win_equal_rec( @@ -53,7 +49,7 @@ index 7c7f580..c4d97d6 100644 new_size += next_curwin_size; room -= new_size - next_curwin_size; } -@@ -5899,7 +5901,8 @@ scroll_to_fraction(win_T *wp, int prev_height) +@@ -5899,7 +5901,8 @@ scroll_to_fraction(win_T *wp, int prev_h void win_new_width(win_T *wp, int width) { diff --git a/debian/patches/CVE-2022-3352.patch b/debian/patches/CVE-2022-3352.patch index f55e40d..e5808ef 100644 --- a/debian/patches/CVE-2022-3352.patch +++ b/debian/patches/CVE-2022-3352.patch @@ -14,8 +14,6 @@ Solution: Disallow deleting the current buffer to avoid using freed memory. Backport: src/buffer.c isn't vulnerable yet -diff --git a/src/spell.c b/src/spell.c -index 628814fe6db3..975b5a6789a9 100644 --- a/src/spell.c +++ b/src/spell.c @@ -1813,6 +1813,10 @@ spell_load_lang(char_u *lang) @@ -38,11 +36,9 @@ index 628814fe6db3..975b5a6789a9 100644 } /* -diff --git a/src/testdir/test_autocmd.vim b/src/testdir/test_autocmd.vim -index 86732f15dbe4..70f0f553a226 100644 --- a/src/testdir/test_autocmd.vim +++ b/src/testdir/test_autocmd.vim -@@ -1416,3 +1416,14 @@ +@@ -1416,3 +1416,14 @@ func Test_Changed_FirstTime() endfunc " FileChangedShell tested in test_filechanged.vim @@ -59,7 +55,7 @@ index 86732f15dbe4..70f0f553a226 100644 + --- a/src/version.c +++ b/src/version.c -@@ -2620,6 +2620,7 @@ +@@ -2620,6 +2620,7 @@ static char *(extra_patches[]) = "8.2.3428", "9.0.0490", "9.0.0530", diff --git a/debian/patches/CVE-2022-3705.patch b/debian/patches/CVE-2022-3705.patch index febdb59..531ba7c 100644 --- a/debian/patches/CVE-2022-3705.patch +++ b/debian/patches/CVE-2022-3705.patch @@ -9,11 +9,9 @@ Origin: https://github.com/vim/vim/commit/d0fab10ed2a86698937e3c3fed2f10bd9bb5e7 src/version.c | 2 ++ 3 files changed, 23 insertions(+) -diff --git a/src/quickfix.c b/src/quickfix.c -index 3bfa027..d6f773b 100644 --- a/src/quickfix.c +++ b/src/quickfix.c -@@ -4274,6 +4274,9 @@ qf_update_buffer(qf_info_T *qi, qfline_T *old_last) +@@ -4274,6 +4274,9 @@ qf_update_buffer(qf_info_T *qi, qfline_T // when the added lines are not visible. if ((win = qf_find_win(qi)) != NULL && old_line_count < win->w_botline) redraw_buf_later(buf, NOT_VALID); @@ -23,7 +21,7 @@ index 3bfa027..d6f773b 100644 } } -@@ -4408,6 +4411,9 @@ qf_fill_buffer(qf_info_T *qi, buf_T *buf, qfline_T *old_last) +@@ -4408,6 +4411,9 @@ qf_fill_buffer(qf_info_T *qi, buf_T *buf break; } @@ -33,11 +31,9 @@ index 3bfa027..d6f773b 100644 if (old_last == NULL) // Delete the empty line which is now at the end (void)ml_delete(lnum + 1, FALSE); -diff --git a/src/testdir/test_quickfix.vim b/src/testdir/test_quickfix.vim -index 2e5fffa..860e417 100644 --- a/src/testdir/test_quickfix.vim +++ b/src/testdir/test_quickfix.vim -@@ -3931,3 +3931,18 @@ func Test_lopen_bwipe() +@@ -3915,3 +3915,18 @@ func Test_lopen_bwipe() delfunc R endfunc @@ -56,16 +52,14 @@ index 2e5fffa..860e417 100644 + augroup END +endfunc + -diff --git a/src/version.c b/src/version.c -index cd174b0..28f8753 100644 --- a/src/version.c +++ b/src/version.c -@@ -791,6 +791,8 @@ static char *(features[]) = - +@@ -792,6 +792,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ -+/**/ -+ 805, /**/ ++ 805, ++/**/ 5024, /**/ + 4214, diff --git a/debian/patches/CVE-2022-4141.patch b/debian/patches/CVE-2022-4141.patch new file mode 100644 index 0000000..e537b7f --- /dev/null +++ b/debian/patches/CVE-2022-4141.patch @@ -0,0 +1,140 @@ +From: Markus Koschany <apo@debian.org> +Date: Sun, 11 Jun 2023 13:46:58 +0200 +Subject: CVE-2022-4141 + +Bug-Debian: https://bugs.debian.org/1027146 +Origin: https://github.com/vim/vim/commit/cc762a48d42b579fb7bdec2c614636b830342dd5 +--- + src/normal.c | 35 ++++++++++++++++++++++++++--------- + src/proto/normal.pro | 1 + + src/testdir/test_substitute.vim | 20 ++++++++++++++++++++ + src/window.c | 4 +++- + 4 files changed, 50 insertions(+), 10 deletions(-) + +diff --git a/src/normal.c b/src/normal.c +index 8f92b9c..ee2233d 100644 +--- a/src/normal.c ++++ b/src/normal.c +@@ -523,13 +523,36 @@ check_text_locked(oparg_T *oap) + { + if (text_locked()) + { +- clearopbeep(oap); ++ if (oap != NULL) ++ clearopbeep(oap); + text_locked_msg(); + return TRUE; + } + return FALSE; + } + ++/* ++ * If text is locked, "curbuf_lock" or "allbuf_lock" is set: ++ * Give an error message, possibly beep and return TRUE. ++ * "oap" may be NULL. ++ */ ++ int ++check_text_or_curbuf_locked(oparg_T *oap) ++{ ++ if (check_text_locked(oap)) ++ return TRUE; ++ ++#ifdef FEAT_AUTOCMD ++ if (curbuf_locked()) ++ { ++ if (oap != NULL) ++ clearop(oap); ++ return TRUE; ++ } ++#endif ++ return FALSE; ++} ++ + /* + * Execute a command in Normal mode. + */ +@@ -791,8 +814,7 @@ getcount: + goto normal_end; + } + +- if ((nv_cmds[idx].cmd_flags & NV_NCW) +- && (check_text_locked(oap) || curbuf_locked())) ++ if ((nv_cmds[idx].cmd_flags & NV_NCW) && check_text_or_curbuf_locked(oap)) + /* this command is not allowed now */ + goto normal_end; + +@@ -6173,13 +6195,8 @@ nv_gotofile(cmdarg_T *cap) + char_u *ptr; + linenr_T lnum = -1; + +- if (check_text_locked(cap->oap)) ++ if (check_text_or_curbuf_locked(cap->oap)) + return; +- if (curbuf_locked()) +- { +- clearop(cap->oap); +- return; +- } + + ptr = grab_file_name(cap->count1, &lnum); + +diff --git a/src/proto/normal.pro b/src/proto/normal.pro +index 55d12bb..cc81ff9 100644 +--- a/src/proto/normal.pro ++++ b/src/proto/normal.pro +@@ -1,4 +1,5 @@ + /* normal.c */ ++int check_text_or_curbuf_locked(oparg_T *oap); + void init_normal_cmds(void); + void normal_cmd(oparg_T *oap, int toplevel); + void do_pending_operator(cmdarg_T *cap, int old_col, int gui_yank); +diff --git a/src/testdir/test_substitute.vim b/src/testdir/test_substitute.vim +index 9ab0adb..d78b036 100644 +--- a/src/testdir/test_substitute.vim ++++ b/src/testdir/test_substitute.vim +@@ -565,3 +565,23 @@ func Test_sub_edit_scriptfile() + bwipe! + endfunc + ++" This was editing another file from the expression. ++func Test_sub_expr_goto_other_file() ++ call writefile([''], 'Xfileone', 'D') ++ enew! ++ call setline(1, ['a', 'b', 'c', 'd', ++ \ 'Xfileone zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz']) ++ ++ func g:SplitGotoFile() ++ exe "sil! norm 0\<C-W>gf" ++ return '' ++ endfunc ++ ++ $ ++ s/\%')/\=g:SplitGotoFile() ++ ++ delfunc g:SplitGotoFile ++ bwipe! ++endfunc ++ ++ +diff --git a/src/window.c b/src/window.c +index 7f51c1b..82ece3e 100644 +--- a/src/window.c ++++ b/src/window.c +@@ -478,6 +478,8 @@ newwindow: + case Ctrl_F: + wingotofile: + CHECK_CMDWIN; ++ if (check_text_or_curbuf_locked(NULL)) ++ break; + + ptr = grab_file_name(Prenum1, &lnum); + if (ptr != NULL) +@@ -757,7 +759,7 @@ win_split(int size, int flags) + * When "new_wp" is NULL: split the current window in two. + * When "new_wp" is not NULL: insert this window at the far + * top/left/right/bottom. +- * return FAIL for failure, OK otherwise ++ * Return FAIL for failure, OK otherwise. + */ + int + win_split_ins( diff --git a/debian/patches/CVE-2023-0054.patch b/debian/patches/CVE-2023-0054.patch new file mode 100644 index 0000000..1bb31bb --- /dev/null +++ b/debian/patches/CVE-2023-0054.patch @@ -0,0 +1,26 @@ +From: Markus Koschany <apo@debian.org> +Date: Sun, 11 Jun 2023 13:48:33 +0200 +Subject: CVE-2023-0054 + +Bug-Debian: https://bugs.debian.org/1031875 +Origin: https://github.com/vim/vim/commit/3ac1d97a1d9353490493d30088256360435f7731 +--- + src/eval.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/eval.c b/src/eval.c +index 659f35c..f22b0ae 100644 +--- a/src/eval.c ++++ b/src/eval.c +@@ -10612,6 +10612,11 @@ do_string_sub( + * - The text after the match. + */ + sublen = vim_regsub(®match, sub, expr, tail, FALSE, TRUE, FALSE); ++ if (sublen <= 0) ++ { ++ ga_clear(&ga); ++ break; ++ } + if (ga_grow(&ga, (int)((end - tail) + sublen - + (regmatch.endp[0] - regmatch.startp[0]))) == FAIL) + { diff --git a/debian/patches/CVE-2023-1175.patch b/debian/patches/CVE-2023-1175.patch new file mode 100644 index 0000000..0bc1497 --- /dev/null +++ b/debian/patches/CVE-2023-1175.patch @@ -0,0 +1,41 @@ +From: Markus Koschany <apo@debian.org> +Date: Sun, 11 Jun 2023 13:56:10 +0200 +Subject: CVE-2023-1175 + +Origin: https://github.com/vim/vim/commit/c99cbf8f289bdda5d4a77d7ec415850a520330ba +--- + src/ops.c | 2 ++ + src/testdir/test_virtualedit.vim | 10 ++++++++++ + 2 files changed, 12 insertions(+) + +diff --git a/src/ops.c b/src/ops.c +index 50d5af9..45e6308 100644 +--- a/src/ops.c ++++ b/src/ops.c +@@ -3119,6 +3119,8 @@ op_yank(oparg_T *oap, int deleting, int mess) + * double-count it. */ + bd.startspaces = (ce - cs + 1) + - oap->start.coladd; ++ if (bd.startspaces < 0) ++ bd.startspaces = 0; + startcol++; + } + } +diff --git a/src/testdir/test_virtualedit.vim b/src/testdir/test_virtualedit.vim +index 6b8fdfd..c2a9403 100644 +--- a/src/testdir/test_virtualedit.vim ++++ b/src/testdir/test_virtualedit.vim +@@ -87,3 +87,13 @@ func Test_virtualedit_replace_after_tab() + bwipe! + endfunc + ++func Test_edit_special_char() ++ new ++ se ve=all ++ norm a0 ++ sil! exe "norm o00000\<Nul>k<a0s" ++ ++ bwipe! ++ set virtualedit= ++endfunc ++ diff --git a/debian/patches/CVE-2023-2610.patch b/debian/patches/CVE-2023-2610.patch new file mode 100644 index 0000000..085b7b9 --- /dev/null +++ b/debian/patches/CVE-2023-2610.patch @@ -0,0 +1,68 @@ +From: Markus Koschany <apo@debian.org> +Date: Sun, 11 Jun 2023 13:58:23 +0200 +Subject: CVE-2023-2610 + +Bug-Debian: https://bugs.debian.org/1035955 +Origin: https://github.com/vim/vim/commit/ab9a2d884b3a4abe319606ea95a5a6d6b01cd73a +--- + src/regexp.c | 29 ++++++++++++++++++----------- + 1 file changed, 18 insertions(+), 11 deletions(-) + +diff --git a/src/regexp.c b/src/regexp.c +index 6939fd1..5630364 100644 +--- a/src/regexp.c ++++ b/src/regexp.c +@@ -7150,10 +7150,7 @@ do_Lower(int *d, int c) + regtilde(char_u *source, int magic) + { + char_u *newsub = source; +- char_u *tmpsub; + char_u *p; +- int len; +- int prevlen; + + for (p = newsub; *p; ++p) + { +@@ -7162,24 +7159,34 @@ regtilde(char_u *source, int magic) + if (reg_prev_sub != NULL) + { + /* length = len(newsub) - 1 + len(prev_sub) + 1 */ +- prevlen = (int)STRLEN(reg_prev_sub); +- tmpsub = alloc((unsigned)(STRLEN(newsub) + prevlen)); ++ // Avoid making the text longer than MAXCOL, it will cause ++ // trouble at some point. ++ size_t prevsublen = STRLEN(reg_prev_sub); ++ size_t newsublen = STRLEN(newsub); ++ if (prevsublen > MAXCOL || newsublen > MAXCOL ++ || newsublen + prevsublen > MAXCOL) ++ { ++ break; ++ } ++ ++ char_u *tmpsub = alloc(newsublen + prevsublen); + if (tmpsub != NULL) + { + /* copy prefix */ +- len = (int)(p - newsub); /* not including ~ */ +- mch_memmove(tmpsub, newsub, (size_t)len); ++ size_t prefixlen = p - newsub; // not including ~ ++ mch_memmove(tmpsub, newsub, prefixlen); + /* interpret tilde */ +- mch_memmove(tmpsub + len, reg_prev_sub, (size_t)prevlen); ++ mch_memmove(tmpsub + prefixlen, reg_prev_sub, ++ prevsublen); + /* copy postfix */ + if (!magic) + ++p; /* back off \ */ +- STRCPY(tmpsub + len + prevlen, p + 1); ++ STRCPY(tmpsub + prefixlen + prevsublen, p + 1); + +- if (newsub != source) /* already allocated newsub */ ++ if (newsub != source) // allocated newsub before + vim_free(newsub); + newsub = tmpsub; +- p = newsub + len + prevlen; ++ p = newsub + prefixlen + prevsublen; + } + } + else if (magic) diff --git a/debian/patches/CVE_2022-1968.patch b/debian/patches/CVE_2022-1968.patch index eab9980..eafcba5 100644 --- a/debian/patches/CVE_2022-1968.patch +++ b/debian/patches/CVE_2022-1968.patch @@ -8,8 +8,6 @@ Origin: https://github.com/vim/vim/commit/409510c588b1eec1ae33511ae97a21eb8e1108 src/testdir/test_tagjump.vim | 12 ++++++++++++ 2 files changed, 30 insertions(+), 3 deletions(-) -diff --git a/src/search.c b/src/search.c -index 4b3f853..9a17918 100644 --- a/src/search.c +++ b/src/search.c @@ -4852,6 +4852,21 @@ linewhite(linenr_T lnum) @@ -61,8 +59,6 @@ index 4b3f853..9a17918 100644 } already = NULL; } -diff --git a/src/testdir/test_tagjump.vim b/src/testdir/test_tagjump.vim -index da4af2f..7605730 100644 --- a/src/testdir/test_tagjump.vim +++ b/src/testdir/test_tagjump.vim @@ -372,4 +372,16 @@ func Test_getsettagstack() diff --git a/debian/patches/series b/debian/patches/series index acb4b8e..56ef38a 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -76,3 +76,7 @@ CVE-2022-2129.patch CVE-2022-3235.patch CVE-2022-3256.patch CVE-2022-3352.patch +CVE-2022-4141.patch +CVE-2023-0054.patch +CVE-2023-1175.patch +CVE-2023-2610.patch |