Diffstat (limited to 'debian/patches/CVE-2021-3872.patch')
-rw-r--r-- | debian/patches/CVE-2021-3872.patch | 64 |
1 files changed, 64 insertions, 0 deletions
diff --git a/debian/patches/CVE-2021-3872.patch b/debian/patches/CVE-2021-3872.patch
new file mode 100644
index 0000000..ad1ffc3
--- /dev/null
+++ b/debian/patches/CVE-2021-3872.patch
@@ -0,0 +1,64 @@
+From: Markus Koschany <apo@debian.org>
+Date: Wed, 19 Oct 2022 18:47:02 +0200
+Subject: CVE-2021-3872
+
+Origin: https://github.com/vim/vim/commit/826bfe4bbd7594188e3d74d2539d9707b1c6a14b
+---
+ src/screen.c | 10 +++++-----
+ src/testdir/test_statusline.vim | 14 ++++++++++++++
+ 2 files changed, 19 insertions(+), 5 deletions(-)
+
+--- a/src/screen.c
++++ b/src/screen.c
+@@ -6887,13 +6887,13 @@ win_redr_status(win_T *wp, int ignore_pu
+ *(p + len++) = ' ';
+ if (bt_help(wp->w_buffer))
+ {
+- STRCPY(p + len, _("[Help]"));
++ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[Help]"));
+ len += (int)STRLEN(p + len);
+ }
+ #ifdef FEAT_QUICKFIX
+ if (wp->w_p_pvw)
+ {
+- STRCPY(p + len, _("[Preview]"));
++ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[Preview]"));
+ len += (int)STRLEN(p + len);
+ }
+ #endif
+@@ -6903,12 +6903,12 @@ win_redr_status(win_T *wp, int ignore_pu
+ #endif
+ )
+ {
+- STRCPY(p + len, "[+]");
+- len += 3;
++ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", "[+]");
++ len += (int)STRLEN(p + len);
+ }
+ if (wp->w_buffer->b_p_ro)
+ {
+- STRCPY(p + len, _("[RO]"));
++ vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[RO]"));
+ len += (int)STRLEN(p + len);
+ }
+
+--- a/src/testdir/test_statusline.vim
++++ b/src/testdir/test_statusline.vim
+@@ -341,3 +341,17 @@ func Test_statusline()
+ set laststatus&
+ set splitbelow&
+ endfunc
++
++
++" CVE-2021-3872
++" Used to write beyond allocated memory. This assumes MAXPATHL is 4096 bytes.
++function Test_statusline_verylong_filename()
++ let fname = repeat('x', 4090)
++ exe "new " . fname
++ set buftype=help
++ set previewwindow
++ redraw
++ bwipe!
++endfunc
++
++
|
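Review bot: The size passed to each `vim_snprintf` call in win_redr_status, `MAXPATHL - len`, is only meaningful while `len` stays below MAXPATHL, and nothing visible in the patch bounds it: the context line `*(p + len++) = ' ';` advances `len` and overwrites the terminator before the first call. If the translated buffer name can already fill the buffer (its setup lies outside the hunk, so this needs confirming against the full function), the size becomes zero, nothing is written, and the following `len += (int)STRLEN(p + len);` scans from a position that is no longer terminated. Guarding the space append with `if (len < MAXPATHL - 1)` would keep room for the terminator that the next `vim_snprintf` writes. The added Test_statusline_verylong_filename contains no assertion, so it only catches a regression when the suite runs under a memory checker; a comment such as `" No assert: relies on ASan/valgrind to flag the overflow` would make that dependency explicit.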