From 1ad87944791274e4dddf2e2769073e48d77dbaf8 Mon Sep 17 00:00:00 2001 From: eabdullin Date: Tue, 14 Oct 2025 07:43:47 +0000 Subject: [PATCH] import UBI vim-8.2.2637-22.el9_6.1 --- ...ecurity-path-traversal-issue-in-zip..patch | 70 ++++ ...ecurity-path-traversal-issue-in-tar..patch | 327 ++++++++++++++++++ SPECS/vim.spec | 13 +- 3 files changed, 409 insertions(+), 1 deletion(-) create mode 100644 SOURCES/0001-patch-9.1.1551-security-path-traversal-issue-in-zip..patch create mode 100644 SOURCES/0001-patch-9.1.1552-security-path-traversal-issue-in-tar..patch diff --git a/SOURCES/0001-patch-9.1.1551-security-path-traversal-issue-in-zip..patch b/SOURCES/0001-patch-9.1.1551-security-path-traversal-issue-in-zip..patch new file mode 100644 index 00000000..2de1c393 --- /dev/null +++ b/SOURCES/0001-patch-9.1.1551-security-path-traversal-issue-in-zip..patch @@ -0,0 +1,70 @@ +diff -up vim82/runtime/autoload/zip.vim.CVE-2025-53906 vim82/runtime/autoload/zip.vim +--- vim82/runtime/autoload/zip.vim.CVE-2025-53906 2021-03-22 10:02:41.000000000 +0100 ++++ vim82/runtime/autoload/zip.vim 2025-09-10 19:33:11.491115978 +0200 +@@ -251,6 +251,7 @@ fun! zip#Write(fname) + " call Dfunc("zip#Write(fname<".a:fname.">) zipfile_".winnr()."<".s:zipfile_{winnr()}.">") + let repkeep= &report + set report=10 ++ let need_rename = 0 + + " sanity checks + if !executable(substitute(g:zip_zipcmd,'\s\+.*$','','')) +@@ -261,14 +262,6 @@ fun! zip#Write(fname) + " call Dret("zip#Write") + return + endif +- if !exists("*mkdir") +- redraw! +- echohl Error | echo "***error*** (zip#Write) sorry, mkdir() doesn't work on your system" | echohl None +-" call inputsave()|call input("Press to continue")|call inputrestore() +- let &report= repkeep +-" call Dret("zip#Write") +- return +- endif + + let curdir= getcwd() + let tmpdir= tempname() +@@ -302,6 +295,11 @@ fun! zip#Write(fname) + let zipfile = substitute(a:fname,'^.\{-}zipfile:\(.\{-}\)::[^\\].*$','\1','') + let fname = substitute(a:fname,'^.\{-}zipfile:.\{-}::\([^\\].*\)$','\1','') + endif ++ if fname =~ '^[.]\{1,2}/' ++ call system(g:zip_zipcmd." -d ".s:Escape(fnamemodify(zipfile,":p"),0)." ".s:Escape(fname,0)) ++ let fname = fname->substitute('^\([.]\{1,2}/\)\+', '', 'g') ++ let need_rename = 1 ++ endif + " call Decho("zipfile<".zipfile.">") + " call Decho("fname <".fname.">") + +@@ -318,7 +316,7 @@ fun! zip#Write(fname) + endif + " call Decho("zipfile<".zipfile."> fname<".fname.">") + +- exe "w! ".fnameescape(fname) ++ exe "w ".fnameescape(fname) + if has("win32unix") && executable("cygpath") + let zipfile = substitute(system("cygpath ".s:Escape(zipfile,0)),'\n','','e') + endif +@@ -348,6 +346,10 @@ fun! zip#Write(fname) + let &binary = binkeep + q! + unlet s:zipfile_{winnr()} ++ elseif need_rename ++ exe $"sil keepalt file {fnameescape($"zipfile://{zipfile}::{fname}")}" ++ redraw! ++ echohl Error | echo "***error*** (zip#Browse) Path Traversal Attack detected, dropping relative path" | echohl None + endif + + " cleanup and restore current directory +@@ -383,6 +385,11 @@ fun! zip#Extract() + let &report= repkeep + " call Dret("zip#Extract") + return ++ elseif fname =~ '^[.]\?[.]/' ++ redraw! ++ echohl Error | echo "***error*** (zip#Browse) Path Traversal Attack detected, not extracting!" | echohl None ++ let &report= repkeep ++ return + endif + + " extract the file mentioned under the cursor diff --git a/SOURCES/0001-patch-9.1.1552-security-path-traversal-issue-in-tar..patch b/SOURCES/0001-patch-9.1.1552-security-path-traversal-issue-in-tar..patch new file mode 100644 index 00000000..1fea077f --- /dev/null +++ b/SOURCES/0001-patch-9.1.1552-security-path-traversal-issue-in-tar..patch @@ -0,0 +1,327 @@ +diff -up vim82/runtime/autoload/tar.vim.CVE-2025-53905 vim82/runtime/autoload/tar.vim +--- vim82/runtime/autoload/tar.vim.CVE-2025-53905 2021-03-22 10:02:41.000000000 +0100 ++++ vim82/runtime/autoload/tar.vim 2025-09-10 19:28:55.467111778 +0200 +@@ -37,10 +37,10 @@ set cpo&vim + " --------------------------------------------------------------------- + " Default Settings: {{{1 + if !exists("g:tar_browseoptions") +- let g:tar_browseoptions= "Ptf" ++ let g:tar_browseoptions= "tf" + endif + if !exists("g:tar_readoptions") +- let g:tar_readoptions= "OPxf" ++ let g:tar_readoptions= "Oxf" + endif + if !exists("g:tar_cmd") + let g:tar_cmd= "tar" +@@ -49,6 +49,7 @@ if !exists("g:tar_writeoptions") + let g:tar_writeoptions= "uf" + endif + if !exists("g:tar_delfile") ++ " Note: not supported on BSD + let g:tar_delfile="--delete -f" + endif + if !exists("g:netrw_cygwin") +@@ -98,6 +99,9 @@ if !exists("g:tar_shq") + " call Decho("g:tar_shq<".g:tar_shq.">") + endif + ++let g:tar_secure=' -- ' ++let g:tar_leading_pat='^\%([.]\{,2\}/\)\+' ++ + " ---------------- + " Functions: {{{1 + " ---------------- +@@ -221,6 +225,15 @@ fun! tar#Browse(tarfile) + return + endif + ++ " remove tar: Removing leading '/' from member names ++ " Note: the message could be localized ++ if search('^tar: ') > 0 || search(g:tar_leading_pat) > 0 ++ call append(3,'" Note: Path Traversal Attack detected!') ++ let b:leading_slash = 1 ++ " remove the message output ++ sil g/^tar: /d ++ endif ++ + " set up maps supported for tar + setlocal noma nomod ro + noremap :call TarBrowseSelect() +@@ -242,12 +255,7 @@ fun! s:TarBrowseSelect() + let fname= getline(".") + " call Decho("fname<".fname.">") + +- if !exists("g:tar_secure") && fname =~ '^\s*-\|\s\+-' +- redraw! +- echohl WarningMsg | echo '***warning*** (tar#BrowseSelect) rejecting tarfile member<'.fname.'> because of embedded "-"' +-" call Dret('tar#BrowseSelect : rejecting tarfile member<'.fname.'> because of embedded "-"') +- return +- endif ++ let ls= get(b:, 'leading_slash', 0) + + " sanity check + if fname =~ '^"' +@@ -270,7 +278,8 @@ fun! s:TarBrowseSelect() + wincmd _ + endif + let s:tblfile_{winnr()}= curfile +- call tar#Read("tarfile:".tarfile.'::'.fname,1) ++ let b:leading_slash= ls ++ call tar#Read("tarfile:".tarfile.'::'.fname) + filetype detect + set nomod + exe 'com! -buffer -nargs=? -complete=file TarDiff :call tar#Diff(,"'.fnameescape(fname).'")' +@@ -281,8 +290,8 @@ endfun + + " --------------------------------------------------------------------- + " tar#Read: {{{2 +-fun! tar#Read(fname,mode) +-" call Dfunc("tar#Read(fname<".a:fname.">,mode=".a:mode.")") ++fun! tar#Read(fname) ++" call Dfunc("tar#Read(fname<".a:fname.">)") + let repkeep= &report + set report=10 + let tarfile = substitute(a:fname,'tarfile:\(.\{-}\)::.*$','\1','') +@@ -294,6 +303,8 @@ fun! tar#Read(fname,mode) + " call Decho("tarfile<".tarfile.">") + " call Decho("fname<".fname.">") + ++ let curdir= getcwd() ++ let b:curdir= curdir + if fname =~ '\.bz2$' && executable("bzcat") + let decmp= "|bzcat" + let doro = 1 +@@ -317,16 +328,11 @@ fun! tar#Read(fname,mode) + endif + endif + +- if exists("g:tar_secure") +- let tar_secure= " -- " +- else +- let tar_secure= " " +- endif + + if tarfile =~# '\.bz2$' +- exe "sil! r! bzip2 -d -c -- ".shellescape(tarfile,1)."| ".g:tar_cmd." -".g:tar_readoptions." - ".tar_secure.shellescape(fname,1).decmp ++ exe "sil! r! bzip2 -d -c -- ".shellescape(tarfile,1)."| ".g:tar_cmd." -".g:tar_readoptions." - ".g:tar_secure.shellescape(fname,1).decmp + elseif tarfile =~# '\.\(gz\)$' +- exe "sil! r! gzip -d -c -- ".shellescape(tarfile,1)."| ".g:tar_cmd." -".g:tar_readoptions." - ".tar_secure.shellescape(fname,1).decmp ++ exe "sil! r! gzip -d -c -- ".shellescape(tarfile,1)."| ".g:tar_cmd." -".g:tar_readoptions." - ".g:tar_secure.shellescape(fname,1).decmp + + elseif tarfile =~# '\(\.tgz\|\.tbz\|\.txz\)' + if has("unix") && executable("file") +@@ -335,28 +341,31 @@ fun! tar#Read(fname,mode) + let filekind= "" + endif + if filekind =~ "bzip2" +- exe "sil! r! bzip2 -d -c -- ".shellescape(tarfile,1)."| ".g:tar_cmd." -".g:tar_readoptions." - ".tar_secure.shellescape(fname,1).decmp ++ exe "sil! r! bzip2 -d -c -- ".shellescape(tarfile,1)."| ".g:tar_cmd." -".g:tar_readoptions." - ".g:tar_secure.shellescape(fname,1).decmp + elseif filekind =~ "XZ" +- exe "sil! r! xz -d -c -- ".shellescape(tarfile,1)."| ".g:tar_cmd." -".g:tar_readoptions." - ".tar_secure.shellescape(fname,1).decmp ++ exe "sil! r! xz -d -c -- ".shellescape(tarfile,1)."| ".g:tar_cmd." -".g:tar_readoptions." - ".g:tar_secure.shellescape(fname,1).decmp + elseif filekind =~ "Zstandard" +- exe "sil! r! zstd --decompress --stdout -- ".shellescape(tarfile,1)."| ".g:tar_cmd." -".g:tar_readoptions." - ".tar_secure.shellescape(fname,1).decmp ++ exe "sil! r! zstd --decompress --stdout -- ".shellescape(tarfile,1)."| ".g:tar_cmd." -".g:tar_readoptions." - ".g:tar_secure.shellescape(fname,1).decmp + else +- exe "sil! r! gzip -d -c -- ".shellescape(tarfile,1)."| ".g:tar_cmd." -".g:tar_readoptions." - ".tar_secure.shellescape(fname,1).decmp ++ exe "sil! r! gzip -d -c -- ".shellescape(tarfile,1)."| ".g:tar_cmd." -".g:tar_readoptions." - ".g:tar_secure.shellescape(fname,1).decmp + endif + + elseif tarfile =~# '\.lrp$' +- exe "sil! r! cat -- ".shellescape(tarfile,1)." | gzip -d -c - | ".g:tar_cmd." -".g:tar_readoptions." - ".tar_secure.shellescape(fname,1).decmp ++ exe "sil! r! cat -- ".shellescape(tarfile,1)." | gzip -d -c - | ".g:tar_cmd." -".g:tar_readoptions." - ".g:tar_secure.shellescape(fname,1).decmp + elseif tarfile =~# '\.lzma$' +- exe "sil! r! lzma -d -c -- ".shellescape(tarfile,1)."| ".g:tar_cmd." -".g:tar_readoptions." - ".tar_secure.shellescape(fname,1).decmp ++ exe "sil! r! lzma -d -c -- ".shellescape(tarfile,1)."| ".g:tar_cmd." -".g:tar_readoptions." - ".g:tar_secure.shellescape(fname,1).decmp + elseif tarfile =~# '\.\(xz\|txz\)$' +- exe "sil! r! xz --decompress --stdout -- ".shellescape(tarfile,1)." | ".g:tar_cmd." -".g:tar_readoptions." - ".tar_secure.shellescape(fname,1).decmp ++ exe "sil! r! xz --decompress --stdout -- ".shellescape(tarfile,1)." | ".g:tar_cmd." -".g:tar_readoptions." - ".g:tar_secure.shellescape(fname,1).decmp + else + if tarfile =~ '^\s*-' + " A file name starting with a dash is taken as an option. Prepend ./ to avoid that. + let tarfile = substitute(tarfile, '-', './-', '') + endif +-" call Decho("8: exe silent r! ".g:tar_cmd." -".g:tar_readoptions.tar_secure.shellescape(tarfile,1)." ".shellescape(fname,1).decmp) +- exe "silent r! ".g:tar_cmd." -".g:tar_readoptions.shellescape(tarfile,1)." ".tar_secure.shellescape(fname,1).decmp ++" call Decho("8: exe silent r! ".g:tar_cmd." -".g:tar_readoptions.g:tar_secure.shellescape(tarfile,1)." ".shellescape(fname,1).decmp) ++ exe "silent r! ".g:tar_cmd." -".g:tar_readoptions.shellescape(tarfile,1)." ".g:tar_secure.shellescape(fname,1).decmp ++ endif ++ if get(b:, 'leading_slash', 0) ++ sil g/^tar: /d + endif + + if doro +@@ -365,13 +374,14 @@ fun! tar#Read(fname,mode) + endif + + let b:tarfile= a:fname +- exe "file tarfile::".fnameescape(fname) + + " cleanup + keepj sil! 0d + set nomod + + let &report= repkeep ++ exe "lcd ".fnameescape(curdir) ++ silent exe "file tarfile::". fname->fnameescape() + " call Dret("tar#Read : b:tarfile<".b:tarfile.">") + endfun + +@@ -382,13 +392,6 @@ fun! tar#Write(fname) + let repkeep= &report + set report=10 + +- if !exists("g:tar_secure") && a:fname =~ '^\s*-\|\s\+-' +- redraw! +- echohl WarningMsg | echo '***warning*** (tar#Write) rejecting tarfile member<'.a:fname.'> because of embedded "-"' +-" call Dret('tar#Write : rejecting tarfile member<'.fname.'> because of embedded "-"') +- return +- endif +- + " sanity checks + if !executable(g:tar_cmd) + redraw! +@@ -439,6 +442,13 @@ fun! tar#Write(fname) + let tarfile = substitute(b:tarfile,'tarfile:\(.\{-}\)::.*$','\1','') + let fname = substitute(b:tarfile,'tarfile:.\{-}::\(.*\)$','\1','') + ++ if get(b:, 'leading_slash', 0) ++ redraw! ++ echohl Error | echo "***error*** (tar#Write) sorry, not attempting to update ".tarfile." with ".fname | echohl None ++ let &report= repkeep ++ return ++ endif ++ + " handle compressed archives + if tarfile =~# '\.bz2' + call system("bzip2 -d -- ".shellescape(tarfile,0)) +@@ -497,19 +507,15 @@ fun! tar#Write(fname) + endif + " call Decho("tarfile<".tarfile."> fname<".fname.">") + +- if exists("g:tar_secure") +- let tar_secure= " -- " +- else +- let tar_secure= " " +- endif +- exe "w! ".fnameescape(fname) ++ " don't overwrite a file forcefully ++ exe "w ".fnameescape(fname) + if has("win32unix") && executable("cygpath") + let tarfile = substitute(system("cygpath ".shellescape(tarfile,0)),'\n','','e') + endif + + " delete old file from tarfile + " call Decho("system(".g:tar_cmd." ".g:tar_delfile." ".shellescape(tarfile,0)." -- ".shellescape(fname,0).")") +- call system(g:tar_cmd." ".g:tar_delfile." ".shellescape(tarfile,0).tar_secure.shellescape(fname,0)) ++ call system(g:tar_cmd." ".g:tar_delfile." ".shellescape(tarfile,0).g:tar_secure.shellescape(fname,0)) + if v:shell_error != 0 + redraw! + " call Decho("***error*** (tar#Write) sorry, unable to update ".fnameescape(tarfile)." with ".fnameescape(fname)) +@@ -517,8 +523,8 @@ fun! tar#Write(fname) + else + + " update tarfile with new file +-" call Decho(g:tar_cmd." -".g:tar_writeoptions." ".shellescape(tarfile,0).tar_secure.shellescape(fname,0)) +- call system(g:tar_cmd." -".g:tar_writeoptions." ".shellescape(tarfile,0).tar_secure.shellescape(fname,0)) ++" call Decho(g:tar_cmd." -".g:tar_writeoptions." ".shellescape(tarfile,0).g:tar_secure.shellescape(fname,0)) ++ call system(g:tar_cmd." -".g:tar_writeoptions." ".shellescape(tarfile,0).g:tar_secure.shellescape(fname,0)) + if v:shell_error != 0 + redraw! + " call Decho("***error*** (tar#Write) sorry, unable to update ".fnameescape(tarfile)." with ".fnameescape(fname)) +@@ -568,6 +574,7 @@ fun! tar#Diff(userfname,fname) + if a:userfname != "" + let fname= a:userfname + endif ++ exe "lcd ".fnameescape(b:tmpdir). '/_ZIPVIM_' + if filereadable(fname) + " sets current file (from tarball) for diff'ing + " splits window vertically +@@ -594,13 +601,6 @@ fun! tar#Extract() + let fname= getline(".") + " call Decho("fname<".fname.">") + +- if !exists("g:tar_secure") && fname =~ '^\s*-\|\s\+-' +- redraw! +- echohl WarningMsg | echo '***warning*** (tar#BrowseSelect) rejecting tarfile member<'.fname.'> because of embedded "-"' +-" call Dret('tar#BrowseSelect : rejecting tarfile member<'.fname.'> because of embedded "-"') +- return +- endif +- + " sanity check + if fname =~ '^"' + let &report= repkeep +@@ -621,7 +621,7 @@ fun! tar#Extract() + echohl Error | echo "***error*** ".extractcmd." ".tarbase.".tar ".fname.": failed!" | echohl NONE + " call Decho("***error*** ".extractcmd." ".tarbase.".tar ".fname.": failed!") + else +- echo "***note*** successfully extracted ".fname ++ echo "***note*** successfully extracted ". fname + endif + + elseif filereadable(tarbase.".tgz") +diff -up vim82/runtime/doc/pi_tar.txt.CVE-2025-53905 vim82/runtime/doc/pi_tar.txt +--- vim82/runtime/doc/pi_tar.txt.CVE-2025-53905 2021-03-22 10:02:41.000000000 +0100 ++++ vim82/runtime/doc/pi_tar.txt 2025-09-10 19:30:36.070085946 +0200 +@@ -61,7 +61,7 @@ Copyright 2005-2017: *tar-copyright* + the file mentioned in the tarball. If the current directory is not + correct for that path, :TarDiff will fail to find the associated file. + +- If the [filename] is given, that that filename (and path) will be used ++ If the [filename] is given, that filename (and path) will be used + to specify the associated file. + + +@@ -86,18 +86,6 @@ Copyright 2005-2017: *tar-copyright* + *g:tar_readoptions* "OPxf" used to extract a file from a tarball + *g:tar_cmd* "tar" the name of the tar program + *g:tar_nomax* 0 if true, file window will not be maximized +- *g:tar_secure* undef if exists: +- "--"s will be used to prevent unwanted +- option expansion in tar commands. +- Please be sure that your tar command +- accepts "--"; Posix compliant tar +- utilities do accept them. +- if not exists: +- The tar plugin will reject any tar +- files or member files that begin with +- "-" +- Not all tar's support the "--" which is why +- it isn't default. + *g:tar_writeoptions* "uf" used to update/replace a file + + +diff -up vim82/runtime/doc/tags.CVE-2025-53905 vim82/runtime/doc/tags +--- vim82/runtime/doc/tags.CVE-2025-53905 2021-03-22 10:02:41.000000000 +0100 ++++ vim82/runtime/doc/tags 2025-09-10 19:31:03.339666639 +0200 +@@ -6900,7 +6900,6 @@ g:tar_copycmd pi_tar.txt /*g:tar_copycmd + g:tar_extractcmd pi_tar.txt /*g:tar_extractcmd* + g:tar_nomax pi_tar.txt /*g:tar_nomax* + g:tar_readoptions pi_tar.txt /*g:tar_readoptions* +-g:tar_secure pi_tar.txt /*g:tar_secure* + g:tar_writeoptions pi_tar.txt /*g:tar_writeoptions* + g:terminal_ansi_colors terminal.txt /*g:terminal_ansi_colors* + g:tex_comment_nospell syntax.txt /*g:tex_comment_nospell* +diff -up vim82/runtime/plugin/tarPlugin.vim.CVE-2025-53905 vim82/runtime/plugin/tarPlugin.vim +--- vim82/runtime/plugin/tarPlugin.vim.CVE-2025-53905 2021-03-22 10:02:42.000000000 +0100 ++++ vim82/runtime/plugin/tarPlugin.vim 2025-09-10 19:25:22.726912254 +0200 +@@ -22,14 +22,14 @@ set cpo&vim + " Public Interface: {{{1 + augroup tar + au! +- au BufReadCmd tarfile::* call tar#Read(expand(""), 1) +- au FileReadCmd tarfile::* call tar#Read(expand(""), 0) ++ au BufReadCmd tarfile::* call tar#Read(expand("")) ++ au FileReadCmd tarfile::* call tar#Read(expand("")) + au BufWriteCmd tarfile::* call tar#Write(expand("")) + au FileWriteCmd tarfile::* call tar#Write(expand("")) + + if has("unix") +- au BufReadCmd tarfile::*/* call tar#Read(expand(""), 1) +- au FileReadCmd tarfile::*/* call tar#Read(expand(""), 0) ++ au BufReadCmd tarfile::*/* call tar#Read(expand("")) ++ au FileReadCmd tarfile::*/* call tar#Read(expand("")) + au BufWriteCmd tarfile::*/* call tar#Write(expand("")) + au FileWriteCmd tarfile::*/* call tar#Write(expand("")) + endif diff --git a/SPECS/vim.spec b/SPECS/vim.spec index 982fba3e..d0ac39b9 100644 --- a/SPECS/vim.spec +++ b/SPECS/vim.spec @@ -27,7 +27,7 @@ Summary: The VIM editor URL: http://www.vim.org/ Name: vim Version: %{baseversion}.%{patchlevel} -Release: 22%{?dist} +Release: 22%{?dist}.1 License: Vim and MIT Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2 Source1: virc @@ -147,6 +147,11 @@ Patch3054: 0001-patch-8.2.3564-invalid-memory-access-when-scrolling-.patch # https://github.com/vim/vim/commit/d979d64fa2 # https://github.com/vim/vim/commit/e2528ae111 Patch3055: vim-CVE-2023-4752.patch +# RHEL-112006 CVE-2025-53905 vim: Vim path traversial +Patch3056: 0001-patch-9.1.1552-security-path-traversal-issue-in-tar..patch +# RHEL-112010 CVE-2025-53906 vim: Vim path traversal +Patch3057: 0001-patch-9.1.1551-security-path-traversal-issue-in-zip..patch + # gcc is no longer in buildroot by default BuildRequires: gcc @@ -389,6 +394,8 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk %patch3053 -p1 -b .cve47024 %patch -P 3054 -p1 -b .cve2021-3903 %patch -P 3055 -p1 -b .CVE-2023-4752 +%patch -P 3056 -p1 -b .CVE-2025-53905 +%patch -P 3057 -p1 -b .CVE-2025-53906 %build cd src @@ -946,6 +953,10 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags %endif %changelog +* Mon Sep 15 2025 Zdenek Dohnal - 2:8.2.2637-22.1 +- RHEL-112006 CVE-2025-53905 vim: Vim path traversial +- RHEL-112010 CVE-2025-53906 vim: Vim path traversal + * Tue Feb 25 2025 Zdenek Dohnal - 2:8.2.2637-22 - RHEL-2159 vim: Heap Use After Free in function ins_compl_get_exp in vim/vim