import vim-8.0.1763-16.el8

SOURCES/vim-cve3778-fix.patch

@@ -0,0 +1,13 @@
+diff -up vim80/src/regexp_nfa.c.cve3796-fix vim80/src/regexp_nfa.c
+--- vim80/src/regexp_nfa.c.cve3796-fix	2021-09-20 08:27:13.752604505 +0200
++++ vim80/src/regexp_nfa.c	2021-09-20 08:29:10.206546910 +0200
+@@ -5493,7 +5493,8 @@ find_match_text(colnr_T startcol, int re
+ 		match = FALSE;
+ 		break;
+ 	    }
+-	    len2 += MB_CHAR2LEN(c2);
++	    len2 += enc_utf8 ? utf_ptr2len(regline + col + len2)
++							     : MB_CHAR2LEN(c2);
+ 	}
+ 	if (match
+ #ifdef FEAT_MBYTE

SOURCES/vim-cve3796.patch

@@ -0,0 +1,51 @@
+diff --git a/src/normal.c b/src/normal.c
+index be0e75e..7d62e20 100644
+--- a/src/normal.c
++++ b/src/normal.c
+@@ -7147,19 +7147,23 @@ nv_replace(cmdarg_T *cap)
+ 	    {
+ 		/*
+ 		 * Get ptr again, because u_save and/or showmatch() will have
+-		 * released the line.  At the same time we let know that the
+-		 * line will be changed.
++		 * released the line.  This may also happen in ins_copychar().
++		 * At the same time we let know that the line will be changed.
+ 		 */
+-		ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
+ 		if (cap->nchar == Ctrl_E || cap->nchar == Ctrl_Y)
+ 		{
+ 		  int c = ins_copychar(curwin->w_cursor.lnum
+ 					   + (cap->nchar == Ctrl_Y ? -1 : 1));
++
++		  ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
+ 		  if (c != NUL)
+ 		    ptr[curwin->w_cursor.col] = c;
+ 		}
+ 		else
++		{
++		    ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
+ 		    ptr[curwin->w_cursor.col] = cap->nchar;
++		}
+ 		if (p_sm && msg_silent == 0)
+ 		    showmatch(cap->nchar);
+ 		++curwin->w_cursor.col;
+diff --git a/src/testdir/test_edit.vim b/src/testdir/test_edit.vim
+index 7278bcd..8818805 100644
+--- a/src/testdir/test_edit.vim
++++ b/src/testdir/test_edit.vim
+@@ -1387,3 +1387,15 @@ func Test_edit_quit()
+   only
+ endfunc
+ 
++" Test for getting the character of the line below after "p"
++func Test_edit_put_CTRL_E()
++  set encoding=latin1
++  new
++  let @" = ''
++  sil! norm orggRx
++  sil! norm pr
++  call assert_equal(['r', 'r'], getline(1, 2))
++  bwipe!
++  set encoding=utf-8
++endfunc
++

SPECS/vim.spec

@@ -24,7 +24,7 @@ Summary: The VIM editor
 URL:     http://www.vim.org/
 Name: vim
 Version: %{baseversion}.%{patchlevel}
-Release: 15%{?dist}
+Release: 16%{?dist}
 License: Vim and MIT
 Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2
 Source1: vim.sh
@@ -75,6 +75,10 @@ Patch3019: 0001-patch-8.1.1365-source-command-doesn-t-check-for-the-.patch
 Patch3020: vim-crypto-warning.patch
 # 1842755 - CVE-2019-20807
 Patch3021: 0001-patch-8.1.0881-can-execute-shell-commands-in-rvim-th.patch
+# 2004974 - CVE-2021-3796 vim: use-after-free in nv_replace() in normal.c [rhel-8.5.0]
+Patch3022: vim-cve3796.patch
+# 2004891 - CVE-2021-3778 vim: heap-based buffer overflow in utf_ptr2char() in mbyte.c [rhel-8.5.0]
+Patch3023: vim-cve3778-fix.patch
 
 # gcc is no longer in buildroot by default
 BuildRequires: gcc
@@ -273,6 +277,8 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
 %patch3019 -p1 -b .cve
 %patch3020 -p1 -b .crypto-warning
 %patch3021 -p1 -b .rvim
+%patch3022 -p1 -b .cve3796
+%patch3023 -p1 -b .cve3778
 
 %build
 %if 0%{?rhel} > 7
@@ -791,6 +797,10 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
 %{_datadir}/icons/locolor/*/apps/*
 
 %changelog
+* Mon Sep 20 2021 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-16
+- 2004974 - CVE-2021-3796 vim: use-after-free in nv_replace() in normal.c [rhel-8.5.0]
+- 2004891 - CVE-2021-3778 vim: heap-based buffer overflow in utf_ptr2char() in mbyte.c [rhel-8.5.0]
+
 * Tue Jun 02 2020 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-15
 - 1842755 - CVE-2019-20807