import vim-8.0.1763-19.el8_6.4

SOURCES/0001-patch-8.2.4646-using-buffer-line-after-it-has-been-f.patch

@@ -0,0 +1,22 @@
+diff -up vim80/src/regexp.c.cve1154 vim80/src/regexp.c
+--- vim80/src/regexp.c.cve1154	2022-04-09 12:01:30.054452927 +0200
++++ vim80/src/regexp.c	2022-04-09 12:02:48.987999877 +0200
+@@ -4415,8 +4415,17 @@ regmatch(
+ 		int	mark = OPERAND(scan)[0];
+ 		int	cmp = OPERAND(scan)[1];
+ 		pos_T	*pos;
++		size_t	col = REG_MULTI ? reginput - regline : 0;
+ 
+ 		pos = getmark_buf(rex.reg_buf, mark, FALSE);
++
++		// Line may have been freed, get it again.
++		if (REG_MULTI)
++		{
++		    regline = reg_getline(reglnum);
++		    reginput = regline + col;
++		}
++
+ 		if (pos == NULL		     /* mark doesn't exist */
+ 			|| pos->lnum <= 0    /* mark isn't set in reg_buf */
+ 			|| (pos->lnum == reglnum + rex.reg_firstlnum
+diff -up vim80/src/testdir/test_regexp_latin.vim.cve1154 vim80/src/testdir/test_regexp_latin.vim

SOURCES/0001-patch-8.2.4919-can-add-invalid-bytes-with-spellgood.patch

@@ -0,0 +1,57 @@
+diff --git a/src/globals.h b/src/globals.h
+index d5320d7..968ba33 100644
+--- a/src/globals.h
++++ b/src/globals.h
+@@ -1657,6 +1657,11 @@ EXTERN int *eval_lavars_used INIT(= NULL);
+ EXTERN int ctrl_break_was_pressed INIT(= FALSE);
+ #endif
+ 
++#ifdef FEAT_SPELL
++EXTERN char e_illegal_character_in_word[]
++	INIT(= N_("E1280: Illegal character in word"));
++#endif
++
+ /*
+  * Optional Farsi support.  Include it here, so EXTERN and INIT are defined.
+  */
+diff --git a/src/mbyte.c b/src/mbyte.c
+index 6d21f11..a7531f1 100644
+--- a/src/mbyte.c
++++ b/src/mbyte.c
+@@ -4034,7 +4034,7 @@ theend:
+     convert_setup(&vimconv, NULL, NULL);
+ }
+ 
+-#if defined(FEAT_GUI_GTK) || defined(PROTO)
++#if defined(FEAT_GUI_GTK) || defined(FEAT_SPELL) || defined(PROTO)
+ /*
+  * Return TRUE if string "s" is a valid utf-8 string.
+  * When "end" is NULL stop at the first NUL.
+diff --git a/src/spellfile.c b/src/spellfile.c
+index 496e07f..92997ef 100644
+--- a/src/spellfile.c
++++ b/src/spellfile.c
+@@ -4441,6 +4441,10 @@ store_word(
+     int		res = OK;
+     char_u	*p;
+ 
++    // Avoid adding illegal bytes to the word tree.
++    if (enc_utf8 && !utf_valid_string(word, NULL))
++	return FAIL;
++
+     (void)spell_casefold(word, len, foldword, MAXWLEN);
+     for (p = pfxlist; res == OK; ++p)
+     {
+@@ -6251,6 +6255,12 @@ spell_add_word(
+     int		i;
+     char_u	*spf;
+ 
++    if (enc_utf8 && !utf_valid_string(word, NULL))
++    {
++	EMSG(_(e_illegal_character_in_word));
++	return;
++    }
++
+     if (idx == 0)	    /* use internal wordlist */
+     {
+ 	if (int_wordlist == NULL)

SOURCES/0001-patch-8.2.4925-trailing-backslash-may-cause-reading-.patch

@@ -0,0 +1,15 @@
+diff -up vim80/src/search.c.cve1629 vim80/src/search.c
+--- vim80/src/search.c.cve1629	2022-05-24 13:55:06.789859865 +0200
++++ vim80/src/search.c	2022-05-24 13:56:31.889218958 +0200
+@@ -4349,7 +4349,11 @@ find_next_quote(
+ 	if (c == NUL)
+ 	    return -1;
+ 	else if (escape != NULL && vim_strchr(escape, c))
++	{
+ 	    ++col;
++	    if (line[col] == NUL)
++		return -1;
++	}
+ 	else if (c == quotechar)
+ 	    break;
+ #ifdef FEAT_MBYTE

SOURCES/0001-patch-8.2.4977-memory-access-error-when-substitute-e.patch

@@ -0,0 +1,57 @@
+diff -up vim80/src/ex_cmds.c.cve1785 vim80/src/ex_cmds.c
+--- vim80/src/ex_cmds.c.cve1785	2022-06-10 10:46:33.818286626 +0200
++++ vim80/src/ex_cmds.c	2022-06-10 10:58:04.009515524 +0200
+@@ -5486,12 +5486,17 @@ do_sub(exarg_T *eap)
+ 		/* Save flags for recursion.  They can change for e.g.
+ 		 * :s/^/\=execute("s#^##gn") */
+ 		subflags_save = subflags;
++
++		// Disallow changing text or switching window in an expression.
++		++textlock;
+ #endif
+ 		/* get length of substitution part */
+ 		sublen = vim_regsub_multi(&regmatch,
+ 				    sub_firstlnum - regmatch.startpos[0].lnum,
+ 				    sub, sub_firstline, FALSE, p_magic, TRUE);
+ #ifdef FEAT_EVAL
++		--textlock;
++
+ 		/* Don't keep flags set by a recursive call. */
+ 		subflags = subflags_save;
+ 		if (subflags.do_count)
+@@ -5570,9 +5575,15 @@ do_sub(exarg_T *eap)
+ 		mch_memmove(new_end, sub_firstline + copycol, (size_t)copy_len);
+ 		new_end += copy_len;
+ 
++#ifdef FEAT_EVAL
++		++textlock;
++#endif
+ 		(void)vim_regsub_multi(&regmatch,
+ 				    sub_firstlnum - regmatch.startpos[0].lnum,
+ 					   sub, new_end, TRUE, p_magic, TRUE);
++#ifdef FEAT_EVAL
++		--textlock;
++#endif
+ 		sub_nsubs++;
+ 		did_sub = TRUE;
+ 
+diff -up vim80/src/testdir/test_substitute.vim.cve1785 vim80/src/testdir/test_substitute.vim
+--- vim80/src/testdir/test_substitute.vim.cve1785	2022-06-10 10:46:33.818286626 +0200
++++ vim80/src/testdir/test_substitute.vim	2022-06-10 10:59:17.168437630 +0200
+@@ -500,3 +500,16 @@ func Test_sub_cmd_8()
+   enew!
+   set titlestring&
+ endfunc
++
++" This was switching windows in between computing the length and using it.
++func Test_sub_change_window()
++  silent! lfile
++  sil! norm o0000000000000000000000000000000000000000000000000000
++  func Repl()
++    lopen
++  endfunc
++  silent!  s/\%')/\=Repl()
++  bwipe!
++  bwipe!
++  delfunc Repl
++endfunc

SOURCES/0001-patch-8.2.5023-substitute-overwrites-allocated-buffe.patch

@@ -0,0 +1,120 @@
+diff -up vim80/src/normal.c.cve1897 vim80/src/normal.c
+--- vim80/src/normal.c.cve1897	2022-06-13 14:50:22.800290132 +0200
++++ vim80/src/normal.c	2022-06-13 14:55:06.082861349 +0200
+@@ -532,6 +532,22 @@ find_command(int cmdchar)
+ }
+ 
+ /*
++ * If currently editing a cmdline or text is locked: beep and give an error
++ * message, return TRUE.
++ */
++    static int
++check_text_locked(oparg_T *oap)
++{
++    if (text_locked())
++    {
++	clearopbeep(oap);
++	text_locked_msg();
++	return TRUE;
++    }
++    return FALSE;
++}
++
++/*
+  * Execute a command in Normal mode.
+  */
+     void
+@@ -792,14 +808,9 @@ getcount:
+ 	goto normal_end;
+     }
+ 
+-    if (text_locked() && (nv_cmds[idx].cmd_flags & NV_NCW))
+-    {
+-	/* This command is not allowed while editing a cmdline: beep. */
+-	clearopbeep(oap);
+-	text_locked_msg();
+-	goto normal_end;
+-    }
+-    if ((nv_cmds[idx].cmd_flags & NV_NCW) && curbuf_locked())
++    if ((nv_cmds[idx].cmd_flags & NV_NCW)
++				&& (check_text_locked(oap) || curbuf_locked()))
++	// this command is not allowed now
+ 	goto normal_end;
+ 
+     /*
+@@ -6234,12 +6245,8 @@ nv_gotofile(cmdarg_T *cap)
+     char_u	*ptr;
+     linenr_T	lnum = -1;
+ 
+-    if (text_locked())
+-    {
+-	clearopbeep(cap->oap);
+-	text_locked_msg();
++    if (check_text_locked(cap->oap))
+ 	return;
+-    }
+     if (curbuf_locked())
+     {
+ 	clearop(cap->oap);
+@@ -8420,14 +8427,7 @@ nv_g_cmd(cmdarg_T *cap)
+ 
+     /* "gQ": improved Ex mode */
+     case 'Q':
+-	if (text_locked())
+-	{
+-	    clearopbeep(cap->oap);
+-	    text_locked_msg();
+-	    break;
+-	}
+-
+-	if (!checkclearopq(oap))
++	if (!check_text_locked(cap->oap) && !checkclearopq(oap))
+ 	    do_exmode(TRUE);
+ 	break;
+ 
+diff -up vim80/src/testdir/test_substitute.vim.cve1897 vim80/src/testdir/test_substitute.vim
+--- vim80/src/testdir/test_substitute.vim.cve1897	2022-06-13 14:50:22.849290402 +0200
++++ vim80/src/testdir/test_substitute.vim	2022-06-13 14:55:50.370111134 +0200
+@@ -513,3 +513,26 @@ func Test_sub_change_window()
+   bwipe!
+   delfunc Repl
+ endfunc
++
++" This was undoign a change in between computing the length and using it.
++func Do_Test_sub_undo_change()
++  new
++  norm o0000000000000000000000000000000000000000000000000000
++  silent! s/\%')/\=Repl()
++  bwipe!
++endfunc
++
++func Test_sub_undo_change()
++  func Repl()
++    silent! norm g-
++  endfunc
++  call Do_Test_sub_undo_change()
++
++  func! Repl()
++    silent earlier
++  endfunc
++  call Do_Test_sub_undo_change()
++
++  delfunc Repl
++endfunc
++
+diff -up vim80/src/undo.c.cve1897 vim80/src/undo.c
+--- vim80/src/undo.c.cve1897	2022-06-13 14:50:22.849290402 +0200
++++ vim80/src/undo.c	2022-06-13 14:56:57.916492090 +0200
+@@ -2283,6 +2283,12 @@ undo_time(
+     if (curbuf->b_u_synced == FALSE)
+ 	u_sync(TRUE);
+ 
++    if (text_locked())
++    {
++	text_locked_msg();
++	return;
++    }
++
+     u_newcount = 0;
+     u_oldcount = 0;
+     if (curbuf->b_ml.ml_flags & ML_EMPTY)

SOURCES/0001-patch-8.2.5037-cursor-position-may-be-invalid-after-.patch

@@ -0,0 +1,85 @@
+diff -up vim80/src/ex_docmd.c.cve1927 vim80/src/ex_docmd.c
+--- vim80/src/ex_docmd.c.cve1927	2022-06-13 16:31:41.841068554 +0200
++++ vim80/src/ex_docmd.c	2022-06-13 16:37:02.789876973 +0200
+@@ -1720,6 +1720,8 @@ do_one_cmd(
+     int			ni;			/* set when Not Implemented */
+     char_u		*cmd;
+     int			address_count = 1;
++    int			need_check_cursor = FALSE;
++    int			ret_addr = FAIL;
+ 
+     vim_memset(&ea, 0, sizeof(ea));
+     ea.line1 = 1;
+@@ -2084,7 +2086,7 @@ do_one_cmd(
+ 	lnum = get_address(&ea, &ea.cmd, ea.addr_type, ea.skip,
+ 					  ea.addr_count == 0, address_count++);
+ 	if (ea.cmd == NULL)		    /* error detected */
+-	    goto doend;
++	    goto addr_end;
+ 	if (lnum == MAXLNUM)
+ 	{
+ 	    if (*ea.cmd == '%')		    /* '%' - all lines */
+@@ -2128,12 +2130,12 @@ do_one_cmd(
+ 			    /* there is no Vim command which uses '%' and
+ 			     * ADDR_WINDOWS or ADDR_TABS */
+ 			    errormsg = (char_u *)_(e_invrange);
+-			    goto doend;
++			    goto addr_end;
+ 			}
+ 			break;
+ 		    case ADDR_TABS_RELATIVE:
+ 			errormsg = (char_u *)_(e_invrange);
+-			goto doend;
++			goto addr_end;
+ 			break;
+ 		    case ADDR_ARGUMENTS:
+ 			if (ARGCOUNT == 0)
+@@ -2163,7 +2165,7 @@ do_one_cmd(
+ 		if (ea.addr_type != ADDR_LINES)
+ 		{
+ 		    errormsg = (char_u *)_(e_invrange);
+-		    goto doend;
++		    goto addr_end;
+ 		}
+ 
+ 		++ea.cmd;
+@@ -2171,11 +2173,11 @@ do_one_cmd(
+ 		{
+ 		    fp = getmark('<', FALSE);
+ 		    if (check_mark(fp) == FAIL)
+-			goto doend;
++			goto addr_end;
+ 		    ea.line1 = fp->lnum;
+ 		    fp = getmark('>', FALSE);
+ 		    if (check_mark(fp) == FAIL)
+-			goto doend;
++			goto addr_end;
+ 		    ea.line2 = fp->lnum;
+ 		    ++ea.addr_count;
+ 		}
+@@ -2190,8 +2192,11 @@ do_one_cmd(
+ 	    if (!ea.skip)
+ 	    {
+ 		curwin->w_cursor.lnum = ea.line2;
++
+ 		/* don't leave the cursor on an illegal line or column */
++		// Check the cursor position before returning.
+ 		check_cursor();
++		need_check_cursor = TRUE;
+ 	    }
+ 	}
+ 	else if (*ea.cmd != ',')
+@@ -2208,6 +2213,13 @@ do_one_cmd(
+ 	    ea.addr_count = 0;
+     }
+ 
++    ret_addr = OK;
++
++addr_end:
++    if (need_check_cursor)
++	check_cursor();
++    if (ret_addr == FAIL)
++	goto doend;
+ /*
+  * 5. Parse the command.
+  */

SPECS/vim.spec

@@ -24,7 +24,7 @@ Summary: The VIM editor
 URL:     http://www.vim.org/
 Name: vim
 Version: %{baseversion}.%{patchlevel}
-Release: 16%{?dist}.12
+Release: 19%{?dist}.4
 License: Vim and MIT
 Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2
 Source1: vim.sh
@@ -75,9 +75,9 @@ Patch3019: 0001-patch-8.1.1365-source-command-doesn-t-check-for-the-.patch
 Patch3020: vim-crypto-warning.patch
 # 1842755 - CVE-2019-20807
 Patch3021: 0001-patch-8.1.0881-can-execute-shell-commands-in-rvim-th.patch
-# 2004974 - CVE-2021-3796 vim: use-after-free in nv_replace() in normal.c [rhel-8.5.0]
+# 2004975 - CVE-2021-3796 vim: use-after-free in nv_replace() in normal.c [rhel-8.6.0]
 Patch3022: vim-cve3796.patch
-# 2004891 - CVE-2021-3778 vim: heap-based buffer overflow in utf_ptr2char() in mbyte.c [rhel-8.5.0]
+# 2004892 - CVE-2021-3778 vim: heap-based buffer overflow in utf_ptr2char() in mbyte.c [rhel-8.6.0]
 Patch3023: vim-cve3778-fix.patch
 Patch3024: 0001-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch
 # 2028341 - CVE-2021-3984 vim: illegal memory access when C-indenting could lead to Heap Buffer Overflow [rhel-8.6.0]
@@ -100,6 +100,18 @@ Patch3032: 0001-patch-8.2.4218-illegal-memory-access-with-bracketed-.patch
 Patch3033: 0001-patch-8.2.4253-using-freed-memory-when-substitute-wi.patch
 # CVE-2022-0361 vim: Heap-based Buffer Overflow in GitHub repository
 Patch3034: 0001-patch-8.2.4215-illegal-memory-access-when-copying-li.patch
+# CVE-2022-1154 vim: use after free in utf_ptr2char
+Patch3035: 0001-patch-8.2.4646-using-buffer-line-after-it-has-been-f.patch
+# CVE-2022-1621 vim: heap buffer overflow
+Patch3036: 0001-patch-8.2.4919-can-add-invalid-bytes-with-spellgood.patch
+# CVE-2022-1629 vim: buffer over-read
+Patch3037: 0001-patch-8.2.4925-trailing-backslash-may-cause-reading-.patch
+# CVE-2022-1785 vim: Out-of-bounds Write
+Patch3038: 0001-patch-8.2.4977-memory-access-error-when-substitute-e.patch
+# CVE-2022-1897 vim: out-of-bounds write in vim_regsub_both() in regexp.c
+Patch3039: 0001-patch-8.2.5023-substitute-overwrites-allocated-buffe.patch
+# CVE-2022-1927 vim: buffer over-read in utf_ptr2char() in mbyte.c
+Patch3040: 0001-patch-8.2.5037-cursor-position-may-be-invalid-after-.patch
 
 # gcc is no longer in buildroot by default
 BuildRequires: gcc
@@ -311,6 +323,12 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
 %patch3032 -p1 -b .cve0392
 %patch3033 -p1 -b .cve0413
 %patch3034 -p1 -b .cve0361
+%patch3035 -p1 -b .cve1154
+%patch3036 -p1 -b .cve1621
+%patch3037 -p1 -b .cve1629
+%patch3038 -p1 -b .cve1785
+%patch3039 -p1 -b .cve1897
+%patch3040 -p1 -b .cve1927
 
 %build
 %if 0%{?rhel} > 7
@@ -829,54 +847,50 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
 %{_datadir}/icons/locolor/*/apps/*
 
 %changelog
-* Tue Feb 08 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-16.12
+* Tue Jun 14 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-19.4
+- fix issue reported by covscan
+
+* Mon Jun 13 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-19.3
+- CVE-2022-1785 vim: Out-of-bounds Write
+- CVE-2022-1897 vim: out-of-bounds write in vim_regsub_both() in regexp.c
+- CVE-2022-1927 vim: buffer over-read in utf_ptr2char() in mbyte.c
+
+* Wed May 25 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-19.2
+- CVE-2022-1621 vim: heap buffer overflow
+- CVE-2022-1629 vim: buffer over-read
+
+* Sat Apr 09 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-19.1
+- CVE-2022-1154 vim: use after free in utf_ptr2char
+
+* Tue Feb 08 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-19
 - CVE-2022-0361 vim: Heap-based Buffer Overflow in GitHub repository
 
-* Fri Feb 04 2022 Tomas Korbar <tkorbar@redhat.com> - 2:8.0.1763-16.11
-- CVE-2022-0413 vim: use after free in src/ex_cmds.c
-- Fix specfile problems
-- Resolves: rhbz#2048525
-
-* Thu Feb 03 2022 Tomas Korbar <tkorbar@redhat.com> - 2:8.0.1763-16.10
-- CVE-2022-0413 vim: use after free in src/ex_cmds.c
-- Resolves: rhbz#2048525
-
-* Wed Feb 02 2022 Tomas Korbar <tkorbar@redhat.com> - 2:8.0.1763-16.9
+* Mon Feb 07 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-18
 - CVE-2022-0392 vim: heap-based buffer overflow in getexmodeline() in ex_getln.c
-- Improve fix
-- Resolves: rhbz#2049403
+- CVE-2022-0413 vim: use after free in src/ex_cmds.c
 
-* Wed Feb 02 2022 Tomas Korbar <tkorbar@redhat.com> - 2:8.0.1763-16.8
-- CVE-2022-0392 vim: heap-based buffer overflow in getexmodeline() in ex_getln.c
-- Resolves: rhbz#2049403
-
-* Thu Jan 27 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-16.7
+* Thu Jan 27 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-18
+- fix test suite after fix for CVE-2022-0318
 - CVE-2022-0359 vim: heap-based buffer overflow in init_ccline() in ex_getln.c
 
-* Thu Jan 27 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-16.6
-- fix test suite after fix for CVE-2022-0318
-
-* Wed Jan 26 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-16.5
+* Wed Jan 12 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-18
 - CVE-2022-0261 vim: Heap-based Buffer Overflow in block_insert() in src/ops.c
 - CVE-2022-0318 vim: heap-based buffer overflow in utf_head_off() in mbyte.c
 
-* Wed Jan 12 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-16.4
+* Wed Jan 12 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-18
 - CVE-2021-4193 vim: vulnerable to Out-of-bounds Read
 - CVE-2021-4192 vim: vulnerable to Use After Free
 
-* Fri Dec 03 2021 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-16.3
+* Fri Dec 03 2021 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-18
 - 2028341 - CVE-2021-3984 vim: illegal memory access when C-indenting could lead to Heap Buffer Overflow [rhel-8.6.0]
 - 2028430 - CVE-2021-4019 vim: heap-based buffer overflow in find_help_tags() in src/help.c [rhel-8.6.0]
 
-* Tue Oct 26 2021 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-16.2
-- remove the upstream test - uses a feature which is not presented in RHEL 8
+* Tue Oct 26 2021 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-17
+- 2016201 - CVE-2021-3872 vim: heap-based buffer overflow in win_redr_status() drawscreen.c [rhel-8.6.0]
 
-* Tue Oct 26 2021 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-16.1
-- CVE-2021-3872 vim: heap-based buffer overflow in win_redr_status() drawscreen.c [rhel-8.6.0]
-
-* Mon Sep 20 2021 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-16
-- 2004974 - CVE-2021-3796 vim: use-after-free in nv_replace() in normal.c [rhel-8.5.0]
-- 2004891 - CVE-2021-3778 vim: heap-based buffer overflow in utf_ptr2char() in mbyte.c [rhel-8.5.0]
+* Thu Sep 23 2021 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-16
+- 2004975 - CVE-2021-3796 vim: use-after-free in nv_replace() in normal.c [rhel-8.6.0]
+- 2004892 - CVE-2021-3778 vim: heap-based buffer overflow in utf_ptr2char() in mbyte.c [rhel-8.6.0]
 
 * Tue Jun 02 2020 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-15
 - 1842755 - CVE-2019-20807