From fa892fc4387f354ef824a2a6b3ee0989259b9936 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Tue, 27 Sep 2022 16:58:56 -0400
Subject: [PATCH] import vim-8.0.1763-19.el8_6.4
---
 ...sing-buffer-line-after-it-has-been-f.patch | 22 ++++
 ...can-add-invalid-bytes-with-spellgood.patch | 57 +++++++++
 ...railing-backslash-may-cause-reading-.patch | 15 +++
 ...emory-access-error-when-substitute-e.patch | 57 +++++++++
 ...ubstitute-overwrites-allocated-buffe.patch | 120 ++++++++++++++++++
 ...ursor-position-may-be-invalid-after-.patch | 85 +++++++++++++
 SPECS/vim.spec | 84 +++++++-----
 7 files changed, 405 insertions(+), 35 deletions(-)
 create mode 100644 SOURCES/0001-patch-8.2.4646-using-buffer-line-after-it-has-been-f.patch
 create mode 100644 SOURCES/0001-patch-8.2.4919-can-add-invalid-bytes-with-spellgood.patch
 create mode 100644 SOURCES/0001-patch-8.2.4925-trailing-backslash-may-cause-reading-.patch
 create mode 100644 SOURCES/0001-patch-8.2.4977-memory-access-error-when-substitute-e.patch
 create mode 100644 SOURCES/0001-patch-8.2.5023-substitute-overwrites-allocated-buffe.patch
 create mode 100644 SOURCES/0001-patch-8.2.5037-cursor-position-may-be-invalid-after-.patch
diff --git a/SOURCES/0001-patch-8.2.4646-using-buffer-line-after-it-has-been-f.patch b/SOURCES/0001-patch-8.2.4646-using-buffer-line-after-it-has-been-f.patch
new file mode 100644
index 0000000..a2eb48b
--- /dev/null
+++ b/SOURCES/0001-patch-8.2.4646-using-buffer-line-after-it-has-been-f.patch
@@ -0,0 +1,22 @@
+diff -up vim80/src/regexp.c.cve1154 vim80/src/regexp.c
+--- vim80/src/regexp.c.cve1154 2022-04-09 12:01:30.054452927 +0200
++++ vim80/src/regexp.c 2022-04-09 12:02:48.987999877 +0200
+@@ -4415,8 +4415,17 @@ regmatch(
+ int mark = OPERAND(scan)[0];
+ int cmp = OPERAND(scan)[1];
+ pos_T *pos;
++ size_t col = REG_MULTI ? reginput - regline : 0;
+
+ pos = getmark_buf(rex.reg_buf, mark, FALSE);
++
++ // Line may have been freed, get it again.
++ if (REG_MULTI)
++ {
++ regline = reg_getline(reglnum);
++ reginput = regline + col;
++ }
++
+ if (pos == NULL /* mark doesn't exist */
+ || pos->lnum <= 0 /* mark isn't set in reg_buf */
+ || (pos->lnum == reglnum + rex.reg_firstlnum
+diff -up vim80/src/testdir/test_regexp_latin.vim.cve1154 vim80/src/testdir/test_regexp_latin.vim
diff --git a/SOURCES/0001-patch-8.2.4919-can-add-invalid-bytes-with-spellgood.patch b/SOURCES/0001-patch-8.2.4919-can-add-invalid-bytes-with-spellgood.patch
new file mode 100644
index 0000000..b887afe
--- /dev/null
+++ b/SOURCES/0001-patch-8.2.4919-can-add-invalid-bytes-with-spellgood.patch
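Review bot: The CVE-2022-1154 backport for `regmatch()` in `regexp.c` carries no regression test: the patch file ends with a bare `diff -up` header for `test_regexp_latin.vim` that has no hunk under it, so no test in this commit exercises the re-fetch of `regline` after `getmark_buf()`. The 8.2.4919, 8.2.4925 and 8.2.5037 patch files added by this commit likewise change only source files. If the upstream tests were left out on purpose, record that next to the patch entry in `vim.spec`, e.g. `# upstream test omitted: <reason>`, and drop the empty file header from the patch. `regmatch()` begins and ends outside the hunk.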
@@ -0,0 +1,57 @@
+diff --git a/src/globals.h b/src/globals.h
+index d5320d7..968ba33 100644
+--- a/src/globals.h
++++ b/src/globals.h
+@@ -1657,6 +1657,11 @@ EXTERN int *eval_lavars_used INIT(= NULL);
+ EXTERN int ctrl_break_was_pressed INIT(= FALSE);
+ #endif
+
++#ifdef FEAT_SPELL
++EXTERN char e_illegal_character_in_word[]
++ INIT(= N_("E1280: Illegal character in word"));
++#endif
++
+ /*
+ * Optional Farsi support. Include it here, so EXTERN and INIT are defined.
+ */
+diff --git a/src/mbyte.c b/src/mbyte.c
+index 6d21f11..a7531f1 100644
+--- a/src/mbyte.c
++++ b/src/mbyte.c
+@@ -4034,7 +4034,7 @@ theend:
+ convert_setup(&vimconv, NULL, NULL);
+ }
+
+-#if defined(FEAT_GUI_GTK) || defined(PROTO)
++#if defined(FEAT_GUI_GTK) || defined(FEAT_SPELL) || defined(PROTO)
+ /*
+ * Return TRUE if string "s" is a valid utf-8 string.
+ * When "end" is NULL stop at the first NUL.
+diff --git a/src/spellfile.c b/src/spellfile.c
+index 496e07f..92997ef 100644
+--- a/src/spellfile.c
++++ b/src/spellfile.c
+@@ -4441,6 +4441,10 @@ store_word(
+ int res = OK;
+ char_u *p;
+
++ // Avoid adding illegal bytes to the word tree.
++ if (enc_utf8 && !utf_valid_string(word, NULL))
++ return FAIL;
++
+ (void)spell_casefold(word, len, foldword, MAXWLEN);
+ for (p = pfxlist; res == OK; ++p)
+ {
+@@ -6251,6 +6255,12 @@ spell_add_word(
+ int i;
+ char_u *spf;
+
++ if (enc_utf8 && !utf_valid_string(word, NULL))
++ {
++ EMSG(_(e_illegal_character_in_word));
++ return;
++ }
++
+ if (idx == 0) /* use internal wordlist */
+ {
+ if (int_wordlist == NULL)
diff --git a/SOURCES/0001-patch-8.2.4925-trailing-backslash-may-cause-reading-.patch b/SOURCES/0001-patch-8.2.4925-trailing-backslash-may-cause-reading-.patch
new file mode 100644
index 0000000..6ce497f
--- /dev/null
+++ b/SOURCES/0001-patch-8.2.4925-trailing-backslash-may-cause-reading-.patch
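Review bot: The guard added to `store_word()` in `spellfile.c` returns `FAIL` without any message, while the matching guard in `spell_add_word()` reports `e_illegal_character_in_word`; how callers of `store_word()` treat `FAIL` is outside the hunk, so a word list containing an invalid UTF-8 sequence may be rejected with no indication of the cause. Either emit the same E1280 message there or say so in the comment, e.g. `// Avoid adding illegal bytes to the word tree; the caller sees FAIL without a message.` Both checks pass `NULL` as the end pointer, so per the `mbyte.c` comment they validate up to the first NUL rather than a caller-supplied length; confirm that is the intended range for `spell_add_word()`, whose parameter list is not visible here.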
@@ -0,0 +1,15 @@
+diff -up vim80/src/search.c.cve1629 vim80/src/search.c
+--- vim80/src/search.c.cve1629 2022-05-24 13:55:06.789859865 +0200
++++ vim80/src/search.c 2022-05-24 13:56:31.889218958 +0200
+@@ -4349,7 +4349,11 @@ find_next_quote(
+ if (c == NUL)
+ return -1;
+ else if (escape != NULL && vim_strchr(escape, c))
++ {
+ ++col;
++ if (line[col] == NUL)
++ return -1;
++ }
+ else if (c == quotechar)
+ break;
+ #ifdef FEAT_MBYTE
diff --git a/SOURCES/0001-patch-8.2.4977-memory-access-error-when-substitute-e.patch b/SOURCES/0001-patch-8.2.4977-memory-access-error-when-substitute-e.patch
new file mode 100644
index 0000000..2391a5f
--- /dev/null
+++ b/SOURCES/0001-patch-8.2.4977-memory-access-error-when-substitute-e.patch
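Review bot: The new `if (line[col] == NUL) return -1;` after `++col` in `find_next_quote()` has no comment saying why the scan must stop there; without one it reads like a duplicate of the `c == NUL` test a few lines up. A one-line comment such as `// escape character at end of line: nothing follows it, so there is no closing quote` would record that this is the over-read guard for a trailing backslash. `find_next_quote()` begins and ends outside the hunk, so how `col` advances after this branch is not visible here.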
@@ -0,0 +1,57 @@
+diff -up vim80/src/ex_cmds.c.cve1785 vim80/src/ex_cmds.c
+--- vim80/src/ex_cmds.c.cve1785 2022-06-10 10:46:33.818286626 +0200
++++ vim80/src/ex_cmds.c 2022-06-10 10:58:04.009515524 +0200
+@@ -5486,12 +5486,17 @@ do_sub(exarg_T *eap)
+ /* Save flags for recursion. They can change for e.g.
+ * :s/^/\=execute("s#^##gn") */
+ subflags_save = subflags;
++
++ // Disallow changing text or switching window in an expression.
++ ++textlock;
+ #endif
+ /* get length of substitution part */
+ sublen = vim_regsub_multi(®match,
+ sub_firstlnum - regmatch.startpos[0].lnum,
+ sub, sub_firstline, FALSE, p_magic, TRUE);
+ #ifdef FEAT_EVAL
++ --textlock;
++
+ /* Don't keep flags set by a recursive call. */
+ subflags = subflags_save;
+ if (subflags.do_count)
+@@ -5570,9 +5575,15 @@ do_sub(exarg_T *eap)
+ mch_memmove(new_end, sub_firstline + copycol, (size_t)copy_len);
+ new_end += copy_len;
+
++#ifdef FEAT_EVAL
++ ++textlock;
++#endif
+ (void)vim_regsub_multi(®match,
+ sub_firstlnum - regmatch.startpos[0].lnum,
+ sub, new_end, TRUE, p_magic, TRUE);
++#ifdef FEAT_EVAL
++ --textlock;
++#endif
+ sub_nsubs++;
+ did_sub = TRUE;
+
+diff -up vim80/src/testdir/test_substitute.vim.cve1785 vim80/src/testdir/test_substitute.vim
+--- vim80/src/testdir/test_substitute.vim.cve1785 2022-06-10 10:46:33.818286626 +0200
++++ vim80/src/testdir/test_substitute.vim 2022-06-10 10:59:17.168437630 +0200
+@@ -500,3 +500,16 @@ func Test_sub_cmd_8()
+ enew!
+ set titlestring&
+ endfunc
++
++" This was switching windows in between computing the length and using it.
++func Test_sub_change_window()
++ silent! lfile
++ sil! norm o0000000000000000000000000000000000000000000000000000
++ func Repl()
++ lopen
++ endfunc
++ silent! s/\%')/\=Repl()
++ bwipe!
++ bwipe!
++ delfunc Repl
++endfunc
diff --git a/SOURCES/0001-patch-8.2.5023-substitute-overwrites-allocated-buffe.patch b/SOURCES/0001-patch-8.2.5023-substitute-overwrites-allocated-buffe.patch
new file mode 100644
index 0000000..5475937
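Review bot: The `++textlock`/`--textlock` pairs added around `vim_regsub_multi()` in `do_sub()` only protect against code that itself tests `text_locked()`; the 8.2.5023 patch in this same commit has to add exactly such a test to `undo_time()`, so other commands reachable from a `\=` expression may still lack one. That limit is worth stating where the lock is taken, e.g. `// Advisory lock: only commands that check text_locked() are refused.` next to the existing comment. The second pair, around the copy pass in the `@@ -5570` hunk, has no comment at all; `// Keep the same lock for the copy pass.` would do. `do_sub()` begins and ends outside both hunks.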
--- /dev/null
+++ b/SOURCES/0001-patch-8.2.5023-substitute-overwrites-allocated-buffe.patch
@@ -0,0 +1,120 @@
+diff -up vim80/src/normal.c.cve1897 vim80/src/normal.c
+--- vim80/src/normal.c.cve1897 2022-06-13 14:50:22.800290132 +0200
++++ vim80/src/normal.c 2022-06-13 14:55:06.082861349 +0200
+@@ -532,6 +532,22 @@ find_command(int cmdchar)
+ }
+
+ /*
++ * If currently editing a cmdline or text is locked: beep and give an error
++ * message, return TRUE.
++ */
++ static int
++check_text_locked(oparg_T *oap)
++{
++ if (text_locked())
++ {
++ clearopbeep(oap);
++ text_locked_msg();
++ return TRUE;
++ }
++ return FALSE;
++}
++
++/*
+ * Execute a command in Normal mode.
+ */
+ void
+@@ -792,14 +808,9 @@ getcount:
+ goto normal_end;
+ }
+
+- if (text_locked() && (nv_cmds[idx].cmd_flags & NV_NCW))
+- {
+- /* This command is not allowed while editing a cmdline: beep. */
+- clearopbeep(oap);
+- text_locked_msg();
+- goto normal_end;
+- }
+- if ((nv_cmds[idx].cmd_flags & NV_NCW) && curbuf_locked())
++ if ((nv_cmds[idx].cmd_flags & NV_NCW)
++ && (check_text_locked(oap) || curbuf_locked()))
++ // this command is not allowed now
+ goto normal_end;
+
+ /*
+@@ -6234,12 +6245,8 @@ nv_gotofile(cmdarg_T *cap)
+ char_u *ptr;
+ linenr_T lnum = -1;
+
+- if (text_locked())
+- {
+- clearopbeep(cap->oap);
+- text_locked_msg();
++ if (check_text_locked(cap->oap))
+ return;
+- }
+ if (curbuf_locked())
+ {
+ clearop(cap->oap);
+@@ -8420,14 +8427,7 @@ nv_g_cmd(cmdarg_T *cap)
+
+ /* "gQ": improved Ex mode */
+ case 'Q':
+- if (text_locked())
+- {
+- clearopbeep(cap->oap);
+- text_locked_msg();
+- break;
+- }
+-
+- if (!checkclearopq(oap))
++ if (!check_text_locked(cap->oap) && !checkclearopq(oap))
+ do_exmode(TRUE);
+ break;
+
+diff -up vim80/src/testdir/test_substitute.vim.cve1897 vim80/src/testdir/test_substitute.vim
+--- vim80/src/testdir/test_substitute.vim.cve1897 2022-06-13 14:50:22.849290402 +0200
++++ vim80/src/testdir/test_substitute.vim 2022-06-13 14:55:50.370111134 +0200
+@@ -513,3 +513,26 @@ func Test_sub_change_window()
+ bwipe!
+ delfunc Repl
+ endfunc
++
++" This was undoign a change in between computing the length and using it.
++func Do_Test_sub_undo_change()
++ new
++ norm o0000000000000000000000000000000000000000000000000000
++ silent! s/\%')/\=Repl()
++ bwipe!
++endfunc
++
++func Test_sub_undo_change()
++ func Repl()
++ silent! norm g-
++ endfunc
++ call Do_Test_sub_undo_change()
++
++ func! Repl()
++ silent earlier
++ endfunc
++ call Do_Test_sub_undo_change()
++
++ delfunc Repl
++endfunc
++
+diff -up vim80/src/undo.c.cve1897 vim80/src/undo.c
+--- vim80/src/undo.c.cve1897 2022-06-13 14:50:22.849290402 +0200
++++ vim80/src/undo.c 2022-06-13 14:56:57.916492090 +0200
+@@ -2283,6 +2283,12 @@ undo_time(
+ if (curbuf->b_u_synced == FALSE)
+ u_sync(TRUE);
+
++ if (text_locked())
++ {
++ text_locked_msg();
++ return;
++ }
++
+ u_newcount = 0;
+ u_oldcount = 0;
+ if (curbuf->b_ml.ml_flags & ML_EMPTY)
diff --git a/SOURCES/0001-patch-8.2.5037-cursor-position-may-be-invalid-after-.patch b/SOURCES/0001-patch-8.2.5037-cursor-position-may-be-invalid-after-.patch
new file mode 100644
index 0000000..bd20285
--- /dev/null
+++ b/SOURCES/0001-patch-8.2.5037-cursor-position-may-be-invalid-after-.patch
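Review bot: In the `undo.c` hunk the new `text_locked()` test sits after `if (curbuf->b_u_synced == FALSE) u_sync(TRUE);`, so `undo_time()` still syncs the undo state while the text is locked and only then refuses. Whether `u_sync()` is harmless at that point cannot be judged from this hunk; if the intent is that a locked `undo_time()` does nothing, the added block should move above the `b_u_synced` test. If the current order is deliberate, a comment such as `// Text is locked: refuse to undo/redo (the sync above is intentional).` would record it. The start of `undo_time()` is outside the hunk.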
@@ -0,0 +1,85 @@
+diff -up vim80/src/ex_docmd.c.cve1927 vim80/src/ex_docmd.c
+--- vim80/src/ex_docmd.c.cve1927 2022-06-13 16:31:41.841068554 +0200
++++ vim80/src/ex_docmd.c 2022-06-13 16:37:02.789876973 +0200
+@@ -1720,6 +1720,8 @@ do_one_cmd(
+ int ni; /* set when Not Implemented */
+ char_u *cmd;
+ int address_count = 1;
++ int need_check_cursor = FALSE;
++ int ret_addr = FAIL;
+
+ vim_memset(&ea, 0, sizeof(ea));
+ ea.line1 = 1;
+@@ -2084,7 +2086,7 @@ do_one_cmd(
+ lnum = get_address(&ea, &ea.cmd, ea.addr_type, ea.skip,
+ ea.addr_count == 0, address_count++);
+ if (ea.cmd == NULL) /* error detected */
+- goto doend;
++ goto addr_end;
+ if (lnum == MAXLNUM)
+ {
+ if (*ea.cmd == '%') /* '%' - all lines */
+@@ -2128,12 +2130,12 @@ do_one_cmd(
+ /* there is no Vim command which uses '%' and
+ * ADDR_WINDOWS or ADDR_TABS */
+ errormsg = (char_u *)_(e_invrange);
+- goto doend;
++ goto addr_end;
+ }
+ break;
+ case ADDR_TABS_RELATIVE:
+ errormsg = (char_u *)_(e_invrange);
+- goto doend;
++ goto addr_end;
+ break;
+ case ADDR_ARGUMENTS:
+ if (ARGCOUNT == 0)
+@@ -2163,7 +2165,7 @@ do_one_cmd(
+ if (ea.addr_type != ADDR_LINES)
+ {
+ errormsg = (char_u *)_(e_invrange);
+- goto doend;
++ goto addr_end;
+ }
+
+ ++ea.cmd;
+@@ -2171,11 +2173,11 @@ do_one_cmd(
+ {
+ fp = getmark('<', FALSE);
+ if (check_mark(fp) == FAIL)
+- goto doend;
++ goto addr_end;
+ ea.line1 = fp->lnum;
+ fp = getmark('>', FALSE);
+ if (check_mark(fp) == FAIL)
+- goto doend;
++ goto addr_end;
+ ea.line2 = fp->lnum;
+ ++ea.addr_count;
+ }
+@@ -2190,8 +2192,11 @@ do_one_cmd(
+ if (!ea.skip)
+ {
+ curwin->w_cursor.lnum = ea.line2;
++
+ /* don't leave the cursor on an illegal line or column */
++ // Check the cursor position before returning.
+ check_cursor();
++ need_check_cursor = TRUE;
+ }
+ }
+ else if (*ea.cmd != ',')
+@@ -2208,6 +2213,13 @@ do_one_cmd(
+ ea.addr_count = 0;
+ }
+
++ ret_addr = OK;
++
++addr_end:
++ if (need_check_cursor)
++ check_cursor();
++ if (ret_addr == FAIL)
++ goto doend;
+ /*
+ * 5. Parse the command.
+ */
diff --git a/SPECS/vim.spec b/SPECS/vim.spec
index 8bd7a1d..712d5ac 100644
--- a/SPECS/vim.spec
+++ b/SPECS/vim.spec
@@ -24,7 +24,7 @@ Summary: The VIM editor
 URL: http://www.vim.org/
 Name: vim
 Version: %{baseversion}.%{patchlevel}
-Release: 16%{?dist}.12
+Release: 19%{?dist}.4
 License: Vim and MIT
 Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2
 Source1: vim.sh
@@ -75,9 +75,9 @@ Patch3019: 0001-patch-8.1.1365-source-command-doesn-t-check-for-the-.patch
 Patch3020: vim-crypto-warning.patch
 # 1842755 - CVE-2019-20807
 Patch3021: 0001-patch-8.1.0881-can-execute-shell-commands-in-rvim-th.patch
-# 2004974 - CVE-2021-3796 vim: use-after-free in nv_replace() in normal.c [rhel-8.5.0]
+# 2004975 - CVE-2021-3796 vim: use-after-free in nv_replace() in normal.c [rhel-8.6.0]
 Patch3022: vim-cve3796.patch
-# 2004891 - CVE-2021-3778 vim: heap-based buffer overflow in utf_ptr2char() in mbyte.c [rhel-8.5.0]
+# 2004892 - CVE-2021-3778 vim: heap-based buffer overflow in utf_ptr2char() in mbyte.c [rhel-8.6.0]
 Patch3023: vim-cve3778-fix.patch
 Patch3024: 0001-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch
 # 2028341 - CVE-2021-3984 vim: illegal memory access when C-indenting could lead to Heap Buffer Overflow [rhel-8.6.0]
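Review bot: In the `@@ -2190` hunk of `ex_docmd.c` the added comment `// Check the cursor position before returning.` is placed above the existing immediate `check_cursor();`, right under the older `/* don't leave the cursor on an illegal line or column */`, although what it describes is the deferred check at `addr_end`. Attach it to the flag instead, `need_check_cursor = TRUE;  // re-checked at addr_end`, and leave the old comment on the immediate call. Separately, `ret_addr` starts as `FAIL` and becomes `OK` only on the fall-through path just before `addr_end:`, which is easy to misread; a comment at its declaration such as `// FAIL until address parsing completes` would help. `do_one_cmd()` begins and ends outside these hunks, so any remaining `goto doend` between the cursor move and `addr_end` cannot be checked here.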
@@ -100,6 +100,18 @@ Patch3032: 0001-patch-8.2.4218-illegal-memory-access-with-bracketed-.patch Patch3033: 0001-patch-8.2.4253-using-freed-memory-when-substitute-wi.patch # CVE-2022-0361 vim: Heap-based Buffer Overflow in GitHub repository Patch3034: 0001-patch-8.2.4215-illegal-memory-access-when-copying-li.patch +# CVE-2022-1154 vim: use after free in utf_ptr2char +Patch3035: 0001-patch-8.2.4646-using-buffer-line-after-it-has-been-f.patch +# CVE-2022-1621 vim: heap buffer overflow +Patch3036: 0001-patch-8.2.4919-can-add-invalid-bytes-with-spellgood.patch +# CVE-2022-1629 vim: buffer over-read +Patch3037: 0001-patch-8.2.4925-trailing-backslash-may-cause-reading-.patch +# CVE-2022-1785 vim: Out-of-bounds Write +Patch3038: 0001-patch-8.2.4977-memory-access-error-when-substitute-e.patch +# CVE-2022-1897 vim: out-of-bounds write in vim_regsub_both() in regexp.c +Patch3039: 0001-patch-8.2.5023-substitute-overwrites-allocated-buffe.patch +# CVE-2022-1927 vim: buffer over-read in utf_ptr2char() in mbyte.c +Patch3040: 0001-patch-8.2.5037-cursor-position-may-be-invalid-after-.patch # gcc is no longer in buildroot by default BuildRequires: gcc @@ -311,6 +323,12 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk %patch3032 -p1 -b .cve0392 %patch3033 -p1 -b .cve0413 %patch3034 -p1 -b .cve0361 +%patch3035 -p1 -b .cve1154 +%patch3036 -p1 -b .cve1621 +%patch3037 -p1 -b .cve1629 +%patch3038 -p1 -b .cve1785 +%patch3039 -p1 -b .cve1897 +%patch3040 -p1 -b .cve1927 %build %if 0%{?rhel} > 7 
@@ -829,54 +847,50 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags %{_datadir}/icons/locolor/*/apps/* %changelog -* Tue Feb 08 2022 Zdenek Dohnal - 2:8.0.1763-16.12 +* Tue Jun 14 2022 Zdenek Dohnal - 2:8.0.1763-19.4 +- fix issue reported by covscan + +* Mon Jun 13 2022 Zdenek Dohnal - 2:8.0.1763-19.3 +- CVE-2022-1785 vim: Out-of-bounds Write +- CVE-2022-1897 vim: out-of-bounds write in vim_regsub_both() in regexp.c +- CVE-2022-1927 vim: buffer over-read in utf_ptr2char() in mbyte.c + +* Wed May 25 2022 Zdenek Dohnal - 2:8.0.1763-19.2 +- CVE-2022-1621 vim: heap buffer overflow +- CVE-2022-1629 vim: buffer over-read + +* Sat Apr 09 2022 Zdenek Dohnal - 2:8.0.1763-19.1 +- CVE-2022-1154 vim: use after free in utf_ptr2char + +* Tue Feb 08 2022 Zdenek Dohnal - 2:8.0.1763-19 - CVE-2022-0361 vim: Heap-based Buffer Overflow in GitHub repository -* Fri Feb 04 2022 Tomas Korbar - 2:8.0.1763-16.11 -- CVE-2022-0413 vim: use after free in src/ex_cmds.c -- Fix specfile problems -- Resolves: rhbz#2048525 - -* Thu Feb 03 2022 Tomas Korbar - 2:8.0.1763-16.10 -- CVE-2022-0413 vim: use after free in src/ex_cmds.c -- Resolves: rhbz#2048525 - -* Wed Feb 02 2022 Tomas Korbar - 2:8.0.1763-16.9 +* Mon Feb 07 2022 Zdenek Dohnal - 2:8.0.1763-18 - CVE-2022-0392 vim: heap-based buffer overflow in getexmodeline() in ex_getln.c -- Improve fix -- Resolves: rhbz#2049403 +- CVE-2022-0413 vim: use after free in src/ex_cmds.c -* Wed Feb 02 2022 Tomas Korbar - 2:8.0.1763-16.8 -- CVE-2022-0392 vim: heap-based buffer overflow in getexmodeline() in ex_getln.c -- Resolves: rhbz#2049403 - -* Thu Jan 27 2022 Zdenek Dohnal - 2:8.0.1763-16.7 +* Thu Jan 27 2022 Zdenek Dohnal - 2:8.0.1763-18 +- fix test suite after fix for CVE-2022-0318 - CVE-2022-0359 vim: heap-based buffer overflow in init_ccline() in ex_getln.c -* Thu Jan 27 2022 Zdenek Dohnal - 2:8.0.1763-16.6 -- fix test suite after fix for CVE-2022-0318 - -* Wed Jan 26 2022 Zdenek Dohnal - 2:8.0.1763-16.5 +* Wed Jan 12 2022 Zdenek Dohnal - 
2:8.0.1763-18 - CVE-2022-0261 vim: Heap-based Buffer Overflow in block_insert() in src/ops.c - CVE-2022-0318 vim: heap-based buffer overflow in utf_head_off() in mbyte.c -* Wed Jan 12 2022 Zdenek Dohnal - 2:8.0.1763-16.4 +* Wed Jan 12 2022 Zdenek Dohnal - 2:8.0.1763-18 - CVE-2021-4193 vim: vulnerable to Out-of-bounds Read - CVE-2021-4192 vim: vulnerable to Use After Free -* Fri Dec 03 2021 Zdenek Dohnal - 2:8.0.1763-16.3 +* Fri Dec 03 2021 Zdenek Dohnal - 2:8.0.1763-18 - 2028341 - CVE-2021-3984 vim: illegal memory access when C-indenting could lead to Heap Buffer Overflow [rhel-8.6.0] - 2028430 - CVE-2021-4019 vim: heap-based buffer overflow in find_help_tags() in src/help.c [rhel-8.6.0] -* Tue Oct 26 2021 Zdenek Dohnal - 2:8.0.1763-16.2 -- remove the upstream test - uses a feature which is not presented in RHEL 8 +* Tue Oct 26 2021 Zdenek Dohnal - 2:8.0.1763-17 +- 2016201 - CVE-2021-3872 vim: heap-based buffer overflow in win_redr_status() drawscreen.c [rhel-8.6.0] -* Tue Oct 26 2021 Zdenek Dohnal - 2:8.0.1763-16.1 -- CVE-2021-3872 vim: heap-based buffer overflow in win_redr_status() drawscreen.c [rhel-8.6.0] - -* Mon Sep 20 2021 Zdenek Dohnal - 2:8.0.1763-16 -- 2004974 - CVE-2021-3796 vim: use-after-free in nv_replace() in normal.c [rhel-8.5.0] -- 2004891 - CVE-2021-3778 vim: heap-based buffer overflow in utf_ptr2char() in mbyte.c [rhel-8.5.0] +* Thu Sep 23 2021 Zdenek Dohnal - 2:8.0.1763-16 +- 2004975 - CVE-2021-3796 vim: use-after-free in nv_replace() in normal.c [rhel-8.6.0] +- 2004892 - CVE-2021-3778 vim: heap-based buffer overflow in utf_ptr2char() in mbyte.c [rhel-8.6.0] * Tue Jun 02 2020 Zdenek Dohnal - 2:8.0.1763-15 - 1842755 - CVE-2019-20807