RHEL-351 - Enhanced TMT testing for centos-stream

Resolves: CVE-2022-47024

.fmf/version

@@ -0,0 +1 @@
+1

.vim.metadata

@@ -0,0 +1 @@
+8405efdee1d83465651f90edc1173ff69f390aea vim-8.2-2637.tar.bz2

0001-patch-8.2.4563-z-in-Visual-mode-may-go-beyond-the-en.patch

@@ -0,0 +1,39 @@
+diff -up vim82/src/spellsuggest.c.cve0943 vim82/src/spellsuggest.c
+--- vim82/src/spellsuggest.c.cve0943	2022-03-28 20:48:07.079197805 +0200
++++ vim82/src/spellsuggest.c	2022-03-28 20:48:07.101197522 +0200
+@@ -501,6 +501,10 @@ spell_suggest(int count)
+ 	    curwin->w_cursor.col = VIsual.col;
+ 	++badlen;
+ 	end_visual_mode();
++	// make sure we don't include the NUL at the end of the line
++	line = ml_get_curline();
++	if (badlen > STRLEN(line) - curwin->w_cursor.col)
++	    badlen = STRLEN(line) - curwin->w_cursor.col;
+     }
+     // Find the start of the badly spelled word.
+     else if (spell_move_to(curwin, FORWARD, TRUE, TRUE, NULL) == 0
+diff -up vim82/src/testdir/test_spell.vim.cve0943 vim82/src/testdir/test_spell.vim
+--- vim82/src/testdir/test_spell.vim.cve0943	2022-03-28 20:48:07.102197509 +0200
++++ vim82/src/testdir/test_spell.vim	2022-03-28 20:49:05.038452974 +0200
+@@ -441,6 +441,21 @@ func Test_spellsuggest_expr_errors()
+   delfunc MySuggest3
+ endfunc
+ 
++func Test_spellsuggest_visual_end_of_line()
++  let enc_save = &encoding
++  set encoding=iso8859
++
++  " This was reading beyond the end of the line.
++  norm R00000000000
++  sil norm 0
++  sil! norm i00000)
++  sil! norm i00000)
++  call feedkeys("\<CR>")
++  norm z=
++
++  let &encoding = enc_save
++endfunc
++
+ func Test_spellinfo()
+   new
+   let runtime = substitute($VIMRUNTIME, '\\', '/', 'g')

0001-patch-8.2.4646-using-buffer-line-after-it-has-been-f.patch

@@ -0,0 +1,44 @@
+diff -up vim82/src/regexp_bt.c.cve1154 vim82/src/regexp_bt.c
+--- vim82/src/regexp_bt.c.cve1154	2022-04-25 15:22:28.367621755 +0200
++++ vim82/src/regexp_bt.c	2022-04-25 15:25:13.726340728 +0200
+@@ -3188,8 +3188,17 @@ regmatch(
+ 		int	mark = OPERAND(scan)[0];
+ 		int	cmp = OPERAND(scan)[1];
+ 		pos_T	*pos;
++		size_t	col = REG_MULTI ? rex.input - rex.line : 0;
+ 
+ 		pos = getmark_buf(rex.reg_buf, mark, FALSE);
++
++		// Line may have been freed, get it again.
++		if (REG_MULTI)
++		{
++		    rex.line = reg_getline(rex.lnum);
++		    rex.input = rex.line + col;
++		}
++
+ 		if (pos == NULL		     // mark doesn't exist
+ 			|| pos->lnum <= 0    // mark isn't set in reg_buf
+ 			|| (pos->lnum == rex.lnum + rex.reg_firstlnum
+diff -up vim82/src/testdir/test_regexp_latin.vim.cve1154 vim82/src/testdir/test_regexp_latin.vim
+--- vim82/src/testdir/test_regexp_latin.vim.cve1154	2022-04-25 15:22:28.368621752 +0200
++++ vim82/src/testdir/test_regexp_latin.vim	2022-04-25 15:26:57.515227712 +0200
+@@ -954,4 +954,19 @@ func Test_using_visual_position()
+   bwipe!
+ endfunc
+ 
++func Test_using_mark_position()
++  " this was using freed memory
++  " new engine
++  new
++  norm O0
++  call assert_fails("s/\\%')", 'E486:')
++  bwipe!
++
++  " old engine
++  new
++  norm O0
++  call assert_fails("s/\\%#=1\\%')", 'E486:')
++  bwipe!
++endfunc
++
+ " vim: shiftwidth=2 sts=2 expandtab

0001-patch-8.2.4774-crash-when-using-a-number-for-lambda-.patch

@@ -0,0 +1,51 @@
+diff -up vim82/src/errors.h.cve1420 vim82/src/errors.h
+--- vim82/src/errors.h.cve1420	2022-04-25 16:01:03.559985019 +0200
++++ vim82/src/errors.h	2022-04-25 16:01:58.113332024 +0200
+@@ -383,3 +383,7 @@ EXTERN char e_cannot_use_default_values_
+ 	INIT(= N_("E1172: Cannot use default values in a lambda"));
+ EXTERN char e_resulting_text_too_long[]
+ 	INIT(= N_("E1240: Resulting text too long"));
++#ifdef FEAT_EVAL
++EXTERN char e_string_or_function_required_for_arrow_parens_expr[]
++	INIT(= N_("E1275: String or function required for ->(expr)"));
++#endif
+diff -up vim82/src/eval.c.cve1420 vim82/src/eval.c
+--- vim82/src/eval.c.cve1420	2022-04-25 16:01:03.560985007 +0200
++++ vim82/src/eval.c	2022-04-25 16:14:11.746600369 +0200
+@@ -3718,13 +3718,20 @@ eval_lambda(
+ 	if (**arg != ')')
+ 	{
+ 	    emsg(_(e_missing_close));
+-	    ret = FAIL;
++	    return FAIL;
++	}
++	if (rettv->v_type != VAR_STRING && rettv->v_type != VAR_FUNC
++					       && rettv->v_type != VAR_PARTIAL)
++	{
++	    emsg(_(e_string_or_function_required_for_arrow_parens_expr));
++	    return FAIL;
+ 	}
+ 	++*arg;
+     }
+     if (ret != OK)
+ 	return FAIL;
+-    else if (**arg != '(')
++
++    if (**arg != '(')
+     {
+ 	if (verbose)
+ 	{
+diff -up vim82/src/testdir/test_lambda.vim.cve1420 vim82/src/testdir/test_lambda.vim
+--- vim82/src/testdir/test_lambda.vim.cve1420	2022-04-25 16:01:03.560985007 +0200
++++ vim82/src/testdir/test_lambda.vim	2022-04-25 16:17:01.694886566 +0200
+@@ -64,6 +64,10 @@ function Test_lambda_fails()
+   call assert_fails('echo {a, a -> a + a}(1, 2)', 'E853:')
+   call assert_fails('echo {a, b -> a + b)}(1, 2)', 'E451:')
+   echo assert_fails('echo 10->{a -> a + 2}', 'E107:')
++  call assert_fails('eval 0->(3)()', "E1275:")
++  call assert_fails('eval 0->([3])()', "E1275:")
++  call assert_fails('eval 0->({"a": 3})()', "E1275:")
++  call assert_fails('eval 0->(xxx)()', "E121:")
+ endfunc
+ 
+ func Test_not_lamda()

0001-patch-8.2.4919-can-add-invalid-bytes-with-spellgood.patch

@@ -0,0 +1,50 @@
+diff -up vim82/src/errors.h.cve1621 vim82/src/errors.h
+--- vim82/src/errors.h.cve1621	2022-05-24 13:36:23.883370040 +0200
++++ vim82/src/errors.h	2022-05-24 13:36:47.665487703 +0200
+@@ -387,3 +387,7 @@ EXTERN char e_resulting_text_too_long[]
+ EXTERN char e_string_or_function_required_for_arrow_parens_expr[]
+ 	INIT(= N_("E1275: String or function required for ->(expr)"));
+ #endif
++#ifdef FEAT_SPELL
++EXTERN char e_illegal_character_in_word[]
++	INIT(= N_("E1280: Illegal character in word"));
++#endif
+diff -up vim82/src/mbyte.c.cve1621 vim82/src/mbyte.c
+--- vim82/src/mbyte.c.cve1621	2021-03-22 10:02:42.000000000 +0100
++++ vim82/src/mbyte.c	2022-05-24 13:36:23.884370045 +0200
+@@ -4181,7 +4181,7 @@ theend:
+     convert_setup(&vimconv, NULL, NULL);
+ }
+ 
+-#if defined(FEAT_GUI_GTK) || defined(PROTO)
++#if defined(FEAT_GUI_GTK) || defined(FEAT_SPELL) || defined(PROTO)
+ /*
+  * Return TRUE if string "s" is a valid utf-8 string.
+  * When "end" is NULL stop at the first NUL.
+diff -up vim82/src/spellfile.c.cve1621 vim82/src/spellfile.c
+--- vim82/src/spellfile.c.cve1621	2021-03-22 10:02:42.000000000 +0100
++++ vim82/src/spellfile.c	2022-05-24 13:36:23.885370049 +0200
+@@ -4391,6 +4391,10 @@ store_word(
+     int		res = OK;
+     char_u	*p;
+ 
++    // Avoid adding illegal bytes to the word tree.
++    if (enc_utf8 && !utf_valid_string(word, NULL))
++	return FAIL;
++
+     (void)spell_casefold(word, len, foldword, MAXWLEN);
+     for (p = pfxlist; res == OK; ++p)
+     {
+@@ -6191,6 +6195,12 @@ spell_add_word(
+     int		i;
+     char_u	*spf;
+ 
++    if (enc_utf8 && !utf_valid_string(word, NULL))
++    {
++	emsg(_(e_illegal_character_in_word));
++	return;
++    }
++
+     if (idx == 0)	    // use internal wordlist
+     {
+ 	if (int_wordlist == NULL)

0001-patch-8.2.4925-trailing-backslash-may-cause-reading-.patch

@@ -0,0 +1,33 @@
+From 53a70289c2712808e6d4e88927e03cac01b470dd Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Mon, 9 May 2022 13:15:07 +0100
+Subject: [PATCH] patch 8.2.4925: trailing backslash may cause reading past end
+ of line
+
+Problem:    Trailing backslash may cause reading past end of line.
+Solution:   Check for NUL after backslash.
+---
+ src/testdir/test_textobjects.vim | 10 +++++++++-
+ src/textobject.c                 |  4 ++++
+ src/version.c                    |  2 ++
+ 3 files changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/src/textobject.c b/src/textobject.c
+index e4a7db38e..edaa64c51 100644
+--- a/src/textobject.c
++++ b/src/textobject.c
+@@ -1664,7 +1664,11 @@ find_next_quote(
+ 	if (c == NUL)
+ 	    return -1;
+ 	else if (escape != NULL && vim_strchr(escape, c))
++	{
+ 	    ++col;
++	    if (line[col] == NUL)
++		return -1;
++	}
+ 	else if (c == quotechar)
+ 	    break;
+ 	if (has_mbyte)
+-- 
+2.36.1
+

0001-patch-8.2.4977-memory-access-error-when-substitute-e.patch

@@ -0,0 +1,59 @@
+diff -up vim82/src/ex_cmds.c.cve1785 vim82/src/ex_cmds.c
+--- vim82/src/ex_cmds.c.cve1785	2022-06-10 10:26:16.883312704 +0200
++++ vim82/src/ex_cmds.c	2022-06-10 10:26:16.910312568 +0200
+@@ -4356,12 +4356,17 @@ ex_substitute(exarg_T *eap)
+ 		// Save flags for recursion.  They can change for e.g.
+ 		// :s/^/\=execute("s#^##gn")
+ 		subflags_save = subflags;
++
++		// Disallow changing text or switching window in an expression.
++		++textwinlock;
+ #endif
+ 		// get length of substitution part
+ 		sublen = vim_regsub_multi(&regmatch,
+ 				    sub_firstlnum - regmatch.startpos[0].lnum,
+ 			       sub, sub_firstline, FALSE, magic_isset(), TRUE);
+ #ifdef FEAT_EVAL
++		--textwinlock;
++
+ 		// If getting the substitute string caused an error, don't do
+ 		// the replacement.
+ 		// Don't keep flags set by a recursive call.
+@@ -4462,9 +4467,15 @@ ex_substitute(exarg_T *eap)
+ 		mch_memmove(new_end, sub_firstline + copycol, (size_t)copy_len);
+ 		new_end += copy_len;
+ 
++#ifdef FEAT_EVAL
++		++textwinlock;
++#endif
+ 		(void)vim_regsub_multi(&regmatch,
+ 				    sub_firstlnum - regmatch.startpos[0].lnum,
+ 				      sub, new_end, TRUE, magic_isset(), TRUE);
++#ifdef FEAT_EVAL
++		--textwinlock;
++#endif
+ 		sub_nsubs++;
+ 		did_sub = TRUE;
+ 
+diff -up vim82/src/testdir/test_substitute.vim.cve1785 vim82/src/testdir/test_substitute.vim
+--- vim82/src/testdir/test_substitute.vim.cve1785	2022-06-10 10:26:16.910312568 +0200
++++ vim82/src/testdir/test_substitute.vim	2022-06-10 10:27:02.166084629 +0200
+@@ -942,5 +942,18 @@ func Test_using_old_sub()
+   set nocompatible
+ endfunc
+ 
++" This was switching windows in between computing the length and using it.
++func Test_sub_change_window()
++  silent! lfile
++  sil! norm o0000000000000000000000000000000000000000000000000000
++  func Repl()
++    lopen
++  endfunc
++  silent!  s/\%')/\=Repl()
++  bwipe!
++  bwipe!
++  delfunc Repl
++endfunc
++
+ 
+ " vim: shiftwidth=2 sts=2 expandtab

0001-patch-8.2.5023-substitute-overwrites-allocated-buffe.patch

@@ -0,0 +1,121 @@
+diff -up vim82/src/normal.c.cve1897 vim82/src/normal.c
+--- vim82/src/normal.c.cve1897	2022-06-13 09:31:42.880768567 +0200
++++ vim82/src/normal.c	2022-06-13 09:35:38.560084927 +0200
+@@ -479,6 +479,22 @@ find_command(int cmdchar)
+ }
+ 
+ /*
++ * If currently editing a cmdline or text is locked: beep and give an error
++ * message, return TRUE.
++ */
++    static int
++check_text_locked(oparg_T *oap)
++{
++    if (text_locked())
++    {
++	clearopbeep(oap);
++	text_locked_msg();
++	return TRUE;
++    }
++    return FALSE;
++}
++
++/*
+  * Execute a command in Normal mode.
+  */
+     void
+@@ -742,14 +758,9 @@ getcount:
+ 	goto normal_end;
+     }
+ 
+-    if (text_locked() && (nv_cmds[idx].cmd_flags & NV_NCW))
+-    {
+-	// This command is not allowed while editing a cmdline: beep.
+-	clearopbeep(oap);
+-	text_locked_msg();
+-	goto normal_end;
+-    }
+-    if ((nv_cmds[idx].cmd_flags & NV_NCW) && curbuf_locked())
++    if ((nv_cmds[idx].cmd_flags & NV_NCW)
++				&& (check_text_locked(oap) || curbuf_locked()))
++	// this command is not allowed now
+ 	goto normal_end;
+ 
+     /*
+@@ -4212,12 +4223,8 @@ nv_gotofile(cmdarg_T *cap)
+     char_u	*ptr;
+     linenr_T	lnum = -1;
+ 
+-    if (text_locked())
+-    {
+-	clearopbeep(cap->oap);
+-	text_locked_msg();
++    if (check_text_locked(cap->oap))
+ 	return;
+-    }
+     if (curbuf_locked())
+     {
+ 	clearop(cap->oap);
+@@ -6343,14 +6350,7 @@ nv_g_cmd(cmdarg_T *cap)
+ 
+     // "gQ": improved Ex mode
+     case 'Q':
+-	if (text_locked())
+-	{
+-	    clearopbeep(cap->oap);
+-	    text_locked_msg();
+-	    break;
+-	}
+-
+-	if (!checkclearopq(oap))
++	if (!check_text_locked(cap->oap) && !checkclearopq(oap))
+ 	    do_exmode(TRUE);
+ 	break;
+ 
+diff -up vim82/src/testdir/test_substitute.vim.cve1897 vim82/src/testdir/test_substitute.vim
+--- vim82/src/testdir/test_substitute.vim.cve1897	2022-06-13 09:31:42.938768884 +0200
++++ vim82/src/testdir/test_substitute.vim	2022-06-13 09:36:39.013406036 +0200
+@@ -955,5 +955,27 @@ func Test_sub_change_window()
+   delfunc Repl
+ endfunc
+ 
++" This was undoign a change in between computing the length and using it.
++func Do_Test_sub_undo_change()
++  new
++  norm o0000000000000000000000000000000000000000000000000000
++  silent! s/\%')/\=Repl()
++  bwipe!
++endfunc
++
++func Test_sub_undo_change()
++  func Repl()
++    silent! norm g-
++  endfunc
++  call Do_Test_sub_undo_change()
++
++  func! Repl()
++    silent earlier
++  endfunc
++  call Do_Test_sub_undo_change()
++
++  delfunc Repl
++endfunc
++
+ 
+ " vim: shiftwidth=2 sts=2 expandtab
+diff -up vim82/src/undo.c.cve1897 vim82/src/undo.c
+--- vim82/src/undo.c.cve1897	2022-06-13 09:31:42.904768698 +0200
++++ vim82/src/undo.c	2022-06-13 09:31:42.938768884 +0200
+@@ -2323,6 +2323,12 @@ undo_time(
+     int		    above = FALSE;
+     int		    did_undo = TRUE;
+ 
++    if (text_locked())
++    {
++	text_locked_msg();
++	return;
++    }
++
+     // First make sure the current undoable change is synced.
+     if (curbuf->b_u_synced == FALSE)
+ 	u_sync(TRUE);

0001-patch-8.2.5037-cursor-position-may-be-invalid-after-.patch

@@ -0,0 +1,106 @@
+diff -up vim82/src/ex_docmd.c.cve1927 vim82/src/ex_docmd.c
+--- vim82/src/ex_docmd.c.cve1927	2021-03-22 10:02:42.000000000 +0100
++++ vim82/src/ex_docmd.c	2022-06-13 15:29:45.099472751 +0200
+@@ -3081,6 +3081,8 @@ parse_cmd_address(exarg_T *eap, char **e
+ {
+     int		address_count = 1;
+     linenr_T	lnum;
++    int		need_check_cursor = FALSE;
++    int		ret = FAIL;
+ 
+     // Repeat for all ',' or ';' separated addresses.
+     for (;;)
+@@ -3091,7 +3093,7 @@ parse_cmd_address(exarg_T *eap, char **e
+ 	lnum = get_address(eap, &eap->cmd, eap->addr_type, eap->skip, silent,
+ 					eap->addr_count == 0, address_count++);
+ 	if (eap->cmd == NULL)	// error detected
+-	    return FAIL;
++	    goto theend;
+ 	if (lnum == MAXLNUM)
+ 	{
+ 	    if (*eap->cmd == '%')   // '%' - all lines
+@@ -3136,14 +3138,14 @@ parse_cmd_address(exarg_T *eap, char **e
+ 			    // there is no Vim command which uses '%' and
+ 			    // ADDR_WINDOWS or ADDR_TABS
+ 			    *errormsg = _(e_invrange);
+-			    return FAIL;
++			    goto theend;
+ 			}
+ 			break;
+ 		    case ADDR_TABS_RELATIVE:
+ 		    case ADDR_UNSIGNED:
+ 		    case ADDR_QUICKFIX:
+ 			*errormsg = _(e_invrange);
+-			return FAIL;
++			goto theend;
+ 		    case ADDR_ARGUMENTS:
+ 			if (ARGCOUNT == 0)
+ 			    eap->line1 = eap->line2 = 0;
+@@ -3175,7 +3177,7 @@ parse_cmd_address(exarg_T *eap, char **e
+ 		if (eap->addr_type != ADDR_LINES)
+ 		{
+ 		    *errormsg = _(e_invrange);
+-		    return FAIL;
++		    goto theend;
+ 		}
+ 
+ 		++eap->cmd;
+@@ -3183,11 +3185,11 @@ parse_cmd_address(exarg_T *eap, char **e
+ 		{
+ 		    fp = getmark('<', FALSE);
+ 		    if (check_mark(fp) == FAIL)
+-			return FAIL;
++			goto theend;
+ 		    eap->line1 = fp->lnum;
+ 		    fp = getmark('>', FALSE);
+ 		    if (check_mark(fp) == FAIL)
+-			return FAIL;
++			goto theend;
+ 		    eap->line2 = fp->lnum;
+ 		    ++eap->addr_count;
+ 		}
+@@ -3202,10 +3204,13 @@ parse_cmd_address(exarg_T *eap, char **e
+ 	    if (!eap->skip)
+ 	    {
+ 		curwin->w_cursor.lnum = eap->line2;
++
+ 		// Don't leave the cursor on an illegal line or column, but do
+ 		// accept zero as address, so 0;/PATTERN/ works correctly.
++		// Check the cursor position before returning.
+ 		if (eap->line2 > 0)
+ 		    check_cursor();
++		need_check_cursor = TRUE;
+ 	    }
+ 	}
+ 	else if (*eap->cmd != ',')
+@@ -3221,7 +3226,12 @@ parse_cmd_address(exarg_T *eap, char **e
+ 	if (lnum == MAXLNUM)
+ 	    eap->addr_count = 0;
+     }
+-    return OK;
++    ret = OK;
++
++theend:
++    if (need_check_cursor)
++	check_cursor();
++    return ret;
+ }
+ 
+ /*
+diff -up vim82/src/testdir/test_excmd.vim.cve1927 vim82/src/testdir/test_excmd.vim
+--- vim82/src/testdir/test_excmd.vim.cve1927	2022-06-13 15:26:53.941517542 +0200
++++ vim82/src/testdir/test_excmd.vim	2022-06-13 15:30:53.972860361 +0200
+@@ -536,4 +536,13 @@ func Test_sandbox()
+   sandbox call Sandbox_tests()
+ endfunc
+ 
++" This was leaving the cursor in line zero
++func Test_using_zero_in_range()
++  new
++  norm o00
++  silent!  0;s/\%')
++  bwipe!
++endfunc
++
++
+ " vim: shiftwidth=2 sts=2 expandtab

0001-patch-9.0.0339-no-check-if-the-return-value-of-XChan.patch

@@ -0,0 +1,38 @@
+From a63ad78ed31e36dbdf3a9cd28071dcdbefce7d19 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Wed, 31 Aug 2022 12:01:54 +0100
+Subject: [PATCH] patch 9.0.0339: no check if the return value of XChangeGC()
+ is NULL
+
+Problem:    No check if the return value of XChangeGC() is NULL.
+Solution:   Only use the return value when it is not NULL. (closes #11020)
+---
+ src/gui_x11.c | 10 +++++++---
+ src/version.c |  2 ++
+ 2 files changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/src/gui_x11.c b/src/gui_x11.c
+index 6e3e903be..7293ac490 100644
+--- a/src/gui_x11.c
++++ b/src/gui_x11.c
+@@ -2231,10 +2231,14 @@ gui_x11_create_blank_mouse(void)
+ {
+     Pixmap blank_pixmap = XCreatePixmap(gui.dpy, gui.wid, 1, 1, 1);
+     GC gc = XCreateGC(gui.dpy, blank_pixmap, (unsigned long)0, (XGCValues*)0);
+-    XDrawPoint(gui.dpy, blank_pixmap, gc, 0, 0);
+-    XFreeGC(gui.dpy, gc);
++
++    if (gc != NULL)
++    {
++	XDrawPoint(gui.dpy, blank_pixmap, gc, 0, 0);
++	XFreeGC(gui.dpy, gc);
++    }
+     return XCreatePixmapCursor(gui.dpy, blank_pixmap, blank_pixmap,
+-	    (XColor*)&gui.norm_pixel, (XColor*)&gui.norm_pixel, 0, 0);
++		     (XColor*)&gui.norm_pixel, (XColor*)&gui.norm_pixel, 0, 0);
+ }
+ 
+ /*
+-- 
+2.39.1
+

ci.fmf

@@ -0,0 +1 @@
+resultsdb-testcase: separate

gating.yaml

@@ -1,8 +1,28 @@
 --- !Policy
 product_versions:
-    - rhel-9
+  - fedora-*
+decision_context: bodhi_update_push_testing
+subject_type: koji_build
+rules:
+  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/public.functional}
+
+#Rawhide
+--- !Policy
+product_versions:
+  - fedora-*
+decision_context: bodhi_update_push_stable
+subject_type: koji_build
+rules:
+  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/public.functional}
+
+#gating rhel
+--- !Policy
+product_versions:
+  - rhel-*
 decision_context: osci_compose_gate
 rules:
-    - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}
-    - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tedude.validation}
-    - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.acceptance-tier.functional}
+  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}
+  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tedude.validation}
+  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.acceptance-tier.functional}
+  - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/tier1-internal.functional}
+  - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/public.functional}

plans/public.fmf

@@ -0,0 +1,6 @@
+summary: Test plan with all Fedora tests
+discover:
+       how: fmf
+       url: https://src.fedoraproject.org/tests/vim.git
+execute:
+       how: tmt

plans/tier1-internal.fmf

@@ -0,0 +1,12 @@
+summary: CI plan, picks internal Tier1 tests, runs in beakerlib.
+discover:
+  - name: rhel
+    how: fmf
+    filter: 'tier: 1'
+    url: git://pkgs.devel.redhat.com/tests/vim
+execute:
+    how: tmt
+adjust:
+    enabled: false
+    when: distro == centos-stream or distro == fedora
+    because: They don't have access to internal repos.

vim.spec

@@ -27,7 +27,7 @@ Summary: The VIM editor
 URL:     http://www.vim.org/
 Name: vim
 Version: %{baseversion}.%{patchlevel}
-Release: 16%{?dist}
+Release: 20%{?dist}
 License: Vim and MIT
 Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2
 Source1: virc
@@ -116,7 +116,26 @@ Patch3041: 0001-patch-8.2.4359-crash-when-repeatedly-using-retab.patch
 Patch3042: 0001-patch-8.2.4397-crash-when-using-many-composing-chara.patch
 # CVE-2022-0714 vim: buffer overflow [rhel-9]
 Patch3043: 0001-patch-8.2.4436-crash-with-weird-vartabstop-value.patch
+# CVE-2022-0554 vim: Use of Out-of-range Pointer Offset in vim prior
 Patch3044: 0001-patch-8.2.4327-may-end-up-with-no-current-buffer.patch
+# CVE-2022-0943 vim: Heap-based Buffer Overflow occurs in vim
+Patch3045: 0001-patch-8.2.4563-z-in-Visual-mode-may-go-beyond-the-en.patch
+# CVE-2022-1154 vim: use after free in utf_ptr2char
+Patch3046: 0001-patch-8.2.4646-using-buffer-line-after-it-has-been-f.patch
+# CVE-2022-1420 vim: Out-of-range Pointer Offset
+Patch3047: 0001-patch-8.2.4774-crash-when-using-a-number-for-lambda-.patch
+# CVE-2022-1621 vim: heap buffer overflow
+Patch3048: 0001-patch-8.2.4919-can-add-invalid-bytes-with-spellgood.patch
+# CVE-2022-1629 vim: buffer over-read
+Patch3049: 0001-patch-8.2.4925-trailing-backslash-may-cause-reading-.patch
+# CVE-2022-1785 vim: Out-of-bounds Write
+Patch3050: 0001-patch-8.2.4977-memory-access-error-when-substitute-e.patch
+# CVE-2022-1897 vim: out-of-bounds write in vim_regsub_both() in regexp.c
+Patch3051: 0001-patch-8.2.5023-substitute-overwrites-allocated-buffe.patch
+# CVE-2022-1927 vim: buffer over-read in utf_ptr2char() in mbyte.c
+Patch3052: 0001-patch-8.2.5037-cursor-position-may-be-invalid-after-.patch
+# CVE-2022-47024 vim: no check if the return value of XChangeGC() is NULL
+Patch3053:0001-patch-9.0.0339-no-check-if-the-return-value-of-XChan.patch
 
 # gcc is no longer in buildroot by default
 BuildRequires: gcc
@@ -348,6 +367,15 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
 %patch3042 -p1 -b .cve0629
 %patch3043 -p1 -b .cve0714
 %patch3044 -p1 -b .cve0554
+%patch3045 -p1 -b .cve0943
+%patch3046 -p1 -b .cve1154
+%patch3047 -p1 -b .cve1420
+%patch3048 -p1 -b .cve1621
+%patch3049 -p1 -b .cve1629
+%patch3050 -p1 -b .cve1785
+%patch3051 -p1 -b .cve1897
+%patch3052 -p1 -b .cve1927
+%patch3053 -p1 -b .cve47024
 
 %build
 cd src
@@ -905,8 +933,25 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
 %endif
 
 %changelog
+* Thu Feb 09 2023 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-20
+- CVE-2022-47024 vim: no check if the return value of XChangeGC() is NULL
+
+* Mon Jun 13 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-19
+- CVE-2022-1785 vim: Out-of-bounds Write
+- CVE-2022-1897 vim: out-of-bounds write in vim_regsub_both() in regexp.c
+- CVE-2022-1927 vim: buffer over-read in utf_ptr2char() in mbyte.c
+
+* Tue May 24 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-18
+- CVE-2022-1621 vim: heap buffer overflow
+- CVE-2022-1629 vim: buffer over-read
+
+* Mon Apr 25 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-17
+- CVE-2022-1154 vim: use after free in utf_ptr2char
+- CVE-2022-1420 vim: Out-of-range Pointer Offset
+
 * Mon Mar 28 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-16
 - CVE-2022-0554 vim: Use of Out-of-range Pointer Offset in vim prior
+- CVE-2022-0943 vim: Heap-based Buffer Overflow occurs in vim
 
 * Thu Feb 24 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-15
 - CVE-2022-0714 vim: buffer overflow [rhel-9]