import vim-8.0.1763-19.el8_6.4

SOURCES/0001-patch-8.1.0881-can-execute-shell-commands-in-rvim-th.patch

@@ -0,0 +1,461 @@
+diff --git a/runtime/doc/starting.txt b/runtime/doc/starting.txt
+index 8256152..8320039 100644
+--- a/runtime/doc/starting.txt
++++ b/runtime/doc/starting.txt
+@@ -247,12 +247,18 @@ a slash.  Thus "-R" means recovery and "-/R" readonly.
+ 		changes and writing.
+ 		{not in Vi}
+ 
+-						*-Z* *restricted-mode* *E145*
++					*-Z* *restricted-mode* *E145* *E981*
+ -Z		Restricted mode.  All commands that make use of an external
+ 		shell are disabled.  This includes suspending with CTRL-Z,
+-		":sh", filtering, the system() function, backtick expansion,
+-		delete(), rename(), mkdir(), writefile(), libcall(),
+-		job_start(), etc.
++		":sh", filtering, the system() function, backtick expansion
++		and libcall().
++		Also disallowed are delete(), rename(), mkdir(), job_start(),
++		etc.
++		Interfaces, such as Python, Ruby and Lua, are also disabled,
++		since they could be used to execute shell commands.  Perl uses
++		the Safe module.
++		Note that the user may still find a loophole to execute a
++		shell command, it has only been made difficult.
+ 		{not in Vi}
+ 
+ 							*-g*
+diff --git a/src/evalfunc.c b/src/evalfunc.c
+index dd4462d..3cc305a 100644
+--- a/src/evalfunc.c
++++ b/src/evalfunc.c
+@@ -6446,7 +6446,7 @@ f_histadd(typval_T *argvars UNUSED, typval_T *rettv)
+ #endif
+ 
+     rettv->vval.v_number = FALSE;
+-    if (check_restricted() || check_secure())
++    if (check_secure())
+ 	return;
+ #ifdef FEAT_CMDHIST
+     str = get_tv_string_chk(&argvars[0]);	/* NULL on type error */
+@@ -7456,6 +7456,9 @@ f_luaeval(typval_T *argvars, typval_T *rettv)
+     char_u	*str;
+     char_u	buf[NUMBUFLEN];
+ 
++    if (check_restricted() || check_secure())
++	return;
++
+     str = get_tv_string_buf(&argvars[0], buf);
+     do_luaeval(str, argvars + 1, rettv);
+ }
+@@ -8188,6 +8191,8 @@ f_mzeval(typval_T *argvars, typval_T *rettv)
+     char_u	*str;
+     char_u	buf[NUMBUFLEN];
+ 
++    if (check_restricted() || check_secure())
++	return;
+     str = get_tv_string_buf(&argvars[0], buf);
+     do_mzeval(str, rettv);
+ }
+@@ -8398,6 +8403,9 @@ f_py3eval(typval_T *argvars, typval_T *rettv)
+     char_u	*str;
+     char_u	buf[NUMBUFLEN];
+ 
++    if (check_restricted() || check_secure())
++	return;
++
+     if (p_pyx == 0)
+ 	p_pyx = 3;
+ 
+@@ -8416,6 +8424,9 @@ f_pyeval(typval_T *argvars, typval_T *rettv)
+     char_u	*str;
+     char_u	buf[NUMBUFLEN];
+ 
++    if (check_restricted() || check_secure())
++	return;
++
+     if (p_pyx == 0)
+ 	p_pyx = 2;
+ 
+@@ -8431,6 +8442,9 @@ f_pyeval(typval_T *argvars, typval_T *rettv)
+     static void
+ f_pyxeval(typval_T *argvars, typval_T *rettv)
+ {
++    if (check_restricted() || check_secure())
++	return;
++
+ # if defined(FEAT_PYTHON) && defined(FEAT_PYTHON3)
+     init_pyxversion();
+     if (p_pyx == 2)
+@@ -10272,7 +10286,7 @@ f_setbufvar(typval_T *argvars, typval_T *rettv UNUSED)
+     typval_T	*varp;
+     char_u	nbuf[NUMBUFLEN];
+ 
+-    if (check_restricted() || check_secure())
++    if (check_secure())
+ 	return;
+     (void)get_tv_number(&argvars[0]);	    /* issue errmsg if type error */
+     varname = get_tv_string_chk(&argvars[1]);
+@@ -10792,7 +10806,7 @@ f_settabvar(typval_T *argvars, typval_T *rettv)
+ 
+     rettv->vval.v_number = 0;
+ 
+-    if (check_restricted() || check_secure())
++    if (check_secure())
+ 	return;
+ 
+     tp = find_tabpage((int)get_tv_number_chk(&argvars[0], NULL));
+@@ -13674,7 +13688,7 @@ f_writefile(typval_T *argvars, typval_T *rettv)
+     list_T	*list;
+ 
+     rettv->vval.v_number = -1;
+-    if (check_restricted() || check_secure())
++    if (check_secure())
+ 	return;
+ 
+     if (argvars[0].v_type != VAR_LIST)
+diff --git a/src/ex_cmds.c b/src/ex_cmds.c
+index 111fe01..1827fec 100644
+--- a/src/ex_cmds.c
++++ b/src/ex_cmds.c
+@@ -4693,7 +4693,7 @@ check_restricted(void)
+ {
+     if (restricted)
+     {
+-	EMSG(_("E145: Shell commands not allowed in rvim"));
++	EMSG(_("E145: Shell commands and some functionality not allowed in rvim"));
+ 	return TRUE;
+     }
+     return FALSE;
+diff --git a/src/ex_cmds.h b/src/ex_cmds.h
+index 48b0253..82d6e29 100644
+--- a/src/ex_cmds.h
++++ b/src/ex_cmds.h
+@@ -56,6 +56,7 @@
+ 				 * curbuf_lock is set */
+ #define MODIFY       0x200000L	/* forbidden in non-'modifiable' buffer */
+ #define EXFLAGS      0x400000L	/* allow flags after count in argument */
++#define RESTRICT     0x800000L	/* forbidden in restricted mode */
+ #define FILES	(XFILE | EXTRA)	/* multiple extra files allowed */
+ #define WORD1	(EXTRA | NOSPC)	/* one extra word allowed */
+ #define FILE1	(FILES | NOSPC)	/* 1 file allowed, defaults to current file */
+@@ -860,13 +861,13 @@ EX(CMD_lunmap,		"lunmap",	ex_unmap,
+ 			EXTRA|TRLBAR|NOTRLCOM|USECTRLV|CMDWIN,
+ 			ADDR_LINES),
+ EX(CMD_lua,		"lua",		ex_lua,
+-			RANGE|EXTRA|NEEDARG|CMDWIN,
++			RANGE|EXTRA|NEEDARG|CMDWIN|RESTRICT,
+ 			ADDR_LINES),
+ EX(CMD_luado,		"luado",	ex_luado,
+-			RANGE|DFLALL|EXTRA|NEEDARG|CMDWIN,
++			RANGE|DFLALL|EXTRA|NEEDARG|CMDWIN|RESTRICT,
+ 			ADDR_LINES),
+ EX(CMD_luafile,		"luafile",	ex_luafile,
+-			RANGE|FILE1|NEEDARG|CMDWIN,
++			RANGE|FILE1|NEEDARG|CMDWIN|RESTRICT,
+ 			ADDR_LINES),
+ EX(CMD_lvimgrep,	"lvimgrep",	ex_vimgrep,
+ 			RANGE|NOTADR|BANG|NEEDARG|EXTRA|NOTRLCOM|TRLBAR|XFILE,
+@@ -929,10 +930,10 @@ EX(CMD_mode,		"mode",		ex_mode,
+ 			WORD1|TRLBAR|CMDWIN,
+ 			ADDR_LINES),
+ EX(CMD_mzscheme,	"mzscheme",	ex_mzscheme,
+-			RANGE|EXTRA|DFLALL|NEEDARG|CMDWIN|SBOXOK,
++			RANGE|EXTRA|DFLALL|NEEDARG|CMDWIN|SBOXOK|RESTRICT,
+ 			ADDR_LINES),
+ EX(CMD_mzfile,		"mzfile",	ex_mzfile,
+-			RANGE|FILE1|NEEDARG|CMDWIN,
++			RANGE|FILE1|NEEDARG|CMDWIN|RESTRICT,
+ 			ADDR_LINES),
+ EX(CMD_next,		"next",		ex_next,
+ 			RANGE|NOTADR|BANG|FILES|EDITCMD|ARGOPT|TRLBAR,
+@@ -1115,37 +1116,37 @@ EX(CMD_pwd,		"pwd",		ex_pwd,
+ 			TRLBAR|CMDWIN,
+ 			ADDR_LINES),
+ EX(CMD_python,		"python",	ex_python,
+-			RANGE|EXTRA|NEEDARG|CMDWIN,
++			RANGE|EXTRA|NEEDARG|CMDWIN|RESTRICT,
+ 			ADDR_LINES),
+ EX(CMD_pydo,		"pydo",		ex_pydo,
+-			RANGE|DFLALL|EXTRA|NEEDARG|CMDWIN,
++			RANGE|DFLALL|EXTRA|NEEDARG|CMDWIN|RESTRICT,
+ 			ADDR_LINES),
+ EX(CMD_pyfile,		"pyfile",	ex_pyfile,
+-			RANGE|FILE1|NEEDARG|CMDWIN,
++			RANGE|FILE1|NEEDARG|CMDWIN|RESTRICT,
+ 			ADDR_LINES),
+ EX(CMD_py3,		"py3",		ex_py3,
+-			RANGE|EXTRA|NEEDARG|CMDWIN,
++			RANGE|EXTRA|NEEDARG|CMDWIN|RESTRICT,
+ 			ADDR_LINES),
+ EX(CMD_py3do,		"py3do",	ex_py3do,
+-			RANGE|DFLALL|EXTRA|NEEDARG|CMDWIN,
++			RANGE|DFLALL|EXTRA|NEEDARG|CMDWIN|RESTRICT,
+ 			ADDR_LINES),
+ EX(CMD_python3,		"python3",	ex_py3,
+-			RANGE|EXTRA|NEEDARG|CMDWIN,
++			RANGE|EXTRA|NEEDARG|CMDWIN|RESTRICT,
+ 			ADDR_LINES),
+ EX(CMD_py3file,		"py3file",	ex_py3file,
+-			RANGE|FILE1|NEEDARG|CMDWIN,
++			RANGE|FILE1|NEEDARG|CMDWIN|RESTRICT,
+ 			ADDR_LINES),
+ EX(CMD_pyx,		"pyx",		ex_pyx,
+-			RANGE|EXTRA|NEEDARG|CMDWIN,
++			RANGE|EXTRA|NEEDARG|CMDWIN|RESTRICT,
+ 			ADDR_LINES),
+ EX(CMD_pyxdo,		"pyxdo",	ex_pyxdo,
+-			RANGE|DFLALL|EXTRA|NEEDARG|CMDWIN,
++			RANGE|DFLALL|EXTRA|NEEDARG|CMDWIN|RESTRICT,
+ 			ADDR_LINES),
+ EX(CMD_pythonx,		"pythonx",	ex_pyx,
+-			RANGE|EXTRA|NEEDARG|CMDWIN,
++			RANGE|EXTRA|NEEDARG|CMDWIN|RESTRICT,
+ 			ADDR_LINES),
+ EX(CMD_pyxfile,		"pyxfile",	ex_pyxfile,
+-			RANGE|FILE1|NEEDARG|CMDWIN,
++			RANGE|FILE1|NEEDARG|CMDWIN|RESTRICT,
+ 			ADDR_LINES),
+ EX(CMD_quit,		"quit",		ex_quit,
+ 			BANG|RANGE|COUNT|NOTADR|TRLBAR|CMDWIN,
+@@ -1199,13 +1200,13 @@ EX(CMD_runtime,		"runtime",	ex_runtime,
+ 			BANG|NEEDARG|FILES|TRLBAR|SBOXOK|CMDWIN,
+ 			ADDR_LINES),
+ EX(CMD_ruby,		"ruby",		ex_ruby,
+-			RANGE|EXTRA|NEEDARG|CMDWIN,
++			RANGE|EXTRA|NEEDARG|CMDWIN|RESTRICT,
+ 			ADDR_LINES),
+ EX(CMD_rubydo,		"rubydo",	ex_rubydo,
+-			RANGE|DFLALL|EXTRA|NEEDARG|CMDWIN,
++			RANGE|DFLALL|EXTRA|NEEDARG|CMDWIN|RESTRICT,
+ 			ADDR_LINES),
+ EX(CMD_rubyfile,	"rubyfile",	ex_rubyfile,
+-			RANGE|FILE1|NEEDARG|CMDWIN,
++			RANGE|FILE1|NEEDARG|CMDWIN|RESTRICT,
+ 			ADDR_LINES),
+ EX(CMD_rundo,		"rundo",	ex_rundo,
+ 			NEEDARG|FILE1,
+@@ -1472,13 +1473,13 @@ EX(CMD_tabs,		"tabs",		ex_tabs,
+ 			TRLBAR|CMDWIN,
+ 			ADDR_TABS),
+ EX(CMD_tcl,		"tcl",		ex_tcl,
+-			RANGE|EXTRA|NEEDARG|CMDWIN,
++			RANGE|EXTRA|NEEDARG|CMDWIN|RESTRICT,
+ 			ADDR_LINES),
+ EX(CMD_tcldo,		"tcldo",	ex_tcldo,
+-			RANGE|DFLALL|EXTRA|NEEDARG|CMDWIN,
++			RANGE|DFLALL|EXTRA|NEEDARG|CMDWIN|RESTRICT,
+ 			ADDR_LINES),
+ EX(CMD_tclfile,		"tclfile",	ex_tclfile,
+-			RANGE|FILE1|NEEDARG|CMDWIN,
++			RANGE|FILE1|NEEDARG|CMDWIN|RESTRICT,
+ 			ADDR_LINES),
+ EX(CMD_tearoff,		"tearoff",	ex_tearoff,
+ 			NEEDARG|EXTRA|TRLBAR|NOTRLCOM|CMDWIN,
+diff --git a/src/ex_docmd.c b/src/ex_docmd.c
+index ef86fc8..aaf2f9d 100644
+--- a/src/ex_docmd.c
++++ b/src/ex_docmd.c
+@@ -2372,11 +2372,16 @@ do_one_cmd(
+ #ifdef HAVE_SANDBOX
+ 	if (sandbox != 0 && !(ea.argt & SBOXOK))
+ 	{
+-	    /* Command not allowed in sandbox. */
++	    // Command not allowed in sandbox.
+ 	    errormsg = (char_u *)_(e_sandbox);
+ 	    goto doend;
+ 	}
+ #endif
++	if (restricted != 0 && (ea.argt & RESTRICT))
++	{
++	    errormsg = (char_u *)_("E981: Command not allowed in rvim");
++	    goto doend;
++	}
+ 	if (!curbuf->b_p_ma && (ea.argt & MODIFY))
+ 	{
+ 	    /* Command not allowed in non-'modifiable' buffer */
+diff --git a/src/if_perl.xs b/src/if_perl.xs
+index 7b45033..fc8d613 100644
+--- a/src/if_perl.xs
++++ b/src/if_perl.xs
+@@ -930,6 +930,7 @@ VIM_init(void)
+ #ifdef DYNAMIC_PERL
+ static char *e_noperl = N_("Sorry, this command is disabled: the Perl library could not be loaded.");
+ #endif
++static char *e_perlsandbox = N_("E299: Perl evaluation forbidden in sandbox without the Safe module");
+ 
+ /*
+  * ":perl"
+@@ -978,13 +979,12 @@ ex_perl(exarg_T *eap)
+ 	vim_free(script);
+     }
+ 
+-#ifdef HAVE_SANDBOX
+-    if (sandbox)
++    if (sandbox || secure)
+     {
+ 	safe = perl_get_sv("VIM::safe", FALSE);
+ # ifndef MAKE_TEST  /* avoid a warning for unreachable code */
+ 	if (safe == NULL || !SvTRUE(safe))
+-	    EMSG(_("E299: Perl evaluation forbidden in sandbox without the Safe module"));
++	    EMSG(_(e_perlsandbox));
+ 	else
+ # endif
+ 	{
+@@ -996,7 +996,6 @@ ex_perl(exarg_T *eap)
+ 	}
+     }
+     else
+-#endif
+ 	perl_eval_sv(sv, G_DISCARD | G_NOARGS);
+ 
+     SvREFCNT_dec(sv);
+@@ -1259,13 +1258,12 @@ do_perleval(char_u *str, typval_T *rettv)
+ 	ENTER;
+ 	SAVETMPS;
+ 
+-#ifdef HAVE_SANDBOX
+-	if (sandbox)
++	if (sandbox || secure)
+ 	{
+ 	    safe = get_sv("VIM::safe", FALSE);
+ # ifndef MAKE_TEST  /* avoid a warning for unreachable code */
+ 	    if (safe == NULL || !SvTRUE(safe))
+-		EMSG(_("E299: Perl evaluation forbidden in sandbox without the Safe module"));
++		EMSG(_(e_perlsandbox));
+ 	    else
+ # endif
+ 	    {
+@@ -1281,7 +1279,6 @@ do_perleval(char_u *str, typval_T *rettv)
+ 	    }
+ 	}
+ 	else
+-#endif /* HAVE_SANDBOX */
+ 	    sv = eval_pv((char *)str, 0);
+ 
+ 	if (sv) {
+diff --git a/src/testdir/Make_all.mak b/src/testdir/Make_all.mak
+index e36089a..5f1c38c 100644
+--- a/src/testdir/Make_all.mak
++++ b/src/testdir/Make_all.mak
+@@ -156,6 +156,7 @@ NEW_TESTS = test_arabic.res \
+ 	    test_quotestar.res \
+ 	    test_regex_char_classes.res \
+ 	    test_registers.res \
++	    test_restricted.res \
+ 	    test_retab.res \
+ 	    test_ruby.res \
+ 	    test_scrollbind.res \
+diff --git a/src/testdir/test_restricted.vim b/src/testdir/test_restricted.vim
+new file mode 100644
+index 0000000..9dd937c
+--- /dev/null
++++ b/src/testdir/test_restricted.vim
+@@ -0,0 +1,107 @@
++" Test for "rvim" or "vim -Z"
++
++source shared.vim
++
++func Test_restricted()
++  let cmd = GetVimCommand('Xrestricted')
++  if cmd == ''
++    return
++  endif
++
++  call writefile([
++	\ "silent !ls",
++	\ "call writefile([v:errmsg], 'Xrestrout')",
++	\ "qa!",
++	\ ], 'Xrestricted')
++  call system(cmd . ' -Z')
++  call assert_match('E145:', join(readfile('Xrestrout')))
++
++  call delete('Xrestricted')
++  call delete('Xrestrout')
++endfunc
++
++func Run_restricted_test(ex_cmd, error)
++  let cmd = GetVimCommand('Xrestricted')
++  if cmd == ''
++    return
++  endif
++
++  call writefile([
++	\ a:ex_cmd,
++	\ "call writefile([v:errmsg], 'Xrestrout')",
++	\ "qa!",
++	\ ], 'Xrestricted')
++  call system(cmd . ' -Z')
++  call assert_match(a:error, join(readfile('Xrestrout')))
++
++  call delete('Xrestricted')
++  call delete('Xrestrout')
++endfunc
++
++func Test_restricted_lua()
++  if !has('lua')
++    throw 'Skipped: Lua is not supported'
++  endif
++  call Run_restricted_test('lua print("Hello, Vim!")', 'E981:')
++  call Run_restricted_test('luado return "hello"', 'E981:')
++  call Run_restricted_test('luafile somefile', 'E981:')
++  call Run_restricted_test('call luaeval("expression")', 'E145:')
++endfunc
++
++func Test_restricted_mzscheme()
++  if !has('mzscheme')
++    throw 'Skipped: MzScheme is not supported'
++  endif
++  call Run_restricted_test('mzscheme statement', 'E981:')
++  call Run_restricted_test('mzfile somefile', 'E981:')
++  call Run_restricted_test('call mzeval("expression")', 'E145:')
++endfunc
++
++func Test_restricted_perl()
++  if !has('perl')
++    throw 'Skipped: Perl is not supported'
++  endif
++  " TODO: how to make Safe mode fail?
++  " call Run_restricted_test('perl system("ls")', 'E981:')
++  " call Run_restricted_test('perldo system("hello")', 'E981:')
++  " call Run_restricted_test('perlfile somefile', 'E981:')
++  " call Run_restricted_test('call perleval("system(\"ls\")")', 'E145:')
++endfunc
++
++func Test_restricted_python()
++  if !has('python')
++    throw 'Skipped: Python is not supported'
++  endif
++  call Run_restricted_test('python print "hello"', 'E981:')
++  call Run_restricted_test('pydo return "hello"', 'E981:')
++  call Run_restricted_test('pyfile somefile', 'E981:')
++  call Run_restricted_test('call pyeval("expression")', 'E145:')
++endfunc
++
++func Test_restricted_python3()
++  if !has('python3')
++    throw 'Skipped: Python3 is not supported'
++  endif
++  call Run_restricted_test('py3 print "hello"', 'E981:')
++  call Run_restricted_test('py3do return "hello"', 'E981:')
++  call Run_restricted_test('py3file somefile', 'E981:')
++  call Run_restricted_test('call py3eval("expression")', 'E145:')
++endfunc
++
++func Test_restricted_ruby()
++  if !has('ruby')
++    throw 'Skipped: Ruby is not supported'
++  endif
++  call Run_restricted_test('ruby print "Hello"', 'E981:')
++  call Run_restricted_test('rubydo print "Hello"', 'E981:')
++  call Run_restricted_test('rubyfile somefile', 'E981:')
++endfunc
++
++func Test_restricted_tcl()
++  if !has('tcl')
++    throw 'Skipped: Tcl is not supported'
++  endif
++  call Run_restricted_test('tcl puts "Hello"', 'E981:')
++  call Run_restricted_test('tcldo puts "Hello"', 'E981:')
++  call Run_restricted_test('tclfile somefile', 'E981:')
++endfunc

SOURCES/0001-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch

@@ -0,0 +1,35 @@
+diff -up vim80/src/screen.c.cve3872 vim80/src/screen.c
+--- vim80/src/screen.c.cve3872	2021-10-21 13:20:27.694921335 +0200
++++ vim80/src/screen.c	2021-10-21 13:22:42.221732996 +0200
+@@ -6911,13 +6911,13 @@ win_redr_status(win_T *wp)
+ 	    *(p + len++) = ' ';
+ 	if (bt_help(wp->w_buffer))
+ 	{
+-	    STRCPY(p + len, _("[Help]"));
++	    vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[Help]"));
+ 	    len += (int)STRLEN(p + len);
+ 	}
+ #ifdef FEAT_QUICKFIX
+ 	if (wp->w_p_pvw)
+ 	{
+-	    STRCPY(p + len, _("[Preview]"));
++	    vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[Preview]"));
+ 	    len += (int)STRLEN(p + len);
+ 	}
+ #endif
+@@ -6927,12 +6927,12 @@ win_redr_status(win_T *wp)
+ #endif
+ 		)
+ 	{
+-	    STRCPY(p + len, "[+]");
+-	    len += 3;
++	    vim_snprintf((char *)p + len, MAXPATHL - len, "%s", "[+]");
++	    len += (int)STRLEN(p + len);
+ 	}
+ 	if (wp->w_buffer->b_p_ro)
+ 	{
+-	    STRCPY(p + len, _("[RO]"));
++	    vim_snprintf((char *)p + len, MAXPATHL - len, "%s", _("[RO]"));
+ 	    len += (int)STRLEN(p + len);
+ 	}
+ 

SOURCES/0001-patch-8.2.3625-illegal-memory-access-when-C-indentin.patch

@@ -0,0 +1,34 @@
+diff --git a/src/misc1.c b/src/misc1.c
+index de79c8e..1c5867d 100644
+--- a/src/misc1.c
++++ b/src/misc1.c
+@@ -6792,7 +6792,7 @@ find_start_brace(void)	    /* XXX */
+ 		       && (pos = ind_find_start_CORS(NULL)) == NULL) /* XXX */
+ 	    break;
+ 	if (pos != NULL)
+-	    curwin->w_cursor.lnum = pos->lnum;
++	    curwin->w_cursor = *pos;
+     }
+     curwin->w_cursor = cursor_save;
+     return trypos;
+diff --git a/src/testdir/test_cindent.vim b/src/testdir/test_cindent.vim
+index 7c2c5e3..f8c7e57 100644
+--- a/src/testdir/test_cindent.vim
++++ b/src/testdir/test_cindent.vim
+@@ -102,4 +102,16 @@ func Test_cindent_expr()
+   bw!
+ endfunc
+ 
++func Test_find_brace_backwards()
++  " this was looking beyond the end of the line
++  new
++  norm R/*
++  norm o0{
++  norm o//
++  norm V{=
++  call assert_equal(['/*', '   0{', '//'], getline(1, 3))
++  bwipe!
++endfunc
++
++
+ " vim: shiftwidth=2 sts=2 expandtab

SOURCES/0001-patch-8.2.3669-buffer-overflow-with-long-help-argume.patch

@@ -0,0 +1,14 @@
+diff --git a/src/ex_cmds.c b/src/ex_cmds.c
+index 1827fec..e69fbd3 100644
+--- a/src/ex_cmds.c
++++ b/src/ex_cmds.c
+@@ -6537,8 +6537,7 @@ find_help_tags(
+ 		    || (vim_strchr((char_u *)"%_z@", arg[1]) != NULL
+ 							   && arg[2] != NUL)))
+ 	{
+-	    STRCPY(d, "/\\\\");
+-	    STRCPY(d + 3, arg + 1);
++	    vim_snprintf((char *)d, IOSIZE, "/\\\\%s", arg + 1);
+ 	    /* Check for "/\\_$", should be "/\\_\$" */
+ 	    if (d[3] == '_' && d[4] == '$')
+ 		STRCPY(d + 4, "\\$");

SOURCES/0001-patch-8.2.3949-using-freed-memory-with-V.patch

@@ -0,0 +1,45 @@
+diff -up vim80/src/regexp.c.cve4192 vim80/src/regexp.c
+--- vim80/src/regexp.c.cve4192	2022-01-12 15:21:44.792239040 +0100
++++ vim80/src/regexp.c	2022-01-12 15:34:35.190425880 +0100
+@@ -4203,9 +4203,9 @@ reg_match_visual(void)
+     if (lnum < top.lnum || lnum > bot.lnum)
+ 	return FALSE;
+ 
++    col = (colnr_T)(reginput - regline);
+     if (mode == 'v')
+     {
+-	col = (colnr_T)(reginput - regline);
+ 	if ((lnum == top.lnum && col < top.col)
+ 		|| (lnum == bot.lnum && col >= bot.col + (*p_sel != 'e')))
+ 	    return FALSE;
+@@ -4220,7 +4220,12 @@ reg_match_visual(void)
+ 	    end = end2;
+ 	if (top.col == MAXCOL || bot.col == MAXCOL)
+ 	    end = MAXCOL;
+-	cols = win_linetabsize(wp, regline, (colnr_T)(reginput - regline));
++
++	// getvvcol() flushes rex.line, need to get it again
++	regline = reg_getline(reglnum);
++	reginput = regline + col;
++
++	cols = win_linetabsize(wp, regline, col);
+ 	if (cols < start || cols > end - (*p_sel == 'e'))
+ 	    return FALSE;
+     }
+diff -up vim80/src/testdir/test_regexp_latin.vim.cve4192 vim80/src/testdir/test_regexp_latin.vim
+--- vim80/src/testdir/test_regexp_latin.vim.cve4192	2022-01-12 15:21:44.792239040 +0100
++++ vim80/src/testdir/test_regexp_latin.vim	2022-01-12 15:36:12.499693099 +0100
+@@ -80,3 +80,13 @@ func Test_using_invalid_visual_position(
+   /\%V
+   bwipe!
+ endfunc
++
++func Test_using_visual_position()
++  " this was using freed memory
++  new
++  exe "norm 0o\<Esc>\<C-V>k\<C-X>o0"
++  /\%V
++  bwipe!
++endfunc
++
++" vim: shiftwidth=2 sts=2 expandtab

SOURCES/0001-patch-8.2.3950-going-beyond-the-end-of-the-line-with.patch

@@ -0,0 +1,38 @@
+diff -up vim80/src/charset.c.cve4193 vim80/src/charset.c
+--- vim80/src/charset.c.cve4193	2022-01-12 14:49:08.710592947 +0100
++++ vim80/src/charset.c	2022-01-12 14:49:47.594705863 +0100
+@@ -1291,10 +1291,15 @@ getvcol(
+ 	posptr = NULL;  /* continue until the NUL */
+     else
+     {
+-	/* Special check for an empty line, which can happen on exit, when
+-	 * ml_get_buf() always returns an empty string. */
+-	if (*ptr == NUL)
+-	    pos->col = 0;
++	colnr_T i;
++
++	// In a few cases the position can be beyond the end of the line.
++	for (i = 0; i < pos->col; ++i)
++	    if (ptr[i] == NUL)
++	    {
++		pos->col = i;
++		break;
++	    }
+ 	posptr = ptr + pos->col;
+ #ifdef FEAT_MBYTE
+ 	if (has_mbyte)
+diff -up vim80/src/testdir/test_regexp_latin.vim.cve4193 vim80/src/testdir/test_regexp_latin.vim
+--- vim80/src/testdir/test_regexp_latin.vim.cve4193	2022-01-12 14:49:08.710592947 +0100
++++ vim80/src/testdir/test_regexp_latin.vim	2022-01-12 14:50:45.186873107 +0100
+@@ -72,3 +72,11 @@ func Test_backref()
+   call assert_fails('call search("\\%#=2\\(e\\1\\)")', 'E65:')
+   bwipe!
+ endfunc
++
++func Test_using_invalid_visual_position()
++  " this was going beyond the end of the line
++  new
++  exe "norm 0o000\<Esc>0\<C-V>$s0"
++  /\%V
++  bwipe!
++endfunc

SOURCES/0001-patch-8.2.4120-block-insert-goes-over-the-end-of-the.patch

@@ -0,0 +1,95 @@
+diff -up vim80/src/ops.c.cve0261 vim80/src/ops.c
+--- vim80/src/ops.c.cve0261	2022-01-26 14:30:27.475308323 +0100
++++ vim80/src/ops.c	2022-01-26 14:34:16.650933713 +0100
+@@ -636,23 +636,30 @@ block_insert(
+ 	    if (b_insert)
+ 	    {
+ 		off = (*mb_head_off)(oldp, oldp + offset + spaces);
++		spaces -= off;
++		count -= off;
+ 	    }
+ 	    else
+ 	    {
+-		off = (*mb_off_next)(oldp, oldp + offset);
+-		offset += off;
++		// spaces fill the gap, the character that's at the edge moves
++		// right
++		off = (*mb_head_off)(oldp, oldp + offset);
++		offset -= off;
+ 	    }
+ 	    spaces -= off;
+ 	    count -= off;
+ 	}
+ #endif
+ 
+-	newp = alloc_check((unsigned)(STRLEN(oldp)) + s_len + count + 1);
++	// Make sure the allocated size matches what is actually copied below.
++	newp = alloc(STRLEN(oldp) + spaces + s_len
++		    + (spaces > 0 && !bdp->is_short ? p_ts - spaces : 0)
++								  + count + 1);
+ 	if (newp == NULL)
+ 	    continue;
+ 
+ 	/* copy up to shifted part */
+-	mch_memmove(newp, oldp, (size_t)(offset));
++	mch_memmove(newp, oldp, (size_t)offset);
+ 	oldp += offset;
+ 
+ 	/* insert pre-padding */
+@@ -662,14 +669,21 @@ block_insert(
+ 	mch_memmove(newp + offset + spaces, s, (size_t)s_len);
+ 	offset += s_len;
+ 
+-	if (spaces && !bdp->is_short)
++	if (spaces > 0 && !bdp->is_short)
+ 	{
+-	    /* insert post-padding */
+-	    vim_memset(newp + offset + spaces, ' ', (size_t)(p_ts - spaces));
+-	    /* We're splitting a TAB, don't copy it. */
+-	    oldp++;
+-	    /* We allowed for that TAB, remember this now */
+-	    count++;
++	    if (*oldp == TAB)
++	    {
++		// insert post-padding
++		vim_memset(newp + offset + spaces, ' ',
++						    (size_t)(p_ts - spaces));
++		// we're splitting a TAB, don't copy it
++		oldp++;
++		// We allowed for that TAB, remember this now
++		count++;
++	    }
++	    else
++		// Not a TAB, no extra spaces
++		count = spaces;
+ 	}
+ 
+ 	if (spaces > 0)
+@@ -2738,9 +2752,9 @@ op_insert(oparg_T *oap, long count1)
+ 		oap->start_vcol = t;
+ 	    }
+ 	    else if (oap->op_type == OP_APPEND
+-		      && oap->end.col
++		      && oap->start.col
+ #ifdef FEAT_VIRTUALEDIT
+-			    + oap->end.coladd
++			    + oap->start.coladd
+ #endif
+ 			>= curbuf->b_op_start_orig.col
+ #ifdef FEAT_VIRTUALEDIT
+diff -up vim80/src/testdir/test_visual.vim.cve0261 vim80/src/testdir/test_visual.vim
+--- vim80/src/testdir/test_visual.vim.cve0261	2022-01-26 14:30:27.476308325 +0100
++++ vim80/src/testdir/test_visual.vim	2022-01-26 14:36:03.482225225 +0100
+@@ -254,3 +254,12 @@ func Test_virtual_replace2()
+   %d_
+   set bs&vim
+ endfunc
++
++func Test_visual_block_append_invalid_char()
++  " this was going over the end of the line
++  new
++  call setline(1, ['	   let xxx', 'xxxxxˆ', 'xxxxxxxxxxx'])
++  exe "normal 0\<C-V>jjA-\<Esc>"
++  call assert_equal(['	-   let xxx', 'xxxxx   -ˆ', 'xxxxxxxx-xxx'], getline(1, 3))
++  bwipe!
++endfunc

SOURCES/0001-patch-8.2.4151-reading-beyond-the-end-of-a-line.patch

@@ -0,0 +1,46 @@
+diff --git a/src/ops.c b/src/ops.c
+index e9cfb1d..e35b033 100644
+--- a/src/ops.c
++++ b/src/ops.c
+@@ -629,26 +629,9 @@ block_insert(
+ 
+ #ifdef FEAT_MBYTE
+ 	if (has_mbyte && spaces > 0)
+-	{
+-	    int off;
++	    // avoid copying part of a multi-byte character
++	    offset -= (*mb_head_off)(oldp, oldp + offset);
+ 
+-	    /* Avoid starting halfway a multi-byte character. */
+-	    if (b_insert)
+-	    {
+-		off = (*mb_head_off)(oldp, oldp + offset + spaces);
+-		spaces -= off;
+-		count -= off;
+-	    }
+-	    else
+-	    {
+-		// spaces fill the gap, the character that's at the edge moves
+-		// right
+-		off = (*mb_head_off)(oldp, oldp + offset);
+-		offset -= off;
+-	    }
+-	    spaces -= off;
+-	    count -= off;
+-	}
+ #endif
+ 
+ 	// Make sure the allocated size matches what is actually copied below.
+diff --git a/src/testdir/test_utf8.vim b/src/testdir/test_utf8.vim
+index 24e3db8..1042720 100644
+--- a/src/testdir/test_utf8.vim
++++ b/src/testdir/test_utf8.vim
+@@ -9,7 +9,7 @@ func Test_visual_block_insert()
+   new
+   call setline(1, ["aaa", "あああ", "bbb"])
+   exe ":norm! gg0l\<C-V>jjIx\<Esc>"
+-  call assert_equal(['axaa', 'xあああ', 'bxbb'], getline(1, '$'))
++  call assert_equal(['axaa', ' xあああ', 'bxbb'], getline(1, '$'))
+   bwipeout!
+ endfunc
+ 

SOURCES/0001-patch-8.2.4214-illegal-memory-access-with-large-tabs.patch

@@ -0,0 +1,12 @@
+diff -up vim80/src/ex_getln.c.cve0359 vim80/src/ex_getln.c
+--- vim80/src/ex_getln.c.cve0359	2022-01-27 16:55:41.386213891 +0100
++++ vim80/src/ex_getln.c	2022-01-27 17:00:20.330960544 +0100
+@@ -300,7 +300,7 @@ getcmdline(
+     ccline.cmdindent = (firstc > 0 ? indent : 0);
+ 
+     /* alloc initial ccline.cmdbuff */
+-    alloc_cmdbuff(exmode_active ? 250 : indent + 1);
++    alloc_cmdbuff(indent + 50);
+     if (ccline.cmdbuff == NULL)
+ 	return NULL;			    /* out of memory */
+     ccline.cmdlen = ccline.cmdpos = 0;

SOURCES/0001-patch-8.2.4215-illegal-memory-access-when-copying-li.patch

@@ -0,0 +1,33 @@
+diff -up vim80/src/ex_cmds.c.cve0361 vim80/src/ex_cmds.c
+--- vim80/src/ex_cmds.c.cve0361	2022-02-08 12:20:51.277666290 +0100
++++ vim80/src/ex_cmds.c	2022-02-08 12:20:51.280666209 +0100
+@@ -983,6 +983,8 @@ ex_copy(linenr_T line1, linenr_T line2,
+     }
+ 
+     appended_lines_mark(n, count);
++    if (VIsual_active)
++	check_pos(curbuf, &VIsual);
+ 
+     msgmore((long)count);
+ }
+diff -up vim80/src/testdir/test_visual.vim.cve0361 vim80/src/testdir/test_visual.vim
+--- vim80/src/testdir/test_visual.vim.cve0361	2022-02-08 12:20:51.280666209 +0100
++++ vim80/src/testdir/test_visual.vim	2022-02-08 12:21:44.530356814 +0100
+@@ -263,3 +263,17 @@ func Test_visual_block_append_invalid_ch
+   call assert_equal(['	-   let xxx', 'xxxxx   -ˆ', 'xxxxxxxx-xxx'], getline(1, 3))
+   bwipe!
+ endfunc
++
++" this was leaving the end of the Visual area beyond the end of a line
++func Test_visual_ex_copy_line()
++  new
++  call setline(1, ["aaa", "bbbbbbbbbxbb"])
++  /x
++  exe "normal ggvjfxO"
++  t0
++  normal gNU
++  bwipe!
++endfunc
++
++
++" vim: shiftwidth=2 sts=2 expandtab

SOURCES/0001-patch-8.2.4218-illegal-memory-access-with-bracketed-.patch

@@ -0,0 +1,85 @@
+commit ec45bc7682fd698d8d39f43732129c4d092355f3
+Author: Tomas Korbar <tkorbar@redhat.com>
+Date:   Wed Feb 2 16:30:11 2022 +0100
+
+    Fix illegal memory access with bracketed paste in Ex mode
+
+diff --git a/src/edit.c b/src/edit.c
+index f29fbc7..57b8dce 100644
+--- a/src/edit.c
++++ b/src/edit.c
+@@ -9519,27 +9519,33 @@ bracketed_paste(paste_mode_T mode, int drop, garray_T *gap)
+     int		ret_char = -1;
+     int		save_allow_keys = allow_keys;
+     int		save_paste = p_paste;
+-    int		save_ai = curbuf->b_p_ai;
+ 
+-    /* If the end code is too long we can't detect it, read everything. */
+-    if (STRLEN(end) >= NUMBUFLEN)
++    // If the end code is too long we can't detect it, read everything.
++    if (end != NULL && STRLEN(end) >= NUMBUFLEN)
+ 	end = NULL;
+     ++no_mapping;
+     allow_keys = 0;
+-    p_paste = TRUE;
+-    curbuf->b_p_ai = FALSE;
++    if (!p_paste)
++	// Also have the side effects of setting 'paste' to make it work much
++	// faster.
++	set_option_value((char_u *)"paste", TRUE, NULL, 0);
+ 
+     for (;;)
+     {
+ 	/* When the end is not defined read everything. */
+ 	if (end == NULL && vpeekc() == NUL)
+ 	    break;
+-	c = plain_vgetc();
+-#ifdef FEAT_MBYTE
++	do
++	    c = vgetc();
++	while (c == K_IGNORE || c == K_VER_SCROLLBAR || c == K_HOR_SCROLLBAR);
++	if (c == NUL || got_int || (ex_normal_busy > 0 && c == Ctrl_C))
++	    // When CTRL-C was encountered the typeahead will be flushed and we
++	    // won't get the end sequence.  Except when using ":normal".
++	    break;
++
+ 	if (has_mbyte)
+ 	    idx += (*mb_char2bytes)(c, buf + idx);
+ 	else
+-#endif
+ 	    buf[idx++] = c;
+ 	buf[idx] = NUL;
+ 	if (end != NULL && STRNCMP(buf, end, idx) == 0)
+@@ -9557,7 +9563,8 @@ bracketed_paste(paste_mode_T mode, int drop, garray_T *gap)
+ 		    break;
+ 
+ 		case PASTE_EX:
+-		    if (gap != NULL && ga_grow(gap, idx) == OK)
++		    // add one for the NUL that is going to be appended
++		    if (gap != NULL && ga_grow(gap, idx + 1) == OK)
+ 		    {
+ 			mch_memmove((char *)gap->ga_data + gap->ga_len,
+ 							     buf, (size_t)idx);
+@@ -9582,11 +9589,9 @@ bracketed_paste(paste_mode_T mode, int drop, garray_T *gap)
+ 		case PASTE_ONE_CHAR:
+ 		    if (ret_char == -1)
+ 		    {
+-#ifdef FEAT_MBYTE
+ 			if (has_mbyte)
+ 			    ret_char = (*mb_ptr2char)(buf);
+ 			else
+-#endif
+ 			    ret_char = buf[0];
+ 		    }
+ 		    break;
+@@ -9597,8 +9602,8 @@ bracketed_paste(paste_mode_T mode, int drop, garray_T *gap)
+ 
+     --no_mapping;
+     allow_keys = save_allow_keys;
+-    p_paste = save_paste;
+-    curbuf->b_p_ai = save_ai;
++    if (!save_paste)
++	set_option_value((char_u *)"paste", FALSE, NULL, 0);
+ 
+     return ret_char;
+ }

SOURCES/0001-patch-8.2.4253-using-freed-memory-when-substitute-wi.patch

@@ -0,0 +1,51 @@
+commit c604f3ad4782fde770617ff688e1ceac0dc1bd7c
+Author: Tomas Korbar <tkorbar@redhat.com>
+Date:   Thu Feb 3 10:14:42 2022 +0100
+
+    Fix using freed memory when substitute with function call
+
+diff --git a/src/ex_cmds.c b/src/ex_cmds.c
+index e69fbd3..0788573 100644
+--- a/src/ex_cmds.c
++++ b/src/ex_cmds.c
+@@ -4767,6 +4767,7 @@ do_sub(exarg_T *eap)
+     int		save_do_all;		/* remember user specified 'g' flag */
+     int		save_do_ask;		/* remember user specified 'c' flag */
+     char_u	*pat = NULL, *sub = NULL;	/* init for GCC */
++	char_u	*sub_copy = NULL;
+     int		delimiter;
+     int		sublen;
+     int		got_quit = FALSE;
+@@ -5062,11 +5063,20 @@ do_sub(exarg_T *eap)
+     sub_firstline = NULL;
+ 
+     /*
+-     * ~ in the substitute pattern is replaced with the old pattern.
+-     * We do it here once to avoid it to be replaced over and over again.
+-     * But don't do it when it starts with "\=", then it's an expression.
++     * If the substitute pattern starts with "\=" then it's an expression.
++     * Make a copy, a recursive function may free it.
++     * Otherwise, '~' in the substitute pattern is replaced with the old
++     * pattern.  We do it here once to avoid it to be replaced over and over
++     * again.
+      */
+-    if (!(sub[0] == '\\' && sub[1] == '='))
++    if (sub[0] == '\\' && sub[1] == '=')
++    {
++	sub = vim_strsave(sub);
++	if (sub == NULL)
++	    return;
++	sub_copy = sub;
++    }
++    else
+ 	sub = regtilde(sub, p_magic);
+ 
+     /*
+@@ -5825,6 +5835,7 @@ outofmem:
+ #endif
+ 
+     vim_regfree(regmatch.regprog);
++	vim_free(sub_copy);
+ 
+     /* Restore the flag values, they can be used for ":&&". */
+     subflags.do_all = save_do_all;

SOURCES/0001-patch-8.2.4646-using-buffer-line-after-it-has-been-f.patch

@@ -0,0 +1,22 @@
+diff -up vim80/src/regexp.c.cve1154 vim80/src/regexp.c
+--- vim80/src/regexp.c.cve1154	2022-04-09 12:01:30.054452927 +0200
++++ vim80/src/regexp.c	2022-04-09 12:02:48.987999877 +0200
+@@ -4415,8 +4415,17 @@ regmatch(
+ 		int	mark = OPERAND(scan)[0];
+ 		int	cmp = OPERAND(scan)[1];
+ 		pos_T	*pos;
++		size_t	col = REG_MULTI ? reginput - regline : 0;
+ 
+ 		pos = getmark_buf(rex.reg_buf, mark, FALSE);
++
++		// Line may have been freed, get it again.
++		if (REG_MULTI)
++		{
++		    regline = reg_getline(reglnum);
++		    reginput = regline + col;
++		}
++
+ 		if (pos == NULL		     /* mark doesn't exist */
+ 			|| pos->lnum <= 0    /* mark isn't set in reg_buf */
+ 			|| (pos->lnum == reglnum + rex.reg_firstlnum
+diff -up vim80/src/testdir/test_regexp_latin.vim.cve1154 vim80/src/testdir/test_regexp_latin.vim

SOURCES/0001-patch-8.2.4919-can-add-invalid-bytes-with-spellgood.patch

@@ -0,0 +1,57 @@
+diff --git a/src/globals.h b/src/globals.h
+index d5320d7..968ba33 100644
+--- a/src/globals.h
++++ b/src/globals.h
+@@ -1657,6 +1657,11 @@ EXTERN int *eval_lavars_used INIT(= NULL);
+ EXTERN int ctrl_break_was_pressed INIT(= FALSE);
+ #endif
+ 
++#ifdef FEAT_SPELL
++EXTERN char e_illegal_character_in_word[]
++	INIT(= N_("E1280: Illegal character in word"));
++#endif
++
+ /*
+  * Optional Farsi support.  Include it here, so EXTERN and INIT are defined.
+  */
+diff --git a/src/mbyte.c b/src/mbyte.c
+index 6d21f11..a7531f1 100644
+--- a/src/mbyte.c
++++ b/src/mbyte.c
+@@ -4034,7 +4034,7 @@ theend:
+     convert_setup(&vimconv, NULL, NULL);
+ }
+ 
+-#if defined(FEAT_GUI_GTK) || defined(PROTO)
++#if defined(FEAT_GUI_GTK) || defined(FEAT_SPELL) || defined(PROTO)
+ /*
+  * Return TRUE if string "s" is a valid utf-8 string.
+  * When "end" is NULL stop at the first NUL.
+diff --git a/src/spellfile.c b/src/spellfile.c
+index 496e07f..92997ef 100644
+--- a/src/spellfile.c
++++ b/src/spellfile.c
+@@ -4441,6 +4441,10 @@ store_word(
+     int		res = OK;
+     char_u	*p;
+ 
++    // Avoid adding illegal bytes to the word tree.
++    if (enc_utf8 && !utf_valid_string(word, NULL))
++	return FAIL;
++
+     (void)spell_casefold(word, len, foldword, MAXWLEN);
+     for (p = pfxlist; res == OK; ++p)
+     {
+@@ -6251,6 +6255,12 @@ spell_add_word(
+     int		i;
+     char_u	*spf;
+ 
++    if (enc_utf8 && !utf_valid_string(word, NULL))
++    {
++	EMSG(_(e_illegal_character_in_word));
++	return;
++    }
++
+     if (idx == 0)	    /* use internal wordlist */
+     {
+ 	if (int_wordlist == NULL)

SOURCES/0001-patch-8.2.4925-trailing-backslash-may-cause-reading-.patch

@@ -0,0 +1,15 @@
+diff -up vim80/src/search.c.cve1629 vim80/src/search.c
+--- vim80/src/search.c.cve1629	2022-05-24 13:55:06.789859865 +0200
++++ vim80/src/search.c	2022-05-24 13:56:31.889218958 +0200
+@@ -4349,7 +4349,11 @@ find_next_quote(
+ 	if (c == NUL)
+ 	    return -1;
+ 	else if (escape != NULL && vim_strchr(escape, c))
++	{
+ 	    ++col;
++	    if (line[col] == NUL)
++		return -1;
++	}
+ 	else if (c == quotechar)
+ 	    break;
+ #ifdef FEAT_MBYTE

SOURCES/0001-patch-8.2.4977-memory-access-error-when-substitute-e.patch

@@ -0,0 +1,57 @@
+diff -up vim80/src/ex_cmds.c.cve1785 vim80/src/ex_cmds.c
+--- vim80/src/ex_cmds.c.cve1785	2022-06-10 10:46:33.818286626 +0200
++++ vim80/src/ex_cmds.c	2022-06-10 10:58:04.009515524 +0200
+@@ -5486,12 +5486,17 @@ do_sub(exarg_T *eap)
+ 		/* Save flags for recursion.  They can change for e.g.
+ 		 * :s/^/\=execute("s#^##gn") */
+ 		subflags_save = subflags;
++
++		// Disallow changing text or switching window in an expression.
++		++textlock;
+ #endif
+ 		/* get length of substitution part */
+ 		sublen = vim_regsub_multi(&regmatch,
+ 				    sub_firstlnum - regmatch.startpos[0].lnum,
+ 				    sub, sub_firstline, FALSE, p_magic, TRUE);
+ #ifdef FEAT_EVAL
++		--textlock;
++
+ 		/* Don't keep flags set by a recursive call. */
+ 		subflags = subflags_save;
+ 		if (subflags.do_count)
+@@ -5570,9 +5575,15 @@ do_sub(exarg_T *eap)
+ 		mch_memmove(new_end, sub_firstline + copycol, (size_t)copy_len);
+ 		new_end += copy_len;
+ 
++#ifdef FEAT_EVAL
++		++textlock;
++#endif
+ 		(void)vim_regsub_multi(&regmatch,
+ 				    sub_firstlnum - regmatch.startpos[0].lnum,
+ 					   sub, new_end, TRUE, p_magic, TRUE);
++#ifdef FEAT_EVAL
++		--textlock;
++#endif
+ 		sub_nsubs++;
+ 		did_sub = TRUE;
+ 
+diff -up vim80/src/testdir/test_substitute.vim.cve1785 vim80/src/testdir/test_substitute.vim
+--- vim80/src/testdir/test_substitute.vim.cve1785	2022-06-10 10:46:33.818286626 +0200
++++ vim80/src/testdir/test_substitute.vim	2022-06-10 10:59:17.168437630 +0200
+@@ -500,3 +500,16 @@ func Test_sub_cmd_8()
+   enew!
+   set titlestring&
+ endfunc
++
++" This was switching windows in between computing the length and using it.
++func Test_sub_change_window()
++  silent! lfile
++  sil! norm o0000000000000000000000000000000000000000000000000000
++  func Repl()
++    lopen
++  endfunc
++  silent!  s/\%')/\=Repl()
++  bwipe!
++  bwipe!
++  delfunc Repl
++endfunc

SOURCES/0001-patch-8.2.5023-substitute-overwrites-allocated-buffe.patch

@@ -0,0 +1,120 @@
+diff -up vim80/src/normal.c.cve1897 vim80/src/normal.c
+--- vim80/src/normal.c.cve1897	2022-06-13 14:50:22.800290132 +0200
++++ vim80/src/normal.c	2022-06-13 14:55:06.082861349 +0200
+@@ -532,6 +532,22 @@ find_command(int cmdchar)
+ }
+ 
+ /*
++ * If currently editing a cmdline or text is locked: beep and give an error
++ * message, return TRUE.
++ */
++    static int
++check_text_locked(oparg_T *oap)
++{
++    if (text_locked())
++    {
++	clearopbeep(oap);
++	text_locked_msg();
++	return TRUE;
++    }
++    return FALSE;
++}
++
++/*
+  * Execute a command in Normal mode.
+  */
+     void
+@@ -792,14 +808,9 @@ getcount:
+ 	goto normal_end;
+     }
+ 
+-    if (text_locked() && (nv_cmds[idx].cmd_flags & NV_NCW))
+-    {
+-	/* This command is not allowed while editing a cmdline: beep. */
+-	clearopbeep(oap);
+-	text_locked_msg();
+-	goto normal_end;
+-    }
+-    if ((nv_cmds[idx].cmd_flags & NV_NCW) && curbuf_locked())
++    if ((nv_cmds[idx].cmd_flags & NV_NCW)
++				&& (check_text_locked(oap) || curbuf_locked()))
++	// this command is not allowed now
+ 	goto normal_end;
+ 
+     /*
+@@ -6234,12 +6245,8 @@ nv_gotofile(cmdarg_T *cap)
+     char_u	*ptr;
+     linenr_T	lnum = -1;
+ 
+-    if (text_locked())
+-    {
+-	clearopbeep(cap->oap);
+-	text_locked_msg();
++    if (check_text_locked(cap->oap))
+ 	return;
+-    }
+     if (curbuf_locked())
+     {
+ 	clearop(cap->oap);
+@@ -8420,14 +8427,7 @@ nv_g_cmd(cmdarg_T *cap)
+ 
+     /* "gQ": improved Ex mode */
+     case 'Q':
+-	if (text_locked())
+-	{
+-	    clearopbeep(cap->oap);
+-	    text_locked_msg();
+-	    break;
+-	}
+-
+-	if (!checkclearopq(oap))
++	if (!check_text_locked(cap->oap) && !checkclearopq(oap))
+ 	    do_exmode(TRUE);
+ 	break;
+ 
+diff -up vim80/src/testdir/test_substitute.vim.cve1897 vim80/src/testdir/test_substitute.vim
+--- vim80/src/testdir/test_substitute.vim.cve1897	2022-06-13 14:50:22.849290402 +0200
++++ vim80/src/testdir/test_substitute.vim	2022-06-13 14:55:50.370111134 +0200
+@@ -513,3 +513,26 @@ func Test_sub_change_window()
+   bwipe!
+   delfunc Repl
+ endfunc
++
++" This was undoign a change in between computing the length and using it.
++func Do_Test_sub_undo_change()
++  new
++  norm o0000000000000000000000000000000000000000000000000000
++  silent! s/\%')/\=Repl()
++  bwipe!
++endfunc
++
++func Test_sub_undo_change()
++  func Repl()
++    silent! norm g-
++  endfunc
++  call Do_Test_sub_undo_change()
++
++  func! Repl()
++    silent earlier
++  endfunc
++  call Do_Test_sub_undo_change()
++
++  delfunc Repl
++endfunc
++
+diff -up vim80/src/undo.c.cve1897 vim80/src/undo.c
+--- vim80/src/undo.c.cve1897	2022-06-13 14:50:22.849290402 +0200
++++ vim80/src/undo.c	2022-06-13 14:56:57.916492090 +0200
+@@ -2283,6 +2283,12 @@ undo_time(
+     if (curbuf->b_u_synced == FALSE)
+ 	u_sync(TRUE);
+ 
++    if (text_locked())
++    {
++	text_locked_msg();
++	return;
++    }
++
+     u_newcount = 0;
+     u_oldcount = 0;
+     if (curbuf->b_ml.ml_flags & ML_EMPTY)

SOURCES/0001-patch-8.2.5037-cursor-position-may-be-invalid-after-.patch

@@ -0,0 +1,85 @@
+diff -up vim80/src/ex_docmd.c.cve1927 vim80/src/ex_docmd.c
+--- vim80/src/ex_docmd.c.cve1927	2022-06-13 16:31:41.841068554 +0200
++++ vim80/src/ex_docmd.c	2022-06-13 16:37:02.789876973 +0200
+@@ -1720,6 +1720,8 @@ do_one_cmd(
+     int			ni;			/* set when Not Implemented */
+     char_u		*cmd;
+     int			address_count = 1;
++    int			need_check_cursor = FALSE;
++    int			ret_addr = FAIL;
+ 
+     vim_memset(&ea, 0, sizeof(ea));
+     ea.line1 = 1;
+@@ -2084,7 +2086,7 @@ do_one_cmd(
+ 	lnum = get_address(&ea, &ea.cmd, ea.addr_type, ea.skip,
+ 					  ea.addr_count == 0, address_count++);
+ 	if (ea.cmd == NULL)		    /* error detected */
+-	    goto doend;
++	    goto addr_end;
+ 	if (lnum == MAXLNUM)
+ 	{
+ 	    if (*ea.cmd == '%')		    /* '%' - all lines */
+@@ -2128,12 +2130,12 @@ do_one_cmd(
+ 			    /* there is no Vim command which uses '%' and
+ 			     * ADDR_WINDOWS or ADDR_TABS */
+ 			    errormsg = (char_u *)_(e_invrange);
+-			    goto doend;
++			    goto addr_end;
+ 			}
+ 			break;
+ 		    case ADDR_TABS_RELATIVE:
+ 			errormsg = (char_u *)_(e_invrange);
+-			goto doend;
++			goto addr_end;
+ 			break;
+ 		    case ADDR_ARGUMENTS:
+ 			if (ARGCOUNT == 0)
+@@ -2163,7 +2165,7 @@ do_one_cmd(
+ 		if (ea.addr_type != ADDR_LINES)
+ 		{
+ 		    errormsg = (char_u *)_(e_invrange);
+-		    goto doend;
++		    goto addr_end;
+ 		}
+ 
+ 		++ea.cmd;
+@@ -2171,11 +2173,11 @@ do_one_cmd(
+ 		{
+ 		    fp = getmark('<', FALSE);
+ 		    if (check_mark(fp) == FAIL)
+-			goto doend;
++			goto addr_end;
+ 		    ea.line1 = fp->lnum;
+ 		    fp = getmark('>', FALSE);
+ 		    if (check_mark(fp) == FAIL)
+-			goto doend;
++			goto addr_end;
+ 		    ea.line2 = fp->lnum;
+ 		    ++ea.addr_count;
+ 		}
+@@ -2190,8 +2192,11 @@ do_one_cmd(
+ 	    if (!ea.skip)
+ 	    {
+ 		curwin->w_cursor.lnum = ea.line2;
++
+ 		/* don't leave the cursor on an illegal line or column */
++		// Check the cursor position before returning.
+ 		check_cursor();
++		need_check_cursor = TRUE;
+ 	    }
+ 	}
+ 	else if (*ea.cmd != ',')
+@@ -2208,6 +2213,13 @@ do_one_cmd(
+ 	    ea.addr_count = 0;
+     }
+ 
++    ret_addr = OK;
++
++addr_end:
++    if (need_check_cursor)
++	check_cursor();
++    if (ret_addr == FAIL)
++	goto doend;
+ /*
+  * 5. Parse the command.
+  */

SOURCES/vim-crypto-warning.patch

@@ -0,0 +1,86 @@
+diff --git a/src/config.h.in b/src/config.h.in
+index 7d61220..ca0b1a8 100644
+--- a/src/config.h.in
++++ b/src/config.h.in
+@@ -478,3 +478,12 @@
+ 
+ /* Define to inline symbol or empty */
+ #undef inline
++
++/* Do we need FIPS warning? */
++#undef HAVE_FIPS_WARNING
++
++/* Link to system-fips file */
++#undef SYSTEM_FIPS_FILE_LINK
++
++/* Link to fips_enabled file */
++#undef FIPS_ENABLED_FILE_LINK
+diff --git a/src/configure.ac b/src/configure.ac
+index 1e7d444..5e45762 100644
+--- a/src/configure.ac
++++ b/src/configure.ac
+@@ -525,6 +525,38 @@ else
+   AC_MSG_RESULT(yes)
+ fi
+ 
++dnl Checking if we want FIPS warning
++
++AC_MSG_CHECKING(--enable-fips-warning)
++AC_ARG_ENABLE([fips-warning],
++              AS_HELP_STRING([--enable-fips-warning], [Enable FIPS warning]),
++              ,[enable_fips_warning="no"])
++
++if test "$enable_fips_warning" = "yes"; then
++  AC_MSG_RESULT(yes)
++  AC_DEFINE([HAVE_FIPS_WARNING])
++
++  dnl Setting path for system-fips file
++
++  AC_MSG_CHECKING(--with-system-fips-file argument)
++  AC_ARG_WITH([system-fips-file], [  --with-system-fips-file=PATH       Link to system-fips file (default: /etc/system-fips)],
++	with_system_fips_file=$withval,
++       with_system_fips_file="/etc/system-fips")
++  AC_MSG_RESULT([$with_system_fips_file])
++  AC_DEFINE_UNQUOTED([SYSTEM_FIPS_FILE_LINK], ["$with_system_fips_file"])
++
++  dnl Setting link to fips_enabled file
++
++  AC_MSG_CHECKING(--with-fips-enabled-file argument)
++  AC_ARG_WITH([fips-enabled-file], [  --with-fips-enabled-file=PATH       Link to fibs_enabled file (default: /proc/sys/crypto/fips_enabled)],
++	with_fips_enabled_file=$withval,
++       with_fips_enabled_file="/proc/sys/crypto/fips_enabled")
++  AC_MSG_RESULT([$with_fips_enabled_file])
++  AC_DEFINE_UNQUOTED([FIPS_ENABLED_FILE_LINK], ["$with_fips_enabled_file"])
++else
++  AC_MSG_RESULT(no)
++fi
++
+ dnl Check for Lua feature.
+ AC_MSG_CHECKING(--enable-luainterp argument)
+ AC_ARG_ENABLE(luainterp,
+diff --git a/src/crypt.c b/src/crypt.c
+index dfbf02c..c935bc0 100644
+--- a/src/crypt.c
++++ b/src/crypt.c
+@@ -501,6 +501,21 @@ crypt_check_method(int method)
+ 	msg_scroll = TRUE;
+ 	MSG(_("Warning: Using a weak encryption method; see :help 'cm'"));
+     }
++#ifdef HAVE_FIPS_WARNING
++    FILE *fips_enable_fd = fopen(FIPS_ENABLED_FILE_LINK, "r");
++    if (fips_enable_fd == NULL)
++      return;
++
++    int enabled = fgetc(fips_enable_fd);
++
++    if ( access(SYSTEM_FIPS_FILE_LINK, F_OK) != -1 && enabled == '1')
++    {
++	msg_scroll = TRUE;
++	MSG(_("Warning: This cryptography is not FIPS 140-2 compliant."));
++    }
++
++    fclose(fips_enable_fd);
++#endif
+ }
+ 
+     void

SOURCES/vim-cve3778-fix.patch

@@ -0,0 +1,13 @@
+diff -up vim80/src/regexp_nfa.c.cve3796-fix vim80/src/regexp_nfa.c
+--- vim80/src/regexp_nfa.c.cve3796-fix	2021-09-20 08:27:13.752604505 +0200
++++ vim80/src/regexp_nfa.c	2021-09-20 08:29:10.206546910 +0200
+@@ -5493,7 +5493,8 @@ find_match_text(colnr_T startcol, int re
+ 		match = FALSE;
+ 		break;
+ 	    }
+-	    len2 += MB_CHAR2LEN(c2);
++	    len2 += enc_utf8 ? utf_ptr2len(regline + col + len2)
++							     : MB_CHAR2LEN(c2);
+ 	}
+ 	if (match
+ #ifdef FEAT_MBYTE

SOURCES/vim-cve3796.patch

@@ -0,0 +1,51 @@
+diff --git a/src/normal.c b/src/normal.c
+index be0e75e..7d62e20 100644
+--- a/src/normal.c
++++ b/src/normal.c
+@@ -7147,19 +7147,23 @@ nv_replace(cmdarg_T *cap)
+ 	    {
+ 		/*
+ 		 * Get ptr again, because u_save and/or showmatch() will have
+-		 * released the line.  At the same time we let know that the
+-		 * line will be changed.
++		 * released the line.  This may also happen in ins_copychar().
++		 * At the same time we let know that the line will be changed.
+ 		 */
+-		ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
+ 		if (cap->nchar == Ctrl_E || cap->nchar == Ctrl_Y)
+ 		{
+ 		  int c = ins_copychar(curwin->w_cursor.lnum
+ 					   + (cap->nchar == Ctrl_Y ? -1 : 1));
++
++		  ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
+ 		  if (c != NUL)
+ 		    ptr[curwin->w_cursor.col] = c;
+ 		}
+ 		else
++		{
++		    ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
+ 		    ptr[curwin->w_cursor.col] = cap->nchar;
++		}
+ 		if (p_sm && msg_silent == 0)
+ 		    showmatch(cap->nchar);
+ 		++curwin->w_cursor.col;
+diff --git a/src/testdir/test_edit.vim b/src/testdir/test_edit.vim
+index 7278bcd..8818805 100644
+--- a/src/testdir/test_edit.vim
++++ b/src/testdir/test_edit.vim
+@@ -1387,3 +1387,15 @@ func Test_edit_quit()
+   only
+ endfunc
+ 
++" Test for getting the character of the line below after "p"
++func Test_edit_put_CTRL_E()
++  set encoding=latin1
++  new
++  let @" = ''
++  sil! norm orggRx
++  sil! norm pr
++  call assert_equal(['r', 'r'], getline(1, 2))
++  bwipe!
++  set encoding=utf-8
++endfunc
++

SPECS/vim.spec

@@ -24,7 +24,7 @@ Summary: The VIM editor
 URL:     http://www.vim.org/
 Name: vim
 Version: %{baseversion}.%{patchlevel}
-Release: 11%{?dist}
+Release: 19%{?dist}.4
 License: Vim and MIT
 Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2
 Source1: vim.sh
@@ -71,6 +71,47 @@ Patch3017: vim-python3-tests.patch
 Patch3018: vim-covscan.patch
 # 1719812 - CVE-2019-12735 vim: vim/neovim: arbitrary command execution in getchar.c [rhel-8.1.0]
 Patch3019: 0001-patch-8.1.1365-source-command-doesn-t-check-for-the-.patch
+# 1605095 - vim: should not re-implement crypto
+Patch3020: vim-crypto-warning.patch
+# 1842755 - CVE-2019-20807
+Patch3021: 0001-patch-8.1.0881-can-execute-shell-commands-in-rvim-th.patch
+# 2004975 - CVE-2021-3796 vim: use-after-free in nv_replace() in normal.c [rhel-8.6.0]
+Patch3022: vim-cve3796.patch
+# 2004892 - CVE-2021-3778 vim: heap-based buffer overflow in utf_ptr2char() in mbyte.c [rhel-8.6.0]
+Patch3023: vim-cve3778-fix.patch
+Patch3024: 0001-patch-8.2.3487-illegal-memory-access-if-buffer-name-.patch
+# 2028341 - CVE-2021-3984 vim: illegal memory access when C-indenting could lead to Heap Buffer Overflow [rhel-8.6.0]
+Patch3025: 0001-patch-8.2.3625-illegal-memory-access-when-C-indentin.patch
+# 2028430 - CVE-2021-4019 vim: heap-based buffer overflow in find_help_tags() in src/help.c [rhel-8.6.0]
+Patch3026: 0001-patch-8.2.3669-buffer-overflow-with-long-help-argume.patch
+# CVE-2021-4193 vim: vulnerable to Out-of-bounds Read
+Patch3027: 0001-patch-8.2.3950-going-beyond-the-end-of-the-line-with.patch
+# CVE-2021-4192 vim: vulnerable to Use After Free
+Patch3028: 0001-patch-8.2.3949-using-freed-memory-with-V.patch
+# CVE-2022-0261 vim: Heap-based Buffer Overflow in block_insert() in src/ops.c
+Patch3029: 0001-patch-8.2.4120-block-insert-goes-over-the-end-of-the.patch
+# CVE-2022-0318 vim: heap-based buffer overflow in utf_head_off() in mbyte.c
+Patch3030: 0001-patch-8.2.4151-reading-beyond-the-end-of-a-line.patch
+# CVE-2022-0359 vim: heap-based buffer overflow in init_ccline() in ex_getln.c
+Patch3031: 0001-patch-8.2.4214-illegal-memory-access-with-large-tabs.patch
+# CVE-2022-0392 vim: heap-based buffer overflow in getexmodeline() in ex_getln.c
+Patch3032: 0001-patch-8.2.4218-illegal-memory-access-with-bracketed-.patch
+# CVE-2022-0413 vim: use after free in src/ex_cmds.c
+Patch3033: 0001-patch-8.2.4253-using-freed-memory-when-substitute-wi.patch
+# CVE-2022-0361 vim: Heap-based Buffer Overflow in GitHub repository
+Patch3034: 0001-patch-8.2.4215-illegal-memory-access-when-copying-li.patch
+# CVE-2022-1154 vim: use after free in utf_ptr2char
+Patch3035: 0001-patch-8.2.4646-using-buffer-line-after-it-has-been-f.patch
+# CVE-2022-1621 vim: heap buffer overflow
+Patch3036: 0001-patch-8.2.4919-can-add-invalid-bytes-with-spellgood.patch
+# CVE-2022-1629 vim: buffer over-read
+Patch3037: 0001-patch-8.2.4925-trailing-backslash-may-cause-reading-.patch
+# CVE-2022-1785 vim: Out-of-bounds Write
+Patch3038: 0001-patch-8.2.4977-memory-access-error-when-substitute-e.patch
+# CVE-2022-1897 vim: out-of-bounds write in vim_regsub_both() in regexp.c
+Patch3039: 0001-patch-8.2.5023-substitute-overwrites-allocated-buffe.patch
+# CVE-2022-1927 vim: buffer over-read in utf_ptr2char() in mbyte.c
+Patch3040: 0001-patch-8.2.5037-cursor-position-may-be-invalid-after-.patch
 
 # gcc is no longer in buildroot by default
 BuildRequires: gcc
@@ -267,6 +308,27 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
 %patch3017 -p1
 %patch3018 -p1
 %patch3019 -p1 -b .cve
+%patch3020 -p1 -b .crypto-warning
+%patch3021 -p1 -b .rvim
+%patch3022 -p1 -b .cve3796
+%patch3023 -p1 -b .cve3778
+%patch3024 -p1 -b .cve3872
+%patch3025 -p1 -b .cve3984
+%patch3026 -p1 -b .cve4019
+%patch3027 -p1 -b .cve4193
+%patch3028 -p1 -b .cve4192
+%patch3029 -p1 -b .cve0261
+%patch3030 -p1 -b .cve0318
+%patch3031 -p1 -b .cve0359
+%patch3032 -p1 -b .cve0392
+%patch3033 -p1 -b .cve0413
+%patch3034 -p1 -b .cve0361
+%patch3035 -p1 -b .cve1154
+%patch3036 -p1 -b .cve1621
+%patch3037 -p1 -b .cve1629
+%patch3038 -p1 -b .cve1785
+%patch3039 -p1 -b .cve1897
+%patch3040 -p1 -b .cve1927
 
 %build
 %if 0%{?rhel} > 7
@@ -296,6 +358,7 @@ perl -pi -e "s/vimrc/virc/"  os_unix.h
 %endif
   --disable-pythoninterp --disable-perlinterp --disable-tclinterp \
   --with-tlib=ncurses --enable-gui=no --disable-gpm --exec-prefix=/ \
+  --enable-fips-warning \
   --with-compiledby="<bugzilla@redhat.com>" \
   --with-modified-by="<bugzilla@redhat.com>"
 
@@ -314,6 +377,7 @@ mv -f ex_cmds.c.save ex_cmds.c
   --enable-xim --enable-multibyte \
   --with-tlib=ncurses \
   --enable-gtk3-check --enable-gui=gtk3 \
+  --enable-fips-warning \
   --with-compiledby="<bugzilla@redhat.com>" --enable-cscope \
   --with-modified-by="<bugzilla@redhat.com>" \
 %if "%{withnetbeans}" == "1"
@@ -351,6 +415,7 @@ make clean
  --enable-gui=no --exec-prefix=%{_prefix} --enable-multibyte \
  --enable-cscope --with-modified-by="<bugzilla@redhat.com>" \
  --with-tlib=ncurses \
+  --enable-fips-warning \
  --with-compiledby="<bugzilla@redhat.com>" \
 %if "%{withnetbeans}" == "1"
   --enable-netbeans \
@@ -543,16 +608,6 @@ rm -f %{buildroot}/%{_datadir}/vim/%{vimdir}/macros/maze/maze*.c
 rm -rf %{buildroot}/%{_datadir}/vim/%{vimdir}/tools
 rm -rf %{buildroot}/%{_datadir}/vim/%{vimdir}/doc/vim2html.pl
 rm -f %{buildroot}/%{_datadir}/vim/%{vimdir}/tutor/tutor.gr.utf-8~
-( cd %{buildroot}/%{_mandir}
-  for i in `find ??/ -type f`; do
-    if [[ "`file $i`" == *UTF-8\ Unicode\ text* ]]; then
-      continue
-    fi
-    bi=`basename $i`
-    iconv -f latin1 -t UTF8 $i > %{buildroot}/$bi
-    mv -f %{buildroot}/$bi $i
-  done
-)
 
 # Remove not UTF-8 manpages
 for i in pl.ISO8859-2 it.ISO8859-1 ru.KOI8-R fr.ISO8859-1; do
@@ -792,6 +847,63 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
 %{_datadir}/icons/locolor/*/apps/*
 
 %changelog
+* Tue Jun 14 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-19.4
+- fix issue reported by covscan
+
+* Mon Jun 13 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-19.3
+- CVE-2022-1785 vim: Out-of-bounds Write
+- CVE-2022-1897 vim: out-of-bounds write in vim_regsub_both() in regexp.c
+- CVE-2022-1927 vim: buffer over-read in utf_ptr2char() in mbyte.c
+
+* Wed May 25 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-19.2
+- CVE-2022-1621 vim: heap buffer overflow
+- CVE-2022-1629 vim: buffer over-read
+
+* Sat Apr 09 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-19.1
+- CVE-2022-1154 vim: use after free in utf_ptr2char
+
+* Tue Feb 08 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-19
+- CVE-2022-0361 vim: Heap-based Buffer Overflow in GitHub repository
+
+* Mon Feb 07 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-18
+- CVE-2022-0392 vim: heap-based buffer overflow in getexmodeline() in ex_getln.c
+- CVE-2022-0413 vim: use after free in src/ex_cmds.c
+
+* Thu Jan 27 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-18
+- fix test suite after fix for CVE-2022-0318
+- CVE-2022-0359 vim: heap-based buffer overflow in init_ccline() in ex_getln.c
+
+* Wed Jan 12 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-18
+- CVE-2022-0261 vim: Heap-based Buffer Overflow in block_insert() in src/ops.c
+- CVE-2022-0318 vim: heap-based buffer overflow in utf_head_off() in mbyte.c
+
+* Wed Jan 12 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-18
+- CVE-2021-4193 vim: vulnerable to Out-of-bounds Read
+- CVE-2021-4192 vim: vulnerable to Use After Free
+
+* Fri Dec 03 2021 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-18
+- 2028341 - CVE-2021-3984 vim: illegal memory access when C-indenting could lead to Heap Buffer Overflow [rhel-8.6.0]
+- 2028430 - CVE-2021-4019 vim: heap-based buffer overflow in find_help_tags() in src/help.c [rhel-8.6.0]
+
+* Tue Oct 26 2021 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-17
+- 2016201 - CVE-2021-3872 vim: heap-based buffer overflow in win_redr_status() drawscreen.c [rhel-8.6.0]
+
+* Thu Sep 23 2021 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-16
+- 2004975 - CVE-2021-3796 vim: use-after-free in nv_replace() in normal.c [rhel-8.6.0]
+- 2004892 - CVE-2021-3778 vim: heap-based buffer overflow in utf_ptr2char() in mbyte.c [rhel-8.6.0]
+
+* Tue Jun 02 2020 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-15
+- 1842755 - CVE-2019-20807
+
+* Mon Feb 10 2020 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-14
+- 1745476 - manpage of vim is garbled in Japanese locale
+
+* Tue Jul 23 2019 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-13
+- fixing covscan issues raised by previous commit
+
+* Tue Jul 23 2019 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-12
+- 1605095 - vim: should not re-implement crypto
+
 * Fri Jun 14 2019 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-11
 - 1719812 - CVE-2019-12735 vim: vim/neovim: arbitrary command execution in getchar.c [rhel-8.1.0]