author | Patrick J Volkerding <volkerdi@slackware.com> | 2022-08-17 20:41:53 +0000 |
---|---|---|
committer | Eric Hameleers <alien@slackware.com> | 2022-08-18 13:30:02 +0200 |
commit | 821b8a94bf6a33da86d2e1f956c068d2b6270e40 (patch) | |
tree | 8b29563a041d4681367f421d9fee2782e1a07d2b /patches | |
parent | 834b3a5fc210d2991416f66166351b787bf0fb92 (diff) | |
download | current-821b8a94bf6a33da86d2e1f956c068d2b6270e40.tar.gz |
Wed Aug 17 20:41:53 UTC 2022 20220817204153_15.0
patches/packages/vim-8.2.4649-x86_64-2_slack15.0.txz: Rebuilt.
Fix use after free, out-of-bounds read, and heap based buffer overflow.
Thanks to marav for the heads-up.
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2816
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2817
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2819
(* Security fix *)
patches/packages/vim-gvim-8.2.4649-x86_64-2_slack15.0.txz: Rebuilt.
Diffstat (limited to 'patches')
-rw-r--r-- | patches/packages/vim-8.2.4649-x86_64-2_slack15.0.txt (renamed from patches/packages/vim-8.2.4649-x86_64-1_slack15.0.txt) | 0 | ||||
-rw-r--r-- | patches/packages/vim-gvim-8.2.4649-x86_64-2_slack15.0.txt (renamed from patches/packages/vim-gvim-8.2.4649-x86_64-1_slack15.0.txt) | 0 | ||||
-rw-r--r-- | patches/source/vim/CVE-2022-2816.patch | 26 | ||||
-rw-r--r-- | patches/source/vim/CVE-2022-2817.patch | 69 | ||||
-rw-r--r-- | patches/source/vim/CVE-2022-2819.patch | 40 | ||||
-rwxr-xr-x | patches/source/vim/vim-gvim.SlackBuild | 7 | ||||
-rwxr-xr-x | patches/source/vim/vim.SlackBuild | 7 |
7 files changed, 147 insertions, 2 deletions
diff --git a/patches/packages/vim-8.2.4649-x86_64-1_slack15.0.txt b/patches/packages/vim-8.2.4649-x86_64-2_slack15.0.txt
index 4a843388..4a843388 100644
--- a/patches/packages/vim-8.2.4649-x86_64-1_slack15.0.txt
+++ b/patches/packages/vim-8.2.4649-x86_64-2_slack15.0.txt
diff --git a/patches/packages/vim-gvim-8.2.4649-x86_64-1_slack15.0.txt b/patches/packages/vim-gvim-8.2.4649-x86_64-2_slack15.0.txt
index 3b81553b..3b81553b 100644
--- a/patches/packages/vim-gvim-8.2.4649-x86_64-1_slack15.0.txt
+++ b/patches/packages/vim-gvim-8.2.4649-x86_64-2_slack15.0.txt
diff --git a/patches/source/vim/CVE-2022-2816.patch b/patches/source/vim/CVE-2022-2816.patch
new file mode 100644
index 00000000..da790fb6
--- /dev/null
+++ b/patches/source/vim/CVE-2022-2816.patch
@@ -0,0 +1,26 @@
+From dbdd16b62560413abcc3c8e893cc3010ccf31666 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Sun, 14 Aug 2022 21:46:07 +0100
+Subject: [PATCH] patch 9.0.0212: invalid memory access when compiling :unlet
+
+Problem: Invalid memory access when compiling :unlet.
+Solution: Don't read past the end of the line.
+---
+
+diff --git a/src/vim9cmds.c b/src/vim9cmds.c
+index 35a382138bf3..93032d6bf154 100644
+--- a/src/vim9cmds.c
++++ b/src/vim9cmds.c
+@@ -92,6 +92,12 @@ free_locals(cctx_T *cctx)
+ int
+ check_vim9_unlet(char_u *name)
+ {
++ if (*name == NUL)
++ {
++ semsg(_(e_argument_required_for_str), "unlet");
++ return FAIL;
++ }
++
+ if (name[1] != ':' || vim_strchr((char_u *)"gwtb", *name) == NULL)
+ {
+ // "unlet s:var" is allowed in legacy script.
diff --git a/patches/source/vim/CVE-2022-2817.patch b/patches/source/vim/CVE-2022-2817.patch
new file mode 100644
index 00000000..d9bfc1a6
--- /dev/null
+++ b/patches/source/vim/CVE-2022-2817.patch
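Review bot: The new `if (*name == NUL)` guard in check_vim9_unlet (CVE-2022-2816.patch) carries no comment saying why it has to come first, so a later reordering could put the `name[1]` test back in front of it. A one-line comment above the guard would record that, for example `// An empty name must be rejected here: the name[1] test below would read past the NUL.`. The same applies to the `if (*p == NUL)` guard added ahead of `p[1] != ':'` in compile_lock_unlock in CVE-2022-2819.patch. Both function bodies continue outside their hunks.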
@@ -0,0 +1,69 @@
+From 249e1b903a9c0460d618f6dcc59aeb8c03b24b20 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Sun, 14 Aug 2022 22:23:02 +0100
+Subject: [PATCH] patch 9.0.0213: using freed memory with error in assert
+ argument
+
+Problem: Using freed memory with error in assert argument.
+Solution: Make a copy of the error.
+---
+
+diff --git a/src/testdir/test_assert.vim b/src/testdir/test_assert.vim
+index 27b2d73fbfc8..7c9d090b39df 100644
+--- a/src/testdir/test_assert.vim
++++ b/src/testdir/test_assert.vim
+@@ -291,6 +291,10 @@ func Test_assert_fail_fails()
+ let exp = v:exception
+ endtry
+ call assert_match("E1174: String required for argument 5", exp)
++
++ call assert_equal(1, assert_fails('c0', ['', '\1']))
++ call assert_match("Expected '\\\\\\\\1' but got 'E939: Positive count required: c0': c0", v:errors[0])
++ call remove(v:errors, 0)
+ endfunc
+
+ func Test_assert_fails_in_try_block()
+diff --git a/src/testing.c b/src/testing.c
+index f2355f5dac13..21eb9c18e6e2 100644
+--- a/src/testing.c
++++ b/src/testing.c
+@@ -597,6 +597,7 @@ f_assert_fails(typval_T *argvars, typval_T *rettv)
+ int save_trylevel = trylevel;
+ int called_emsg_before = called_emsg;
+ char *wrong_arg_msg = NULL;
++ char_u *tofree = NULL;
+
+ if (check_for_string_or_number_arg(argvars, 0) == FAIL
+ || check_for_opt_string_or_list_arg(argvars, 1) == FAIL
+@@ -660,13 +661,17 @@ f_assert_fails(typval_T *argvars, typval_T *rettv)
+ }
+ else if (list->lv_len == 2)
+ {
+- tv = &list->lv_u.mat.lv_last->li_tv;
+- actual = get_vim_var_str(VV_ERRMSG);
+- expected = tv_get_string_buf_chk(tv, buf);
+- if (!pattern_match(expected, actual, FALSE))
++ // make a copy, an error in pattern_match() may free it
++ tofree = actual = vim_strsave(get_vim_var_str(VV_ERRMSG));
++ if (actual != NULL)
+ {
+- error_found = TRUE;
+- expected_str = expected;
++ tv = &list->lv_u.mat.lv_last->li_tv;
++ expected = tv_get_string_buf_chk(tv, buf);
++ if (!pattern_match(expected, actual, FALSE))
++ {
++ error_found = TRUE;
++ expected_str = expected;
++ }
+ }
+ }
+ }
+@@ -749,6 +754,7 @@ f_assert_fails(typval_T *argvars, typval_T *rettv)
+ msg_scrolled = 0;
+ lines_left = Rows;
+ VIM_CLEAR(emsg_assert_fails_msg);
++ vim_free(tofree);
+ set_vim_var_string(VV_ERRMSG, NULL, 0);
+ if (wrong_arg_msg != NULL)
+ emsg(_(wrong_arg_msg));
diff --git a/patches/source/vim/CVE-2022-2819.patch b/patches/source/vim/CVE-2022-2819.patch
new file mode 100644
index 00000000..59c25d8c
--- /dev/null
+++ b/patches/source/vim/CVE-2022-2819.patch
@@ -0,0 +1,40 @@
+From d1d8f6bacb489036d0fd479c9dd3c0102c988889 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Sun, 14 Aug 2022 21:28:32 +0100
+Subject: [PATCH] patch 9.0.0211: invalid memory access when compiling :lockvar
+
+Problem: Invalid memory access when compiling :lockvar.
+Solution: Don't read past the end of the line.
+---
+
+diff --git a/src/vim9cmds.c b/src/vim9cmds.c
+index ad32c32ff7cb..35a382138bf3 100644
+--- a/src/vim9cmds.c
++++ b/src/vim9cmds.c
+@@ -188,10 +188,17 @@ compile_lock_unlock(
+ size_t len;
+ char_u *buf;
+ isntype_T isn = ISN_EXEC;
++ char *cmd = eap->cmdidx == CMD_lockvar ? "lockvar" : "unlockvar";
+
+ if (cctx->ctx_skip == SKIP_YES)
+ return OK;
+
++ if (*p == NUL)
++ {
++ semsg(_(e_argument_required_for_str), cmd);
++ return FAIL;
++ }
++
+ // Cannot use :lockvar and :unlockvar on local variables.
+ if (p[1] != ':')
+ {
+@@ -223,8 +230,6 @@ compile_lock_unlock(
+ ret = FAIL;
+ else
+ {
+- char *cmd = eap->cmdidx == CMD_lockvar ? "lockvar" : "unlockvar";
+-
+ if (deep < 0)
+ vim_snprintf((char *)buf, len, "%s! %s", cmd, p);
+ else
diff --git a/patches/source/vim/vim-gvim.SlackBuild b/patches/source/vim/vim-gvim.SlackBuild
index 6eb01708..175391c1 100755
--- a/patches/source/vim/vim-gvim.SlackBuild
+++ b/patches/source/vim/vim-gvim.SlackBuild
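Review bot: When `vim_strsave()` returns NULL in the `list->lv_len == 2` branch of f_assert_fails (CVE-2022-2817.patch), the new `if (actual != NULL)` block is skipped. `error_found` then stays unset, and the second expected message is treated as matched without ever being compared. An `else error_found = TRUE;` on that `if` would make an allocation failure fail the assertion rather than pass it. How the later reporting code handles a NULL `expected_str` lies outside the hunk and would need checking first. The function body starts and ends outside the visible hunks.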
@@ -32,7 +32,7 @@ cd $(dirname $0) ; CWD=$(pwd) PKGNAM=vim-gvim VIMBRANCH=8.2 VERSION=$(echo vim-${VIMBRANCH}*.tar.?z | rev | cut -f 3- -d . | cut -f 1 -d - | rev) -BUILD=${BUILD:-1_slack15.0} +BUILD=${BUILD:-2_slack15.0} # The possible settings for this are yes/no/dynamic. PERLINTERP=${PERLINTERP:-dynamic} @@ -111,6 +111,11 @@ find . \ \( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \ -exec chmod 644 {} \+ +# Fix security issues: +zcat $CWD/CVE-2022-2816.patch.gz | patch -p1 --verbose || exit 1 +zcat $CWD/CVE-2022-2817.patch.gz | patch -p1 --verbose || exit 1 +zcat $CWD/CVE-2022-2819.patch.gz | patch -p1 --verbose || exit 1 + config_vim --with-x --enable-gui=gtk3 || exit 1 make $NUMJOBS || make || exit 1 make install DESTDIR=$PKG || exit 1 diff --git a/patches/source/vim/vim.SlackBuild b/patches/source/vim/vim.SlackBuild index 0b4f8132..6b20386d 100755 --- a/patches/source/vim/vim.SlackBuild +++ b/patches/source/vim/vim.SlackBuild @@ -25,7 +25,7 @@ cd $(dirname $0) ; CWD=$(pwd) PKGNAM=vim VIMBRANCH=8.2 CTAGSVER=5.8 -BUILD=${BUILD:-1_slack15.0} +BUILD=${BUILD:-2_slack15.0} # The possible settings for this are yes/no/dynamic. PERLINTERP=${PERLINTERP:-dynamic} @@ -152,6 +152,11 @@ find . \ \( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \ -exec chmod 644 {} \+ +# Fix security issues: +zcat $CWD/CVE-2022-2816.patch.gz | patch -p1 --verbose || exit 1 +zcat $CWD/CVE-2022-2817.patch.gz | patch -p1 --verbose || exit 1 +zcat $CWD/CVE-2022-2819.patch.gz | patch -p1 --verbose || exit 1 + config_vim --without-x --disable-gui || exit 1 make $NUMJOBS || make || exit 1 make install DESTDIR=$PKG || exit 1 |
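Review bot: In the added `zcat $CWD/CVE-2022-2816.patch.gz | patch -p1 --verbose || exit 1` lines, `|| exit 1` tests only the exit status of `patch`. A missing or unreadable `.patch.gz` is therefore caught only if `patch` itself rejects the empty input; otherwise the package may be built without the security fix. The top of the script is outside the hunk, so whether `pipefail` is enabled is not visible. If it is not, add `set -o pipefail` before these lines (assuming the script runs under bash) and quote the path as `"$CWD/CVE-2022-2816.patch.gz"`. The same three lines in the vim.SlackBuild hunk (`@@ -152,6 +152,11 @@`) need the same change. The commit also adds the files as `.patch` while both scripts read `.patch.gz`, which presumably relies on the tree compressing them before the build.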