Package "vim-gtk"

  vim (2:8.2.3995-1ubuntu2.10) jammy-security; urgency=medium

  * SECURITY UPDATE: heap-based buffer overflow
    - debian/patches/CVE-2022-2182.patch: When on line zero check the
      column is valid for line one.
    - debian/patches/CVE-2022-2264.patch: Adjust the end mark position.
    - debian/patches/CVE-2022-2284.patch: Stop Visual mode when closing a
      window.
    - CVE-2022-2182
    - CVE-2022-2264
    - CVE-2022-2284
  * SECURITY UPDATE: NULL pointer dereference
    - debian/patches/CVE-2022-2208.patch: Recompute diffs later. Skip
      window without a valid buffer.
    - debian/patches/CVE-2022-2231.patch: Do not use the NULL pointer.
    - CVE-2022-2208
    - CVE-2022-2231
  * SECURITY UPDATE: out-of-bounds write issue
    - debian/patches/CVE-2022-2210.patch: Use zero offset when change
      removes all lines in a diff block
    - CVE-2022-2210
  * SECURITY UPDATE: out-of-bounds read issue
    - debian/patches/CVE-2022-2257.patch: Check for NUL.
    - debian/patches/CVE-2022-2286.patch: Check the length of the string
    - debian/patches/CVE-2022-2287.patch: Disallow adding a word with
      control characters or a trailing slash.
    - CVE-2022-2257
    - CVE-2022-2286
    - CVE-2022-2287
  * SECURITY UPDATE: integer overflow issue
    - debian/patches/CVE-2022-2285.patch: Put a NUL after the typeahead.
    - CVE-2022-2285
  * SECURITY UPDATE: use after free memory issue
    - debian/patches/CVE-2022-2289.patch: Bail out when diff pointer is no
      longer valid
    - CVE-2022-2289
  * debian/patches/skip_some_tests.patch: skip some failing test

 -- Nishit Majithia <email address hidden> Tue, 01 Aug 2023 11:07:49 +0530

  vim (2:8.2.3995-1ubuntu2.9) jammy-security; urgency=medium

  * SECURITY UPDATE: out-of-bounds read when finding an ex command by name
    - debian/patches/CVE-2022-0128.patch: check for the NUL byte first before
      reading.
    - CVE-2022-0128
  * SECURITY UPDATE: use of freed memory when managing line buffers
    - debian/patches/CVE-2022-0156-1.patch: tracking and keeping individual
      lines until the end before freeing.
    - debian/patches/CVE-2022-0156-2.patch: use growing array for tracking
      lines to free when executing instructions.
    - CVE-2022-0156
  * SECURITY UPDATE: heap-based buffer overflow when reading line containing
    "$" on its own
    - debian/patches/CVE-2022-0158.patch: handle environment variable with
      adjusted error reporting.
    - CVE-2022-0158
  * SECURITY UPDATE: out-of-bounds read when recording and using select mode
    - debian/patches/CVE-2022-0393.patch: check last recorded character exists
      before deleting.
    - CVE-2022-0393
  * SECURITY UPDATE: heap-based buffer overflow when performing a visual block
    yank
    - debian/patches/CVE-2022-0407.patch: check line boundary before reading
      character.
    - CVE-2022-0407
  * SECURITY UPDATE: NULL pointer dereference when switching tabpage in
    cmdline window
    - debian/patches/CVE-2022-0696.patch: deny switching tabpage in cmdline
      window.
    - CVE-2022-0696

 -- Evan Caville <email address hidden> Thu, 22 Jun 2023 14:08:04 +1000

  vim (2:8.2.3995-1ubuntu2.8) jammy-security; urgency=medium

  * SECURITY UPDATE: use of out-of-range pointer offset when fuzzy matching
    - debian/patches/CVE-2023-2426.patch: initialize the arrays used to store
      match positions.
    - CVE-2023-2426
  * SECURITY UPDATE: NULL pointer dereference when processing register content
    - debian/patches/CVE-2023-2609.patch: check "y_array" is not NULL.
    - CVE-2023-2609
  * SECURITY UPDATE: integer overflow and excessive memory consumption when
    allocating memory for tilde processing in pattern
    - debian/patches/CVE-2023-2610.patch: limit the text length to MAXCOL.
    - CVE-2023-2610

 -- Camila Camargo de Matos <email address hidden> Wed, 24 May 2023 11:27:53 -0300

  vim (2:8.2.3995-1ubuntu2.7) jammy-security; urgency=medium

  * SECURITY UPDATE: heap buffer overflow when processing long file names
    - debian/patches/CVE-2022-0213.patch: check length when appending a space.
    - CVE-2022-0213
  * SECURITY UPDATE: heap-based buffer overflow when performing a block insert
    - debian/patches/CVE-2022-0261.patch: handle invalid byte better. Fix
      inserting the wrong text.
    - debian/patches/CVE-2022-0318-1.patch: for block insert only use the
      offset for correcting the length.
    - debian/patches/CVE-2022-0318-2.patch: adjust the expected output for
      utf8 block insert test.
    - CVE-2022-0261
    - CVE-2022-0318
  * SECURITY UPDATE: out-of-bounds read when exchanging windows in visual mode
    - debian/patches/CVE-2022-0319.patch: correct end of Visual area when
      entering another buffer.
    - CVE-2022-0319
  * SECURITY UPDATE: stack pointer corruption when parsing too many brackets
    in expression
    - debian/patches/CVE-2022-0351.patch: limit recursion to 1000.
    - CVE-2022-0351
  * SECURITY UPDATE: illegal memory access when processing large indent in ex
    mode
    - debian/patches/CVE-2022-0359.patch: allocate enough memory.
    - CVE-2022-0359
  * SECURITY UPDATE: illegal memory access when copying lines in visual mode
    - debian/patches/CVE-2022-0361.patch: adjust the Visual position after
      copying lines.
    - CVE-2022-0361
  * SECURITY UPDATE: illegal memory access when undo makes visual area invalid
    in visual mode
    - debian/patches/CVE-2022-0368.patch: correct the Visual area after undo.
    - CVE-2022-0368
  * SECURITY UPDATE: stack corruption when looking for spelling suggestions
    - debian/patches/CVE-2022-0408.patch: prevent the depth increased too
      much. Add a five second time limit to finding suggestions.
    - CVE-2022-0408
  * SECURITY UPDATE: use of freed memory when managing buffers
    - debian/patches/CVE-2022-0443.patch: do not use wiped out buffer.
    - CVE-2022-0443
  * SECURITY UPDATE: heap buffer overflow when processing vim buffers
    - debian/patches/CVE-2022-0554.patch: when deleting the current buffer to
      not pick a quickfix buffer as the new current buffer.
    - CVE-2022-0554
  * SECURITY UPDATE: heap buffer overflow when repeatedly using :retab
    - debian/patches/CVE-2022-0572.patch: bail out when the line is getting
      too long.
    - CVE-2022-0572
  * SECURITY UPDATE: stack buffer overflow vulnerability
    - debian/patches/CVE-2022-0629.patch: crash when using many composing
      characters in error message
    - CVE-2022-0629
  * SECURITY UPDATE: out-of-range pointer offset when using special multi-byte
    character
    - debian/patches/CVE-2022-0685.patch: don't use isalpha() for an arbitrary
      character.
    - CVE-2022-0685
  * SECURITY UPDATE: heap buffer overflow when processing anomalous
    'vartabstop' value
    - debian/patches/CVE-2022-0714.patch: check for running into the end of
      the line.
    - CVE-2022-0714
  * SECURITY UPDATE: out-of-range pointer offset when processing specific
    regexp pattern and string
    - debian/patches/CVE-2022-0729.patch: stop at the start of the string.
    - CVE-2022-0729
  * SECURITY UPDATE: heap-based buffer overflow
    - debian/patches/CVE-2022-2207.patch: adds a check to see if the cursor
      column is great than zero.
    - CVE-2022-2207

 -- Nishit Majithia <email address hidden> Tue, 18 Apr 2023 17:10:57 +0530

  vim (2:8.2.3995-1ubuntu2.5) jammy-security; urgency=medium

  * SECURITY UPDATE: use after free
    - debian/patches/CVE-2022-0413.patch: make a copy of the substitute pattern
      that starts with "\=" in do_sub() in src/ex_cmds.c and free it at the end
      of the method and add test case Test_using_old_sub in
      src/testdir/test_CVE.vim.
    - debian/patches/CVE-2022-1796.patch: make a copy of the pattern to search
      for as it could get freed in do_window() in src/window.c and add test
      case Test_define_search in src/testdir/test_CVE.vim.
    - debian/patches/CVE-2022-1898.patch: make a copy of the string as it could
      get freed in nv_brackets() in src/normal.c, and add a test inside the
      Test_define_search test case in src/testdir/test_CVE.vim.
    - debian/patches/CVE-2022-1968.patch: mitigates the potential for a use
      after free scenario by making a copy of a buffer to use for future
      reference
    - debian/patches/CVE-2022-2946.patch: using freed memory when 'tagfunc'
      deletes the buffer
    - CVE-2022-0413
    - CVE-2022-1796
    - CVE-2022-1898
    - CVE-2022-1968
    - CVE-2022-2946
  * SECURITY UPDATE: buffer over-read
    - debian/patches/CVE-2022-1629.patch: add a check for null after a
      backslash in find_next_quote() in src/search.c and add test case
      Test_string_html_objects in src/testdir/test_CVE.vim.
    - debian/patches/CVE-2022-1720.patch: reading past end of line with "gf" in
      Visual block mode
    - debian/patches/CVE-2022-1733.patch: add a check for null when checking
      for trailing ' in skip_string() in src/misc1.c and add test case
      Test_cindent_check_funcdecl in src/testdir/test_CVE.vim.
    - debian/patches/CVE-2022-1735.patch: add a new function, check_visual_pos
      in src/misc2.c and invoke it in src/change.c and src/edit.c. Add the new
      function header in src/proto/misc2.pro and add test case
      Test_visual_block_with_substitute in src/testdir/test_visual.vim.
    - debian/patches/CVE-2022-1851.patch: add a call to check_cursor() after
      formatting in op_format() in src/ops.c and add test case
      Test_correct_cursor_position in src/testdir/test_CVE.vim.
    - debian/patches/CVE-2022-1927.patch: cursor position may be invalid after
      "0;" range
    - debian/patches/CVE-2022-2845.patch: reading before the start of the line
    - CVE-2022-1629
    - CVE-2022-1720
    - CVE-2022-1733
    - CVE-2022-1735
    - CVE-2022-1851
    - CVE-2022-1927
    - CVE-2022-2845
  * SECURITY UPDATE: crash when matching buffer with invalid pattern
    - debian/patches/CVE-2022-1674.patch: check for NULL regprog
    - CVE-2022-1674
  * SECURITY UPDATE: buffer over-write
    - debian/patches/CVE-2022-1785.patch: add textlock flag to disallow
      changing text or switching window before calling vim_regsub_multi() in
      src/ex_cmds.c.
    - CVE-2022-1785
  * SECURITY UPDATE: heap-based buffer overflow
    - debian/patches/CVE-2022-1942.patch: adds a control to disallow the
      opening of a command line window when text or buffer is locked.
    - debian/patches/CVE-2022-2344.patch: reading past end of completion with
      duplicate match
    - debian/patches/CVE-2022-2571.patch: reading past end of line with insert
      mode completion
    - debian/patches/CVE-2022-2849.patch: invalid memory access with for loop
      over NULL string
    - CVE-2022-1942
    - CVE-2022-2344
    - CVE-2022-2571
    - CVE-2022-2849
  * SECURITY UPDATE: searching for quotes may go over the end of the line
    - debian/patches/CVE-2022-2124.patch: check for running into the NULL
    - CVE-2022-2124
  * SECURITY UPDATE: lisp indenting my run over the end of the line
    - debian/patches/CVE-2022-2125.patch: check for NULL earlier
    - CVE-2022-2125
  * SECURITY UPDATE: using invalid index when looking for spell suggestions
    - debian/patches/CVE-2022-2126.patch: do not decrement the index when it
      is zero
    - CVE-2022-2126
  * SECURITY UPDATE: out-of-bounds write
    - debian/patches/CVE-2022-2129.patch: prevents the editing of another file
      when either curbuf_lock or textlock is set.
    - CVE-2022-2129
  * SECURITY UPDATE: invalid memory access when using an expression on the
    command line
    - debian/patches/CVE-2022-2175-1.patch: make sure the position does not
      go negative
    - debian/patches/CVE-2022-2175-2.patch: add missing #ifdef FEAT_EVAL
    - debian/patches/fix_Test_cmdwin_jump_to_win.patch: fix
      Test_cmdwin_jump_to_win() test case
    - CVE-2022-2175
  * SECURITY UPDATE: reading beyond the end of the line with lisp indenting
    - debian/patches/CVE-2022-2183.patch: avoid going over the NUL at the end
      of the line
    - CVE-2022-2183
  * SECURITY UPDATE: accessing invalid memory after changing terminal size
    - debian/patches/CVE-2022-2206.patch: adjust cmdline_row and msg_row to
      the value of Rows
    - CVE-2022-2206
  * SECURITY UPDATE: spell dump may go beyond end of an array
    - debian/patches/CVE-2022-2304.patch: limit the word length
    - CVE-2022-2304
  * SECURITY UPDATE: using freed memory with recursive substitution
    - debian/patches/CVE-2022-2345.patch: always make a copy of
      reg_prev_sub
    - CVE-2022-2345
  * SECURITY UPDATE: illegal memory access when pattern starts with
    illegal byte
    - debian/patches/CVE-2022-2581.patch: do not match a character with an
      illegal byte
    - CVE-2022-2581
  * SECURITY UPDATE: null pointer dereference issue
    - debian/patches/CVE-2022-2923.patch: crash when using ":mkspell" with an
      empty .dic file
    - debian/patches/CVE-2022-2980.patch: crash with mouse click when not
      initialized
    - CVE-2022-2923
    - CVE-2022-2980

 -- Nishit Majithia <email address hidden> Mon, 03 Apr 2023 13:15:49 +0530