Package: vim / 2:9.0.1378-2+deb12u2

Metadata

Package: vim
Version: 2:9.0.1378-2+deb12u2
Patches format: 3.0 (quilt)

Patch series

Patch | File delta | Description
debian/Support sourcing a vimrc.tiny when Vim is invoked as vi.patch

src/main.c | 23 22 + 1 - 0 !
src/os_unix.h | 3 3 + 0 - 0 !
src/structs.h | 3 3 + 0 - 0 !
3 files changed, 28 insertions(+), 1 deletion(-)

 support sourcing a vimrc.tiny when vim is invoked as vi

This is used only in the vim-tiny package to allow a specific
configuration for vim-tiny's vi.  The vim-tiny package is substantially

debian/Detect the rst filetype using the contents of the file.patch

runtime/autoload/dist/script.vim | 8 8 + 0 - 0 !
1 file changed, 8 insertions(+)

 detect the rst filetype using the contents of the file

Closes: #382541

debian/Add recognition of more LaTeX commands for tex filetype d.patch

runtime/autoload/dist/ft.vim | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 add recognition of more latex commands for tex filetype detection

Since filetype detection of TeX files defaults to plaintex, we've added
detection of some additional LaTeX commands to help sway the detection
to LaTeX.

Closes: #384479
Signed-off-by: James McCoy <jamessan@debian.org>

debian/Document Debian s decision to disable modelines by defaul.patch

runtime/doc/options.txt | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 document debian's decision to disable modelines by default

Modelines have historically been a source of vulnerabilities in Vim.
As long as it remains a "blacklist suspected/proven dangerous options"
instead of a "whitelist allowed options" piece of functionality,
Debian's system-wide vimrc will maintain this setting.  As such, the
documentation needs to be updated to reflect the induced behavior.

Closes: #472522
Signed-off-by: James McCoy <jamessan@debian.org>

patch 9.0.1499 using uninitialized memory with fuzzy matc.patch

src/quickfix.c | 5 4 + 1 - 0 !
src/search.c | 17 7 + 10 - 0 !
src/testdir/test_matchfuzzy.vim | 27 27 + 0 - 0 !
src/version.c | 2 2 + 0 - 0 !
4 files changed, 40 insertions(+), 11 deletions(-)

 patch 9.0.1499: using uninitialized memory with fuzzy matching

Problem:    Using uninitialized memory with fuzzy matching.
Solution:   Initialize the arrays used to store match positions.

Closes: #1035323

Fix GH 267 where indent after a sub would not work.patch

runtime/indent/perl.vim | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 fix gh#267 where indent after a sub would not work

Closes: #1034529
Signed-off-by: James McCoy <jamessan@debian.org>

CVE 2023 2610.patch

src/regexp.c | 30 19 + 11 - 0 !
src/version.c | 2 2 + 0 - 0 !
2 files changed, 21 insertions(+), 11 deletions(-)

 patch 9.0.1532: crash when expanding "~" in substitute causes very
 long text

Problem:    Crash when expanding "~" in substitute causes very long text.
Solution:   Limit the text length to MAXCOL.
(cherry picked from commit ab9a2d884b3a4abe319606ea95a5a6d6b01cd73a)

CVE 2023 4738.patch

src/ex_cmds.c | 3 3 + 0 - 0 !
src/regexp.c | 3 2 + 1 - 0 !
src/testdir/crash/vim_regsub_both | 10 10 + 0 - 0 !
src/version.c | 2 2 + 0 - 0 !
4 files changed, 17 insertions(+), 1 deletion(-)

 patch 9.0.1848: [security] buffer-overflow in vim_regsub_both()

Problem:  buffer-overflow in vim_regsub_both()
Solution: Check remaining space

Signed-off-by: Christian Brabandt <cb@256bit.org>
(cherry picked from commit ced2c7394aafdc90fb7845e09b3a3fee23d48cb1)

CVE 2023 4752.patch

src/insexpand.c | 2 1 + 1 - 0 !
src/testdir/crash/poc_tagfunc.vim | 6 6 + 0 - 0 !
src/version.c | 2 2 + 0 - 0 !
3 files changed, 9 insertions(+), 1 deletion(-)

 patch 9.0.1858: [security] heap use after free in
 ins_compl_get_exp()

Problem:  heap use after free in ins_compl_get_exp()
Solution: validate buffer before accessing it

Signed-off-by: Christian Brabandt <cb@256bit.org>
(cherry picked from commit ee9166eb3b41846661a39b662dc7ebe8b5e15139)

CVE 2023 4781.patch

src/ex_cmds.c | 3 3 + 0 - 0 !
src/testdir/crash/vim_regsub_both_poc | 23 23 + 0 - 0 !
src/version.c | 2 2 + 0 - 0 !
src/window.c | 5 5 + 0 - 0 !
4 files changed, 33 insertions(+)

 patch 9.0.1873: [security] heap-buffer-overflow in vim_regsub_both

Problem:  heap-buffer-overflow in vim_regsub_both
Solution: Disallow exchanging windows when textlock is active

Signed-off-by: Christian Brabandt <cb@256bit.org>
(cherry picked from commit f6d28fe2c95c678cc3202cc5dc825a3fcc709e93)

CVE 2023 5344.patch

src/message.c | 2 1 + 1 - 0 !
src/version.c | 2 2 + 0 - 0 !
2 files changed, 3 insertions(+), 1 deletion(-)

 patch 9.0.1969: [security] buffer-overflow in trunc_string()

Problem:  buffer-overflow in trunc_string()
Solution: Add NULL at end of buffer

Currently trunc_string() assumes that when the string is too long,
buf[e-1] will always be writeable. But that assumption may not always be
true. The condition currently looks like this

    else if (e + 3 < buflen)
    [...]
    else
    {
	// can't fit in the "...", just truncate it
	buf[e - 1] = NUL;
    }

but this means, we may run into the last else clause with e still being
larger than buflen. So a buffer overflow occurs.

So instead of using `buf[e - 1]`, let's just always
truncate at `buf[buflen - 1]` which should always be writable.

Signed-off-by: Christian Brabandt <cb@256bit.org>
(cherry picked from commit 3bd7fa12e146c6051490d048a4acbfba974eeb04)

CVE 2024 22667.patch

src/map.c | 2 1 + 1 - 0 !
src/option.c | 14 8 + 6 - 0 !
src/option.h | 2 2 + 0 - 0 !
src/optionstr.c | 59 37 + 22 - 0 !
src/proto/optionstr.pro | 4 2 + 2 - 0 !
src/structs.h | 2 2 + 0 - 0 !
src/testdir/crash/poc_did_set_langmap | 1 1 + 0 - 0 !
src/version.c | 2 2 + 0 - 0 !
8 files changed, 55 insertions(+), 31 deletions(-)

 patch 9.0.2142: [security]: stack-buffer-overflow in option callback
 functions

Problem:  [security]: stack-buffer-overflow in option callback functions
Solution: pass size of errbuf down the call stack, use snprintf()
          instead of sprintf()

We pass the error buffer down to the option callback functions, but in
some parts of the code, we simply use sprintf(buf) to write into the error
buffer, which can overflow.

So let's pass down the length of the error buffer and use sprintf(buf, size)
instead.

Reported by @henices, thanks!

Signed-off-by: Christian Brabandt <cb@256bit.org>
(cherry picked from commit b39b240c386a5a29241415541f1c99e2e6b8ce47)

CVE 2024 43802.patch

src/getchar.c | 15 12 + 3 - 0 !
src/testdir/crash/heap_overflow3 | 44 44 + 0 - 0 !
2 files changed, 56 insertions(+), 3 deletions(-)

 patch 9.1.0697: [security]: heap-buffer-overflow in ins_typebuf

Problem:  heap-buffer-overflow in ins_typebuf
          (SuyueGuo)
Solution: When flushing the typeahead buffer, validate that there
          is enough space left

Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-4ghr-c62x-cqfh

Signed-off-by: Christian Brabandt <cb@256bit.org>
(cherry picked from commit 322ba9108612bead5eb7731ccb66763dec69ef1b)

CVE 2024 47814.patch

src/buffer.c | 6 6 + 0 - 0 !
src/ex_cmds.c | 12 12 + 0 - 0 !
src/proto/buffer.pro | 1 1 + 0 - 0 !
3 files changed, 19 insertions(+)

 patch 9.1.0764: [security]: use-after-free when closing a buffer

Problem:  [security]: use-after-free when closing a buffer
Solution: When splitting the window and editing a new buffer,
          check whether the newly to be edited buffer has been marked
          for deletion and abort in this case

Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-rj48-v4mq-j4vg

Signed-off-by: Christian Brabandt <cb@256bit.org>
(cherry picked from commit 51b62387be93c65fa56bbabe1c3c1ea5df187641)