Bug#1019590: vim: CVE-2022-2946 CVE-2022-2982 CVE-2022-3037 CVE-2022-3099 CVE-2022-3134

[Moritz Mühlenhoff]

Source: vim
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for vim.

CVE-2022-2946[0]:
| Use After Free in GitHub repository vim/vim prior to 9.0.0246.

https://huntr.dev/bounties/5d389a18-5026-47df-a5d0-1548a9b555d5
https://github.com/vim/vim/commit/adce965162dd89bf29ee0e5baf53652e7515762c 
(v9.0.0246)

CVE-2022-2982[1]:
| Use After Free in GitHub repository vim/vim prior to 9.0.0260.

https://huntr.dev/bounties/53f53d9a-ba8a-4985-b7ba-23efbe6833be
https://github.com/vim/vim/commit/d6c67629ed05aae436164eec474832daf8ba7420 
(v9.0.0260)

CVE-2022-3037[2]:
| Use After Free in GitHub repository vim/vim prior to 9.0.0322.

https://huntr.dev/bounties/af4c2f2d-d754-4607-b565-9e92f3f717b5
https://github.com/vim/vim/commit/4f1b083be43f351bc107541e7b0c9655a5d2c0bb 
(v9.0.0322)

CVE-2022-3099[3]:
| Use After Free in GitHub repository vim/vim prior to 9.0.0360.

https://huntr.dev/bounties/403210c7-6cc7-4874-8934-b57f88bd4f5e
https://github.com/vim/vim/commit/35d21c6830fc2d68aca838424a0e786821c5891c 
(v9.0.0360)

CVE-2022-3134[4]:
| Use After Free in GitHub repository vim/vim prior to 9.0.0389.

https://huntr.dev/bounties/6ec79e49-c7ab-4cd6-a517-e7934c2eb9dc
https://github.com/vim/vim/commit/ccfde4d028e891a41e3548323c3d47b06fb0b83e 
(v9.0.0389)


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-2946
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2946
[1] https://security-tracker.debian.org/tracker/CVE-2022-2982
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2982
[2] https://security-tracker.debian.org/tracker/CVE-2022-3037
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3037
[3] https://security-tracker.debian.org/tracker/CVE-2022-3099
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3099
[4] https://security-tracker.debian.org/tracker/CVE-2022-3134
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3134

Please adjust the affected versions in the BTS as needed.