diff --git a/SOURCES/0001-patch-8.2.4215-illegal-memory-access-when-copying-li.patch b/SOURCES/0001-patch-8.2.4215-illegal-memory-access-when-copying-li.patch
new file mode 100644
index 0000000..604a8ff
--- /dev/null
+++ b/SOURCES/0001-patch-8.2.4215-illegal-memory-access-when-copying-li.patch
@@ -0,0 +1,33 @@
+diff -up vim80/src/ex_cmds.c.cve0361 vim80/src/ex_cmds.c
+--- vim80/src/ex_cmds.c.cve0361	2022-02-08 12:20:51.277666290 +0100
++++ vim80/src/ex_cmds.c	2022-02-08 12:20:51.280666209 +0100
+@@ -983,6 +983,8 @@ ex_copy(linenr_T line1, linenr_T line2,
+     }
+ 
+     appended_lines_mark(n, count);
++    if (VIsual_active)
++	check_pos(curbuf, &VIsual);
+ 
+     msgmore((long)count);
+ }
+diff -up vim80/src/testdir/test_visual.vim.cve0361 vim80/src/testdir/test_visual.vim
+--- vim80/src/testdir/test_visual.vim.cve0361	2022-02-08 12:20:51.280666209 +0100
++++ vim80/src/testdir/test_visual.vim	2022-02-08 12:21:44.530356814 +0100
+@@ -263,3 +263,17 @@ func Test_visual_block_append_invalid_ch
+   call assert_equal(['	-   let xxx', 'xxxxx   -ˆ', 'xxxxxxxx-xxx'], getline(1, 3))
+   bwipe!
+ endfunc
++
++" this was leaving the end of the Visual area beyond the end of a line
++func Test_visual_ex_copy_line()
++  new
++  call setline(1, ["aaa", "bbbbbbbbbxbb"])
++  /x
++  exe "normal ggvjfxO"
++  t0
++  normal gNU
++  bwipe!
++endfunc
++
++
++" vim: shiftwidth=2 sts=2 expandtab
diff --git a/SOURCES/0001-patch-8.2.4218-illegal-memory-access-with-bracketed-.patch b/SOURCES/0001-patch-8.2.4218-illegal-memory-access-with-bracketed-.patch
new file mode 100644
index 0000000..8cb7a44
--- /dev/null
+++ b/SOURCES/0001-patch-8.2.4218-illegal-memory-access-with-bracketed-.patch
@@ -0,0 +1,85 @@
+commit ec45bc7682fd698d8d39f43732129c4d092355f3
+Author: Tomas Korbar <tkorbar@redhat.com>
+Date:   Wed Feb 2 16:30:11 2022 +0100
+
+    Fix illegal memory access with bracketed paste in Ex mode
+
+diff --git a/src/edit.c b/src/edit.c
+index f29fbc7..57b8dce 100644
+--- a/src/edit.c
++++ b/src/edit.c
+@@ -9519,27 +9519,33 @@ bracketed_paste(paste_mode_T mode, int drop, garray_T *gap)
+     int		ret_char = -1;
+     int		save_allow_keys = allow_keys;
+     int		save_paste = p_paste;
+-    int		save_ai = curbuf->b_p_ai;
+ 
+-    /* If the end code is too long we can't detect it, read everything. */
+-    if (STRLEN(end) >= NUMBUFLEN)
++    // If the end code is too long we can't detect it, read everything.
++    if (end != NULL && STRLEN(end) >= NUMBUFLEN)
+ 	end = NULL;
+     ++no_mapping;
+     allow_keys = 0;
+-    p_paste = TRUE;
+-    curbuf->b_p_ai = FALSE;
++    if (!p_paste)
++	// Also have the side effects of setting 'paste' to make it work much
++	// faster.
++	set_option_value((char_u *)"paste", TRUE, NULL, 0);
+ 
+     for (;;)
+     {
+ 	/* When the end is not defined read everything. */
+ 	if (end == NULL && vpeekc() == NUL)
+ 	    break;
+-	c = plain_vgetc();
+-#ifdef FEAT_MBYTE
++	do
++	    c = vgetc();
++	while (c == K_IGNORE || c == K_VER_SCROLLBAR || c == K_HOR_SCROLLBAR);
++	if (c == NUL || got_int || (ex_normal_busy > 0 && c == Ctrl_C))
++	    // When CTRL-C was encountered the typeahead will be flushed and we
++	    // won't get the end sequence.  Except when using ":normal".
++	    break;
++
+ 	if (has_mbyte)
+ 	    idx += (*mb_char2bytes)(c, buf + idx);
+ 	else
+-#endif
+ 	    buf[idx++] = c;
+ 	buf[idx] = NUL;
+ 	if (end != NULL && STRNCMP(buf, end, idx) == 0)
+@@ -9557,7 +9563,8 @@ bracketed_paste(paste_mode_T mode, int drop, garray_T *gap)
+ 		    break;
+ 
+ 		case PASTE_EX:
+-		    if (gap != NULL && ga_grow(gap, idx) == OK)
++		    // add one for the NUL that is going to be appended
++		    if (gap != NULL && ga_grow(gap, idx + 1) == OK)
+ 		    {
+ 			mch_memmove((char *)gap->ga_data + gap->ga_len,
+ 							     buf, (size_t)idx);
+@@ -9582,11 +9589,9 @@ bracketed_paste(paste_mode_T mode, int drop, garray_T *gap)
+ 		case PASTE_ONE_CHAR:
+ 		    if (ret_char == -1)
+ 		    {
+-#ifdef FEAT_MBYTE
+ 			if (has_mbyte)
+ 			    ret_char = (*mb_ptr2char)(buf);
+ 			else
+-#endif
+ 			    ret_char = buf[0];
+ 		    }
+ 		    break;
+@@ -9597,8 +9602,8 @@ bracketed_paste(paste_mode_T mode, int drop, garray_T *gap)
+ 
+     --no_mapping;
+     allow_keys = save_allow_keys;
+-    p_paste = save_paste;
+-    curbuf->b_p_ai = save_ai;
++    if (!save_paste)
++	set_option_value((char_u *)"paste", FALSE, NULL, 0);
+ 
+     return ret_char;
+ }
diff --git a/SOURCES/0001-patch-8.2.4253-using-freed-memory-when-substitute-wi.patch b/SOURCES/0001-patch-8.2.4253-using-freed-memory-when-substitute-wi.patch
new file mode 100644
index 0000000..b37d821
--- /dev/null
+++ b/SOURCES/0001-patch-8.2.4253-using-freed-memory-when-substitute-wi.patch
@@ -0,0 +1,51 @@
+commit c604f3ad4782fde770617ff688e1ceac0dc1bd7c
+Author: Tomas Korbar <tkorbar@redhat.com>
+Date:   Thu Feb 3 10:14:42 2022 +0100
+
+    Fix using freed memory when substitute with function call
+
+diff --git a/src/ex_cmds.c b/src/ex_cmds.c
+index e69fbd3..0788573 100644
+--- a/src/ex_cmds.c
++++ b/src/ex_cmds.c
+@@ -4767,6 +4767,7 @@ do_sub(exarg_T *eap)
+     int		save_do_all;		/* remember user specified 'g' flag */
+     int		save_do_ask;		/* remember user specified 'c' flag */
+     char_u	*pat = NULL, *sub = NULL;	/* init for GCC */
++	char_u	*sub_copy = NULL;
+     int		delimiter;
+     int		sublen;
+     int		got_quit = FALSE;
+@@ -5062,11 +5063,20 @@ do_sub(exarg_T *eap)
+     sub_firstline = NULL;
+ 
+     /*
+-     * ~ in the substitute pattern is replaced with the old pattern.
+-     * We do it here once to avoid it to be replaced over and over again.
+-     * But don't do it when it starts with "\=", then it's an expression.
++     * If the substitute pattern starts with "\=" then it's an expression.
++     * Make a copy, a recursive function may free it.
++     * Otherwise, '~' in the substitute pattern is replaced with the old
++     * pattern.  We do it here once to avoid it to be replaced over and over
++     * again.
+      */
+-    if (!(sub[0] == '\\' && sub[1] == '='))
++    if (sub[0] == '\\' && sub[1] == '=')
++    {
++	sub = vim_strsave(sub);
++	if (sub == NULL)
++	    return;
++	sub_copy = sub;
++    }
++    else
+ 	sub = regtilde(sub, p_magic);
+ 
+     /*
+@@ -5825,6 +5835,7 @@ outofmem:
+ #endif
+ 
+     vim_regfree(regmatch.regprog);
++	vim_free(sub_copy);
+ 
+     /* Restore the flag values, they can be used for ":&&". */
+     subflags.do_all = save_do_all;
diff --git a/SPECS/vim.spec b/SPECS/vim.spec
index ad1194c..8bd7a1d 100644
--- a/SPECS/vim.spec
+++ b/SPECS/vim.spec
@@ -24,7 +24,7 @@ Summary: The VIM editor
 URL:     http://www.vim.org/
 Name: vim
 Version: %{baseversion}.%{patchlevel}
-Release: 16%{?dist}.7
+Release: 16%{?dist}.12
 License: Vim and MIT
 Source0: ftp://ftp.vim.org/pub/vim/unix/vim-%{baseversion}-%{patchlevel}.tar.bz2
 Source1: vim.sh
@@ -94,6 +94,12 @@ Patch3029: 0001-patch-8.2.4120-block-insert-goes-over-the-end-of-the.patch
 Patch3030: 0001-patch-8.2.4151-reading-beyond-the-end-of-a-line.patch
 # CVE-2022-0359 vim: heap-based buffer overflow in init_ccline() in ex_getln.c
 Patch3031: 0001-patch-8.2.4214-illegal-memory-access-with-large-tabs.patch
+# CVE-2022-0392 vim: heap-based buffer overflow in getexmodeline() in ex_getln.c
+Patch3032: 0001-patch-8.2.4218-illegal-memory-access-with-bracketed-.patch
+# CVE-2022-0413 vim: use after free in src/ex_cmds.c
+Patch3033: 0001-patch-8.2.4253-using-freed-memory-when-substitute-wi.patch
+# CVE-2022-0361 vim: Heap-based Buffer Overflow in GitHub repository
+Patch3034: 0001-patch-8.2.4215-illegal-memory-access-when-copying-li.patch
 
 # gcc is no longer in buildroot by default
 BuildRequires: gcc
@@ -302,6 +308,9 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
 %patch3029 -p1 -b .cve0261
 %patch3030 -p1 -b .cve0318
 %patch3031 -p1 -b .cve0359
+%patch3032 -p1 -b .cve0392
+%patch3033 -p1 -b .cve0413
+%patch3034 -p1 -b .cve0361
 
 %build
 %if 0%{?rhel} > 7
@@ -820,6 +829,27 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
 %{_datadir}/icons/locolor/*/apps/*
 
 %changelog
+* Tue Feb 08 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-16.12
+- CVE-2022-0361 vim: Heap-based Buffer Overflow in GitHub repository
+
+* Fri Feb 04 2022 Tomas Korbar <tkorbar@redhat.com> - 2:8.0.1763-16.11
+- CVE-2022-0413 vim: use after free in src/ex_cmds.c
+- Fix specfile problems
+- Resolves: rhbz#2048525
+
+* Thu Feb 03 2022 Tomas Korbar <tkorbar@redhat.com> - 2:8.0.1763-16.10
+- CVE-2022-0413 vim: use after free in src/ex_cmds.c
+- Resolves: rhbz#2048525
+
+* Wed Feb 02 2022 Tomas Korbar <tkorbar@redhat.com> - 2:8.0.1763-16.9
+- CVE-2022-0392 vim: heap-based buffer overflow in getexmodeline() in ex_getln.c
+- Improve fix
+- Resolves: rhbz#2049403
+
+* Wed Feb 02 2022 Tomas Korbar <tkorbar@redhat.com> - 2:8.0.1763-16.8
+- CVE-2022-0392 vim: heap-based buffer overflow in getexmodeline() in ex_getln.c
+- Resolves: rhbz#2049403
+
 * Thu Jan 27 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.0.1763-16.7
 - CVE-2022-0359 vim: heap-based buffer overflow in init_ccline() in ex_getln.c