authorKevin Daudt <kdaudt@alpinelinux.org>2019-06-05 18:31:28 +0000
committerKevin Daudt <kdaudt@alpinelinux.org>2019-06-05 18:31:28 +0000
commit74071d50c5e7b91e5a0c1803758fcb1de721d712 (patch)
tree606557adb6158c91a19af9577461522bbad9451c
parent165df433b6fd3e30ce578c4f54946a2079aa963c (diff)
downloadaports-74071d50c5e7b91e5a0c1803758fcb1de721d712.tar.bz2
aports-74071d50c5e7b91e5a0c1803758fcb1de721d712.tar.xz
main/vim: security fix for CVE-2019-12735
An arbitrary code execution vulnerability has been found in vim modelines. The upstream patch has been applied: https://github.com/vim/vim/commit/53575521406739cf20bbe4e384d88e7dca11f040.patch
-rw-r--r--main/vim/APKBUILD6
-rw-r--r--main/vim/vim-modeline-ace-fix.patch60
2 files changed, 64 insertions, 2 deletions
diff --git a/main/vim/APKBUILD b/main/vim/APKBUILD
index af0651a78c..09037792c4 100644
--- a/main/vim/APKBUILD
+++ b/main/vim/APKBUILD
@@ -4,7 +4,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=vim
pkgver=8.0.1359
-pkgrel=0
+pkgrel=1
pkgdesc="advanced text editor"
url="http://www.vim.org"
arch="all"
@@ -15,6 +15,7 @@ makedepends="ncurses-dev lua5.2-dev python3-dev"
subpackages="$pkgname-doc ${pkgname}diff::noarch"
source="$pkgname-$pkgver.tar.gz::https://github.com/$pkgname/$pkgname/archive/v$pkgver.tar.gz
vimrc
+ vim-modeline-ace-fix.patch
"
builddir="$srcdir/$pkgname-$pkgver"
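Review bot: The patch added to `source=` here is upstream patch 8.1.1365 vendored verbatim, but pkgver stays at 8.0.1359 in the first hunk of this file, so the vendored patch's src/version.c hunk expects `1364,` as context and its src/testdir/test_source.vim hunk expects the existing SourcePre/SourcePost test body, neither of which the 8.0.1359 tree is guaranteed to contain; depending on that tree those two hunks are either rejected (and default_prepare aborts the build) or applied with fuzz, which would register patch 1365 in included_patches of an 8.0 build. Only the src/getchar.c hunk, the `check_secure()` guard in openscript(), carries the CVE-2019-12735 fix, so I would trim vim-modeline-ace-fix.patch to that hunk before vendoring it, regenerate its sha512sum in the last hunk of this file, and keep the upstream commit id and the CVE in the patch header for traceability. This is inferred from the vendored patch's context lines rather than verified against the 8.0.1359 tree.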
@@ -66,4 +67,5 @@ vimdiff() {
}
sha512sums="4166a5ef190f62a09fad15cb2a3daf9a5e1df4eb788d9ef8ca0024731a0e6afc205f4bdb3111ff9e8685907fbbb7cf97238f83a5e6db3a33de60fac757908340 vim-8.0.1359.tar.gz
-d9586b777881973cb5e48e18750336a522ed72c3127b2d6b6991e2b943468ca5b694476e7fa39ab469178c1375fc8f52627484e0fe377aea5811a513e35a7b02 vimrc"
+d9586b777881973cb5e48e18750336a522ed72c3127b2d6b6991e2b943468ca5b694476e7fa39ab469178c1375fc8f52627484e0fe377aea5811a513e35a7b02 vimrc
+9ffd4b88720308c94a1a5c015501f5818a9c8e671b9b10a36177eb15eb3730ab9463d031030b18033d058f303ba46029c622540d10fc33c8415a9394f4770a1e vim-modeline-ace-fix.patch"
diff --git a/main/vim/vim-modeline-ace-fix.patch b/main/vim/vim-modeline-ace-fix.patch
new file mode 100644
index 0000000000..86c9f5b9b4
--- /dev/null
+++ b/main/vim/vim-modeline-ace-fix.patch
@@ -0,0 +1,60 @@
+From 53575521406739cf20bbe4e384d88e7dca11f040 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Wed, 22 May 2019 22:38:25 +0200
+Subject: [PATCH] patch 8.1.1365: source command doesn't check for the sandbox
+
+Problem: Source command doesn't check for the sandbox. (Armin Razmjou)
+Solution: Check for the sandbox when sourcing a file.
+---
+ src/getchar.c | 6 ++++++
+ src/testdir/test_source.vim | 9 +++++++++
+ src/version.c | 2 ++
+ 3 files changed, 17 insertions(+)
+
+diff --git a/src/getchar.c b/src/getchar.c
+index 9379a6a8d4..debad7efd2 100644
+--- a/src/getchar.c
++++ b/src/getchar.c
+@@ -1407,6 +1407,12 @@ openscript(
+ emsg(_(e_nesting));
+ return;
+ }
++
++ // Disallow sourcing a file in the sandbox, the commands would be executed
++ // later, possibly outside of the sandbox.
++ if (check_secure())
++ return;
++
+ #ifdef FEAT_EVAL
+ if (ignore_script)
+ /* Not reading from script, also don't open one. Warning message? */
+diff --git a/src/testdir/test_source.vim b/src/testdir/test_source.vim
+index a33d286e75..5166bafb15 100644
+--- a/src/testdir/test_source.vim
++++ b/src/testdir/test_source.vim
+@@ -36,3 +36,12 @@ func Test_source_cmd()
+ au! SourcePre
+ au! SourcePost
+ endfunc
++
++func Test_source_sandbox()
++ new
++ call writefile(["Ohello\<Esc>"], 'Xsourcehello')
++ source! Xsourcehello | echo
++ call assert_equal('hello', getline(1))
++ call assert_fails('sandbox source! Xsourcehello', 'E48:')
++ bwipe!
++endfunc
+diff --git a/src/version.c b/src/version.c
+index b0736df46a..b2fcbfb14c 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -767,6 +767,8 @@ static char *(features[]) =
+
+ static int included_patches[] =
+ { /* Add new patch number below this line */
++/**/
++ 1365,
+ /**/
+ 1364,
+ /**/