diff --git a/gnutls-2.6.6-cve-2009-2730.patch b/gnutls-2.6.6-cve-2009-2730.patch
new file mode 100644
index 0000000..deb174d
--- /dev/null
+++ b/gnutls-2.6.6-cve-2009-2730.patch
@@ -0,0 +1,232 @@
+diff -up gnutls-2.6.6/lib/gnutls_str.c.decoding gnutls-2.6.6/lib/gnutls_str.c
+--- gnutls-2.6.6/lib/gnutls_str.c.decoding	2009-04-24 00:01:23.000000000 +0200
++++ gnutls-2.6.6/lib/gnutls_str.c	2009-08-14 13:55:31.000000000 +0200
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (C) 2002, 2004, 2005, 2007, 2008  Free Software Foundation
++ * Copyright (C) 2002, 2004, 2005, 2007, 2008, 2009  Free Software Foundation
+  *
+  * Author: Nikos Mavrogiannopoulos
+  *
+@@ -330,17 +330,22 @@ _gnutls_hex2bin (const opaque * hex_data
+ 
+ /* compare hostname against certificate, taking account of wildcards
+  * return 1 on success or 0 on error
++ *
++ * note: certnamesize is required as X509 certs can contain embedded NULs in
++ * the strings such as CN or subjectAltName
+  */
+ int
+-_gnutls_hostname_compare (const char *certname, const char *hostname)
++_gnutls_hostname_compare (const char *certname,
++			  size_t certnamesize,
++			  const char *hostname)
+ {
+   /* find the first different character */
+   for (; *certname && *hostname && toupper (*certname) == toupper (*hostname);
+-       certname++, hostname++)
++       certname++, hostname++, certnamesize--)
+     ;
+ 
+   /* the strings are the same */
+-  if (strlen (certname) == 0 && strlen (hostname) == 0)
++  if (certnamesize == 0 && *hostname == '\0')
+     return 1;
+ 
+   if (*certname == '*')
+@@ -348,15 +353,16 @@ _gnutls_hostname_compare (const char *ce
+       /* a wildcard certificate */
+ 
+       certname++;
++      certnamesize--;
+ 
+       while (1)
+ 	{
+ 	  /* Use a recursive call to allow multiple wildcards */
+-	  if (_gnutls_hostname_compare (certname, hostname))
+-	    {
+-	      return 1;
+-	    }
+-	  /* wildcards are only allowed to match a single domain component or component fragment */
++	  if (_gnutls_hostname_compare (certname, certnamesize, hostname))
++	    return 1;
++
++	  /* wildcards are only allowed to match a single domain
++	     component or component fragment */
+ 	  if (*hostname == '\0' || *hostname == '.')
+ 	    break;
+ 	  hostname++;
+diff -up gnutls-2.6.6/lib/gnutls_str.h.decoding gnutls-2.6.6/lib/gnutls_str.h
+--- gnutls-2.6.6/lib/gnutls_str.h.decoding	2009-04-24 00:01:23.000000000 +0200
++++ gnutls-2.6.6/lib/gnutls_str.h	2009-08-14 13:54:25.000000000 +0200
+@@ -68,7 +68,7 @@ char *_gnutls_bin2hex (const void *old, 
+ int _gnutls_hex2bin (const opaque * hex_data, int hex_size, opaque * bin_data,
+ 		     size_t * bin_size);
+ 
+-int _gnutls_hostname_compare (const char *certname, const char *hostname);
++int _gnutls_hostname_compare (const char *certname, size_t certnamesize, const char *hostname);
+ #define MAX_CN 256
+ 
+ #endif
+diff -up gnutls-2.6.6/lib/openpgp/pgp.c.decoding gnutls-2.6.6/lib/openpgp/pgp.c
+--- gnutls-2.6.6/lib/openpgp/pgp.c.decoding	2009-04-18 13:09:50.000000000 +0200
++++ gnutls-2.6.6/lib/openpgp/pgp.c	2009-08-14 13:54:25.000000000 +0200
+@@ -570,7 +570,7 @@ gnutls_openpgp_crt_check_hostname (gnutl
+ 
+       if (ret == 0)
+ 	{
+-	  if (_gnutls_hostname_compare (dnsname, hostname))
++	  if (_gnutls_hostname_compare (dnsname, dnsnamesize, hostname))
+ 	    return 1;
+ 	}
+     }
+diff -up gnutls-2.6.6/lib/x509/common.c.decoding gnutls-2.6.6/lib/x509/common.c
+--- gnutls-2.6.6/lib/x509/common.c.decoding	2009-04-24 00:01:23.000000000 +0200
++++ gnutls-2.6.6/lib/x509/common.c	2009-08-14 13:48:53.000000000 +0200
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation
++ * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation
+  *
+  * Author: Nikos Mavrogiannopoulos
+  *
+@@ -242,6 +242,10 @@ _gnutls_x509_oid_data2string (const char
+     {
+       str[len] = 0;
+ 
++      /* Refuse to deal with strings containing NULs. */
++      if (strlen (str) != len)
++	return GNUTLS_E_ASN1_DER_ERROR;
++
+       if (res)
+ 	_gnutls_str_cpy (res, *res_size, str);
+       *res_size = len;
+@@ -291,25 +295,27 @@ _gnutls_x509_oid_data2string (const char
+ 	    non_printable = 0;
+ 	}
+ 
+-      if (res)
++      if (non_printable == 0)
+ 	{
+-	  if (non_printable == 0)
+-	    {
+-	      str[len] = 0;
+-	      _gnutls_str_cpy (res, *res_size, str);
+-	      *res_size = len;
+-	    }
+-	  else
++	  str[len] = 0;
++
++	  /* Refuse to deal with strings containing NULs. */
++	  if (strlen (str) != len)
++	    return GNUTLS_E_ASN1_DER_ERROR;
++
++	  if (res)
++	    _gnutls_str_cpy (res, *res_size, str);
++	  *res_size = len;
++	}
++      else
++	{
++	  result = _gnutls_x509_data2hex (str, len, res, res_size);
++	  if (result < 0)
+ 	    {
+-	      result = _gnutls_x509_data2hex (str, len, res, res_size);
+-	      if (result < 0)
+-		{
+-		  gnutls_assert ();
+-		  return result;
+-		}
++	      gnutls_assert ();
++	      return result;
+ 	    }
+ 	}
+-
+     }
+ 
+   return 0;
+diff -up gnutls-2.6.6/lib/x509/output.c.decoding gnutls-2.6.6/lib/x509/output.c
+--- gnutls-2.6.6/lib/x509/output.c.decoding	2009-04-24 00:01:23.000000000 +0200
++++ gnutls-2.6.6/lib/x509/output.c	2009-08-14 13:53:19.000000000 +0200
+@@ -319,6 +319,17 @@ print_crldist (gnutls_string * str, gnut
+ 	  return;
+ 	}
+ 
++      if ((err == GNUTLS_SAN_DNSNAME
++	   || err == GNUTLS_SAN_RFC822NAME
++	   || err == GNUTLS_SAN_URI) &&
++	  strlen (buffer) != size)
++	{
++	  adds (str, _("warning: distributionPoint contains an embedded NUL, "
++		       "replacing with '!'\n"));
++	  while (strlen (buffer) < size)
++	    buffer[strlen (buffer)] = '!';
++	}
++
+       switch (err)
+ 	{
+ 	case GNUTLS_SAN_DNSNAME:
+@@ -476,6 +487,17 @@ print_san (gnutls_string * str, gnutls_x
+ 	  return;
+ 	}
+ 
++      if ((err == GNUTLS_SAN_DNSNAME
++	   || err == GNUTLS_SAN_RFC822NAME
++	   || err == GNUTLS_SAN_URI) &&
++	  strlen (buffer) != size)
++	{
++	  adds (str, _("warning: SAN contains an embedded NUL, "
++		       "replacing with '!'\n"));
++	  while (strlen (buffer) < size)
++	    buffer[strlen (buffer)] = '!';
++	}
++
+       switch (err)
+ 	{
+ 	case GNUTLS_SAN_DNSNAME:
+@@ -534,7 +556,16 @@ print_san (gnutls_string * str, gnutls_x
+ 	      }
+ 
+ 	    if (err == GNUTLS_SAN_OTHERNAME_XMPP)
++	      {
++		if (strlen (buffer) != size)
++		  {
++		    adds (str, _("warning: SAN contains an embedded NUL, "
++				 "replacing with '!'\n"));
++		    while (strlen (buffer) < size)
++		      buffer[strlen (buffer)] = '!';
++		  }
+ 	      addf (str, _("\t\t\tXMPP Address: %.*s\n"), size, buffer);
++	      }
+ 	    else
+ 	      {
+ 		addf (str, _("\t\t\totherName OID: %.*s\n"), oidsize, oid);
+diff -up gnutls-2.6.6/lib/x509/rfc2818_hostname.c.decoding gnutls-2.6.6/lib/x509/rfc2818_hostname.c
+--- gnutls-2.6.6/lib/x509/rfc2818_hostname.c.decoding	2009-04-18 13:09:50.000000000 +0200
++++ gnutls-2.6.6/lib/x509/rfc2818_hostname.c	2009-08-14 13:54:25.000000000 +0200
+@@ -74,7 +74,7 @@ gnutls_x509_crt_check_hostname (gnutls_x
+       if (ret == GNUTLS_SAN_DNSNAME)
+ 	{
+ 	  found_dnsname = 1;
+-	  if (_gnutls_hostname_compare (dnsname, hostname))
++	  if (_gnutls_hostname_compare (dnsname, dnsnamesize, hostname))
+ 	    {
+ 	      return 1;
+ 	    }
+@@ -84,7 +84,7 @@ gnutls_x509_crt_check_hostname (gnutls_x
+ 	  found_dnsname = 1;	/* RFC 2818 is unclear whether the CN
+ 				   should be compared for IP addresses
+ 				   too, but we won't do it.  */
+-	  if (_gnutls_hostname_compare (dnsname, hostname))
++	  if (_gnutls_hostname_compare (dnsname, dnsnamesize, hostname))
+ 	    {
+ 	      return 1;
+ 	    }
+@@ -104,7 +104,7 @@ gnutls_x509_crt_check_hostname (gnutls_x
+ 	  return 0;
+ 	}
+ 
+-      if (_gnutls_hostname_compare (dnsname, hostname))
++      if (_gnutls_hostname_compare (dnsname, dnsnamesize, hostname))
+ 	{
+ 	  return 1;
+ 	}
diff --git a/gnutls.spec b/gnutls.spec
index 349928a..fd8d28e 100644
--- a/gnutls.spec
+++ b/gnutls.spec
@@ -1,7 +1,7 @@
 Summary: A TLS protocol implementation
 Name: gnutls
 Version: 2.6.6
-Release: 1%{?dist}
+Release: 2%{?dist}
 # The libgnutls library is LGPLv2+, utilities and remaining libraries are GPLv3+
 License: GPLv3+ and LGPLv2+
 Group: System Environment/Libraries
@@ -16,6 +16,7 @@ URL: http://www.gnutls.org/
 Source0: %{name}-%{version}-nosrp.tar.bz2
 Source1: libgnutls-config
 Patch1: gnutls-2.6.2-nosrp.patch
+Patch2: gnutls-2.6.6-cve-2009-2730.patch
 
 BuildRoot:  %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Requires: libgcrypt >= 1.2.2
@@ -68,6 +69,7 @@ This package contains Guile bindings for the library.
 %prep
 %setup -q
 %patch1 -p1 -b .nosrp
+%patch2 -p1 -b .decoding
 
 for i in auth_srp_rsa.c auth_srp_sb64.c auth_srp_passwd.c auth_srp.c gnutls_srp.c ext_srp.c; do
     touch lib/$i
@@ -149,6 +151,10 @@ fi
 %{_datadir}/guile/site/gnutls.scm
 
 %changelog
+* Fri Aug 14 2009 Tomas Mraz <tmraz@redhat.com> 2.6.6-2
+- fix CVE-2009-2730 - handling of NUL chars in certificate
+  CNs and SANs
+
 * Mon May  4 2009 Tomas Mraz <tmraz@redhat.com> 2.6.6-1
 - upgrade to a new upstream version - security fixes