diff --git a/patch-CVE-2010-4651.patch b/patch-CVE-2010-4651.patch
new file mode 100644
index 0000000..d7556b6
--- /dev/null
+++ b/patch-CVE-2010-4651.patch
@@ -0,0 +1,132 @@
+diff -U0 patch-2.6.1/ChangeLog.CVE-2010-4651 patch-2.6.1/ChangeLog
+diff -up patch-2.6.1/Makefile.in.CVE-2010-4651 patch-2.6.1/Makefile.in
+--- patch-2.6.1/Makefile.in.CVE-2010-4651	2011-02-08 11:26:21.782503673 +0000
++++ patch-2.6.1/Makefile.in	2011-02-08 11:26:56.004078346 +0000
+@@ -192,6 +192,7 @@ installcheck::
+ TESTS = \
+ 	tests/asymmetric-hunks \
+ 	tests/backup-prefix-suffix \
++	tests/bad-filenames \
+ 	tests/corrupt-reject-files \
+ 	tests/create-delete \
+ 	tests/crlf-handling \
+diff -up patch-2.6.1/NEWS.CVE-2010-4651 patch-2.6.1/NEWS
+diff -up patch-2.6.1/src/pch.c.CVE-2010-4651 patch-2.6.1/src/pch.c
+--- patch-2.6.1/src/pch.c.CVE-2010-4651	2009-12-30 12:56:30.000000000 +0000
++++ patch-2.6.1/src/pch.c	2011-02-08 11:25:53.821034698 +0000
+@@ -3,7 +3,7 @@
+ /* Copyright (C) 1986, 1987, 1988 Larry Wall
+ 
+    Copyright (C) 1990, 1991, 1992, 1993, 1997, 1998, 1999, 2000, 2001,
+-   2002, 2003, 2006, 2009 Free Software Foundation, Inc.
++   2002, 2003, 2006, 2009, 2011 Free Software Foundation, Inc.
+ 
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+@@ -194,11 +194,31 @@ grow_hunkmax (void)
+     return false;
+ }
+ 
++static void
++validate_target_name (char const *n)
++{
++  char const *p = n;
++  if (IS_ABSOLUTE_FILE_NAME (p))
++    fatal ("rejecting absolute target file name: %s", quotearg (p));
++  while (*p)
++    {
++      if (*p == '.' && *++p == '.' && ( ! *++p || ISSLASH (*p)))
++	fatal ("rejecting target file name with \"..\" component: %s",
++	       quotearg (n));
++      while (*p && ! ISSLASH (*p))
++	p++;
++      while (ISSLASH (*p))
++	p++;
++    }
++}
++
+ static bool
+ maybe_reverse (char const *name, bool nonexistent, bool is_empty)
+ {
+   bool looks_reversed = (! is_empty) < p_says_nonexistent[reverse ^ is_empty];
+ 
++  validate_target_name (name);
++
+   if (looks_reversed)
+     reverse ^=
+       ok_to_reverse ("The next patch%s would %s the file %s,\nwhich %s!",
+@@ -725,6 +745,7 @@ intuit_diff_type (bool need_header)
+ 	inerrno = stat_errno[i];
+ 	invc = version_controlled[i];
+ 	instat = st[i];
++	validate_target_name (inname);
+       }
+ 
+     return retval;
+diff -up patch-2.6.1/tests/bad-filenames.CVE-2010-4651 patch-2.6.1/tests/bad-filenames
+--- patch-2.6.1/tests/bad-filenames.CVE-2010-4651	2011-02-08 11:24:57.517092060 +0000
++++ patch-2.6.1/tests/bad-filenames	2011-02-08 11:24:57.518092076 +0000
+@@ -0,0 +1,63 @@
++# Copyright (C) 2011 Free Software Foundation, Inc.
++#
++# Copying and distribution of this file, with or without modification,
++# in any medium, are permitted without royalty provided the copyright
++# notice and this notice are preserved.
++
++. $srcdir/test-lib.sh
++
++use_local_patch
++use_tmpdir
++
++# ================================================================
++
++emit_2()
++{
++cat <<EOF
++--- $1
+++++ $2
++@@ -0,0 +1 @@
+++x
++EOF
++}
++
++emit_patch() { emit_2 /dev/null "$1"; }
++
++# Ensure that patch rejects an output file name that is absolute
++# or that contains a ".." component.
++
++check 'emit_patch /absolute/path | patch -p0; echo status: $?' <<EOF
++$PATCH: **** rejecting absolute target file name: /absolute/path
++status: 2
++EOF
++
++check 'emit_patch a/../z | patch -p0; echo status: $?' <<EOF
++$PATCH: **** rejecting target file name with ".." component: a/../z
++status: 2
++EOF
++
++check 'emit_patch a/../z | patch -p1; echo status: $?' <<EOF
++$PATCH: **** rejecting target file name with ".." component: ../z
++status: 2
++EOF
++
++check 'emit_patch a/.. | patch -p0; echo status: $?' <<EOF
++$PATCH: **** rejecting target file name with ".." component: a/..
++status: 2
++EOF
++
++check 'emit_patch ../z | patch -p0; echo status: $?' <<EOF
++$PATCH: **** rejecting target file name with ".." component: ../z
++status: 2
++EOF
++
++check 'emit_2 /abs/path target | patch -p0; echo status: $?' <<EOF
++patching file target
++status: 0
++EOF
++
++echo x > target
++check 'emit_2 /abs/path target | patch -R -p0; echo status: $?' <<EOF
++patching file target
++status: 0
++EOF
diff --git a/patch-selinux.patch b/patch-selinux.patch
index 45ed818..904539c 100644
--- a/patch-selinux.patch
+++ b/patch-selinux.patch
@@ -1,6 +1,6 @@
 diff -up patch-2.6.1/Makefile.in.selinux patch-2.6.1/Makefile.in
---- patch-2.6.1/Makefile.in.selinux	2009-12-30 12:56:30.000000000 +0000
-+++ patch-2.6.1/Makefile.in	2010-08-16 17:36:31.778174077 +0100
+--- patch-2.6.1/Makefile.in.selinux	2011-02-08 11:29:34.590271489 +0000
++++ patch-2.6.1/Makefile.in	2011-02-08 11:29:34.602271607 +0000
 @@ -40,7 +40,7 @@ EXEEXT = @EXEEXT@
  LDFLAGS = @LDFLAGS@
  LIBOBJDIR = gl/lib/
@@ -12,7 +12,7 @@ diff -up patch-2.6.1/Makefile.in.selinux patch-2.6.1/Makefile.in
  PACKAGE_VERSION = @PACKAGE_VERSION@
 diff -up patch-2.6.1/src/common.h.selinux patch-2.6.1/src/common.h
 --- patch-2.6.1/src/common.h.selinux	2009-12-30 12:56:30.000000000 +0000
-+++ patch-2.6.1/src/common.h	2010-08-16 17:36:31.779174533 +0100
++++ patch-2.6.1/src/common.h	2011-02-08 11:29:34.602271607 +0000
 @@ -32,6 +32,8 @@
  #include <sys/types.h>
  #include <time.h>
@@ -31,8 +31,8 @@ diff -up patch-2.6.1/src/common.h.selinux patch-2.6.1/src/common.h
  XTERN bool posixly_correct;
  
 diff -up patch-2.6.1/src/inp.c.selinux patch-2.6.1/src/inp.c
---- patch-2.6.1/src/inp.c.selinux	2010-08-16 17:36:31.767177911 +0100
-+++ patch-2.6.1/src/inp.c	2010-08-16 17:36:59.356174175 +0100
+--- patch-2.6.1/src/inp.c.selinux	2011-02-08 11:29:34.576271352 +0000
++++ patch-2.6.1/src/inp.c	2011-02-08 11:29:34.604271627 +0000
 @@ -152,8 +152,18 @@ get_input_file (char const *filename, ch
      char *diffbuf;
      char *getbuf;
@@ -72,8 +72,8 @@ diff -up patch-2.6.1/src/inp.c.selinux patch-2.6.1/src/inp.c
      else if (! S_ISREG (instat.st_mode))
        fatal ("File %s is not a regular file -- can't patch",
 diff -up patch-2.6.1/src/patch.c.selinux patch-2.6.1/src/patch.c
---- patch-2.6.1/src/patch.c.selinux	2010-08-16 17:36:31.775174023 +0100
-+++ patch-2.6.1/src/patch.c	2010-08-16 17:36:31.782174240 +0100
+--- patch-2.6.1/src/patch.c.selinux	2011-02-08 11:29:34.586271450 +0000
++++ patch-2.6.1/src/patch.c	2011-02-08 11:29:34.606271646 +0000
 @@ -421,6 +421,21 @@ main (int argc, char **argv)
  			      /* Fails if we are not in group instat.st_gid.  */
  			      chown (outname, -1, instat.st_gid);
@@ -97,9 +97,9 @@ diff -up patch-2.6.1/src/patch.c.selinux patch-2.6.1/src/patch.c
  			}
  		    }
 diff -up patch-2.6.1/src/pch.c.selinux patch-2.6.1/src/pch.c
---- patch-2.6.1/src/pch.c.selinux	2009-12-30 12:56:30.000000000 +0000
-+++ patch-2.6.1/src/pch.c	2010-08-16 17:36:31.786174283 +0100
-@@ -287,7 +287,12 @@ there_is_another_patch (bool need_header
+--- patch-2.6.1/src/pch.c.selinux	2011-02-08 11:29:34.591271499 +0000
++++ patch-2.6.1/src/pch.c	2011-02-08 11:30:08.810621570 +0000
+@@ -307,7 +307,12 @@ there_is_another_patch (bool need_header
  	    inname[t - buf - 1] = 0;
  	    if (stat (inname, &instat) == 0)
  	      {
@@ -113,7 +113,7 @@ diff -up patch-2.6.1/src/pch.c.selinux patch-2.6.1/src/pch.c
  		invc = -1;
  	      }
  	    else
-@@ -661,7 +666,7 @@ intuit_diff_type (bool need_header)
+@@ -681,7 +686,7 @@ intuit_diff_type (bool need_header)
  			  if (cs)
  			    {
  			      if (version_get (p_name[i], cs, false, readonly,
@@ -122,17 +122,17 @@ diff -up patch-2.6.1/src/pch.c.selinux patch-2.6.1/src/pch.c
  				stat_errno[i] = 0;
  			      else
  				version_controlled[i] = 0;
-@@ -725,6 +730,7 @@ intuit_diff_type (bool need_header)
- 	inerrno = stat_errno[i];
+@@ -746,6 +751,7 @@ intuit_diff_type (bool need_header)
  	invc = version_controlled[i];
  	instat = st[i];
+ 	validate_target_name (inname);
 +	getfilecon (inname, &incontext);
        }
  
      return retval;
 diff -up patch-2.6.1/src/util.c.selinux patch-2.6.1/src/util.c
 --- patch-2.6.1/src/util.c.selinux	2009-11-02 19:09:57.000000000 +0000
-+++ patch-2.6.1/src/util.c	2010-08-16 17:36:31.794173938 +0100
++++ patch-2.6.1/src/util.c	2011-02-08 11:29:34.613271715 +0000
 @@ -574,7 +574,8 @@ version_controller (char const *filename
     Return true if successful.  */
  bool
@@ -159,7 +159,7 @@ diff -up patch-2.6.1/src/util.c.selinux patch-2.6.1/src/util.c
    return 1;
 diff -up patch-2.6.1/src/util.h.selinux patch-2.6.1/src/util.h
 --- patch-2.6.1/src/util.h.selinux	2009-11-02 19:09:57.000000000 +0000
-+++ patch-2.6.1/src/util.h	2010-08-16 17:36:31.795173993 +0100
++++ patch-2.6.1/src/util.h	2011-02-08 11:29:34.614271726 +0000
 @@ -51,7 +51,7 @@ char *fetchname (char *, int, char **, t
  char *savebuf (char const *, size_t);
  char *savestr (char const *);
diff --git a/patch.spec b/patch.spec
index e64cf94..8b90678 100644
--- a/patch.spec
+++ b/patch.spec
@@ -1,13 +1,14 @@
 Summary: Utility for modifying/upgrading files
 Name: patch
 Version: 2.6.1
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: GPLv2+
 URL: http://www.gnu.org/software/patch/patch.html
 Group: Development/Tools
 Source: ftp://ftp.gnu.org/gnu/patch/patch-%{version}.tar.xz
 Patch1: patch-2.5.4-sigsegv.patch
 Patch2: patch-get-arg.patch
+Patch3: patch-CVE-2010-4651.patch
 Patch100: patch-selinux.patch
 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
@@ -33,6 +34,11 @@ applications.
 # Fixed argument type for --get (bug #553624).
 %patch2 -p1 -b .get-arg
 
+# Applied upstream patch to fix CVE-2010-4651 so that malicious
+# patches cannot create files above the current directory
+# (bug #667529).
+%patch3 -p1 -b .CVE-2010-4651
+
 # SELinux support.
 %patch100 -p1 -b .selinux
 
@@ -61,6 +67,11 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/*/*
 
 %changelog
+* Tue Feb  8 2011 Tim Waugh <twaugh@redhat.com> 2.6.1-7
+- Applied upstream patch to fix CVE-2010-4651 so that malicious
+  patches cannot create files above the current directory
+  (bug #667529).
+
 * Tue Jan  4 2011 Tim Waugh <twaugh@redhat.com> 2.6.1-6
 - Use smp_mflags correctly (bug #665770).