diff --git a/gnome-shell-CVE-2010-4000.patch b/gnome-shell-CVE-2010-4000.patch
new file mode 100644
index 0000000..d0ac268
--- /dev/null
+++ b/gnome-shell-CVE-2010-4000.patch
@@ -0,0 +1,35 @@
+commit 7beb7e0f65c6f66daebd307c492381249ddd41be
+Author: Vincent Untz <vuntz@gnome.org>
+Date:   Wed Jan 5 10:32:44 2011 +0100
+
+    gnome-shell.in: Really never add empty elements to LD_LIBRARY_PATH
+    
+    This complements the fix from c6eb2761, to make sure that we don't use
+    the pre-existing $LD_LIBRARY_PATH if it's set but empty.
+    
+    Both commits fix CVE-2010-4000.
+    
+    https://bugzilla.gnome.org/show_bug.cgi?id=638728
+
+diff --git a/src/gnome-shell.in b/src/gnome-shell.in
+index 2abd7d5..e422adb 100755
+--- a/src/gnome-shell.in
++++ b/src/gnome-shell.in
+@@ -152,7 +152,7 @@ def start_dconf_await_service():
+     # dconf is linked without libtool, so unlike other GNOME modules,
+     # won't have an embedded rpath for its library directory.
+     env = dict(os.environ)
+-    if 'LD_LIBRARY_PATH' in env:
++    if 'LD_LIBRARY_PATH' in env and env['LD_LIBRARY_PATH']:
+         ld_library_path = '@libdir@:' + env['LD_LIBRARY_PATH']
+     else:
+         ld_library_path = '@libdir@'
+@@ -246,7 +246,7 @@ def start_shell(perf_output=None):
+     if pkgconfig.returncode == 0:
+         mozjs_libdir = re.sub('-(sdk|devel)', '', mozjs_sdkdir)
+         if os.path.exists(mozjs_libdir + '/libmozjs.so'):
+-            if 'LD_LIBRARY_PATH' in env:
++            if 'LD_LIBRARY_PATH' in env and env['LD_LIBRARY_PATH']:
+                 ld_library_path = env['LD_LIBRARY_PATH'] + ':' + mozjs_libdir
+             else:
+                 ld_library_path = mozjs_libdir
diff --git a/gnome-shell.changes b/gnome-shell.changes
index 5636f43..2324883 100644
--- a/gnome-shell.changes
+++ b/gnome-shell.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Wed Jan  5 11:01:48 CET 2011 - vuntz@opensuse.org
+
+- Add gnome-shell-CVE-2010-4000.patch to really safely set
+  LD_LIBRARY_PATH. Fix bnc#642827 and CVE-2010-4000.
+
 -------------------------------------------------------------------
 Wed Dec 15 13:16:11 CET 2010 - vuntz@opensuse.org
 
diff --git a/gnome-shell.spec b/gnome-shell.spec
index 62d6ed9..4610fdf 100644
--- a/gnome-shell.spec
+++ b/gnome-shell.spec
@@ -32,6 +32,8 @@ Source2:        gnome3.desktop
 Patch0:         gnome-shell-fix-include.patch
 # PATCH-FIX-UPSTREAM gnome-shell-gtk3-2.91.6.patch vuntz@opensuse.org -- Fix build with recent gtk3, taken from git
 Patch1:         gnome-shell-gtk3-2.91.6.patch
+# PATCH-FIX-UPSTREAM gnome-shell-CVE-2010-4000.patch bnc#642827 bgo#638728 CVE-2010-4000 vuntz@opensuse.org -- Really safely set LD_LIBRARY_PATH
+Patch2:         gnome-shell-CVE-2010-4000.patch
 BuildRequires:  intltool
 BuildRequires:  update-desktop-files
 BuildRequires:  pkgconfig(clutter-1.0)
@@ -69,6 +71,7 @@ documents, and organizing open windows in GNOME.
 %setup -q
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
 
 %build
 %configure \