diff --git a/ksh.changes b/ksh.changes
index 03a21a3..994f5c9 100644
--- a/ksh.changes
+++ b/ksh.changes
@@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Thu Aug 1 14:04:27 CEST 2024 - mls@suse.de + +- fix segfault in variable substitution [bsc#1129288] + new patch: ksh93-putval.dif +- fix untrusted environment execution [bsc#1160796] [CVE-2019-14868] + new patch: ksh93-untrustedenv.dif + ------------------------------------------------------------------- Mon May 13 16:38:57 CEST 2024 - mls@suse.de
diff --git a/ksh.spec b/ksh.spec
index c574a12..c3465b7 100644
--- a/ksh.spec
+++ b/ksh.spec
@@ -153,6 +153,8 @@ Patch54: ksh93-edpredict.dif Patch55: ksh93-spawnlock.dif Patch56: ksh93-filedefined.dif Patch57: ksh93-no-sysctl.dif +Patch58: ksh93-putval.dif +Patch59: ksh93-untrustedenv.dif Patch62: ksh-locale.patch Patch63: cpp.patch
@@ -265,6 +267,8 @@ fi %patch -P 55 %patch -P 56 %patch -P 57 +%patch -P 58 +%patch -P 59 %patch -P 63 -p 1
diff --git a/ksh93-putval.dif b/ksh93-putval.dif
new file mode 100644
index 0000000..5cd63e5
--- /dev/null
+++ b/ksh93-putval.dif
@@ -0,0 +1,15 @@
+--- ./src/cmd/ksh93/sh/name.c.orig 2019-04-04 14:28:17.044667686 +0000
++++ ./src/cmd/ksh93/sh/name.c 2019-04-04 14:28:32.472629455 +0000
+@@ -1986,8 +1986,11 @@ void nv_putval(register Namval_t *np, co
+ up->cp = cp;
+ if(sp)
+ {
++ size_t splen = strlen(sp);
+ int c = cp[dot+append];
+- memmove(cp+append,sp,dot);
++ memmove(cp+append,sp,dot>splen?splen:dot);
++ if (dot>splen)
++ memset(cp+append+splen,0,dot-splen);
+ cp[dot+append] = c;
+ if(nv_isattr(np, NV_RJUST) && nv_isattr(np, NV_ZFILL))
+ rightjust(cp,size,'0');
diff --git a/ksh93-untrustedenv.dif b/ksh93-untrustedenv.dif
new file mode 100644
index 0000000..358849b
--- /dev/null
+++ b/ksh93-untrustedenv.dif
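Review bot: In the ksh93-putval.dif hunk for nv_putval, the two new `dot>splen` tests compare `dot` against a `size_t`; dot's declaration is outside the hunk, and if it is a signed int the comparison is performed unsigned, so it is worth confirming that dot can never be negative on this path, because the `memset` length `dot-splen` would then be enormous (the old `memmove(cp+append,sp,dot)` had the same implicit conversion). The added lines also carry no comment saying why the source string can be shorter than the field, which is the whole reason for the fix; a line such as `/* sp may be shorter than dot: copy only strlen(sp) bytes and zero-fill the rest instead of reading past the end of sp */` above the memmove would keep a later cleanup from collapsing it back to a single copy. nv_putval's body starts and ends outside the hunk.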
@@ -0,0 +1,51 @@
+--- src/cmd/ksh93/sh/arith.c.orig
++++ src/cmd/ksh93/sh/arith.c
+@@ -513,21 +513,34 @@ Sfdouble_t sh_strnum(register const char *str, char** ptr, int mode)
+ char base=(shp->inarith?0:10), *last;
+ if(*str==0)
+ {
+- if(ptr)
+- *ptr = (char*)str;
+- return(0);
+- }
+- errno = 0;
+- d = strtonll(str,&last,&base,-1);
+- if(*last || errno)
+- {
+- if(!last || *last!='.' || last[1]!='.')
+- d = strval(shp,str,&last,arith,mode);
+- if(!ptr && *last && mode>0)
+- errormsg(SH_DICT,ERROR_exit(1),e_lexbadchar,*last,str);
++ d = 0.0;
++ last = (char*)str;
++ } else {
++ errno = 0;
++ d = strtonll(str,&last,&base,-1);
++ if (*last && !shp->inarith && sh_isstate(SH_INIT)) {
++ // This call is to handle "base#value" literals if we're importing untrusted env vars.
++ errno = 0;
++ d = strtonll(str, &last, NULL, -1);
++ }
++
++ if(*last || errno)
++ {
++ if (sh_isstate(SH_INIT)) {
++ // Initializing means importing untrusted env vars. Since the string does not appear
++ // to be a recognized numeric literal give up. We can't safely call strval() since
++ // that allows arbitrary expressions which would create a security vulnerability.
++ d = 0.0;
++ } else {
++ if(!last || *last!='.' || last[1]!='.')
++ d = strval(shp,str,&last,arith,mode);
++ if(!ptr && *last && mode>0)
++ errormsg(SH_DICT,ERROR_exit(1),e_lexbadchar,*last,str);
++ }
++ } else if (!d && *str=='-') {
++ d = -0.0;
++ }
+ }
+- else if (!d && *str=='-')
+- d = -0.0;
+ if(ptr)
+ *ptr = last;
+ return(d);
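Review bot: The new rejection branch in sh_strnum (`if (sh_isstate(SH_INIT)) { ... d = 0.0; }`) makes the whole fix depend on SH_INIT being set on every path that converts an imported environment value, and nothing in this hunk can show that; it should be confirmed against the import code elsewhere in the tree, since a value converted after the flag is cleared would still reach `strval()` and be evaluated as an expression. The branch also returns 0 while leaving `last` at the first unparsed character, so a caller that passes `ptr` sees a partial parse rather than an error; if that is intended, the comment should say so, e.g. `// d is forced to 0; last still marks the first rejected character so callers can detect the bad value`. The added comments use `//`; if the rest of arith.c uses `/* */` (not visible here), they should match. No regression test for the CVE-2019-14868 case is part of this package diff, so the behaviour is pinned only by the patch itself.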