diff --git a/tar-1.29-extract_pathname_bypass.patch b/tar-1.29-extract_pathname_bypass.patch
new file mode 100644
index 0000000..2e00dac
--- /dev/null
+++ b/tar-1.29-extract_pathname_bypass.patch
@@ -0,0 +1,29 @@
+Index: lib/paxnames.c
+===================================================================
+--- lib/paxnames.c.orig
++++ lib/paxnames.c
+@@ -18,6 +18,7 @@
+ #include
+ #include
+ #include
++#include
+
+
+ /* Hash tables of strings. */
+@@ -114,7 +115,15 @@ safer_name_suffix (char const *file_name
+ for (p = file_name + prefix_len; *p; )
+ {
+ if (p[0] == '.' && p[1] == '.' && (ISSLASH (p[2]) || !p[2]))
+- prefix_len = p + 2 - file_name;
++ {
++ static char const *const diagnostic[] =
++ {
++ N_("%s: Member name contains '..'"),
++ N_("%s: Hard link target contains '..'")
++ };
++ FATAL_ERROR ((0, 0, _(diagnostic[link_target]),
++ quotearg_colon (file_name)));
++ }
+
+ do
+ {
diff --git a/tar.changes b/tar.changes
index 4f042e4..3d20bd6 100644
--- a/tar.changes
+++ b/tar.changes
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Tue Nov 8 17:50:44 UTC 2016 - kstreitova@suse.com
+
+- add tar-1.29-extract_pathname_bypass.patch to fix POINTYFEATHER
+ vulnerability - GNU tar archiver can be tricked into extracting
+ files and directories in the given destination, regardless of the
+ path name(s) specified on the command line [bsc#1007188]
+ [CVE-2016-6321]
+
 -------------------------------------------------------------------
 Sat May 28 19:06:33 UTC 2016 - astieger@suse.com
diff --git a/tar.spec b/tar.spec
index 83af999..90f0b62 100644
--- a/tar.spec
+++ b/tar.spec
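Review bot: The new `FATAL_ERROR` branch in `safer_name_suffix` (in tar-1.29-extract_pathname_bypass.patch) ends the whole tar run at the first name containing `..`, where the removed line only moved `prefix_len` past it, and nothing in the hunk says why or which callers are affected. If this helper is also reached when creating or listing archives (the callers are outside the hunk, so confirm), those modes will now exit on names that were previously stripped, and the changelog entry should say so. I would add above the call `/* CVE-2016-6321: refuse names containing ".." instead of stripping up to them; stripping let a member land outside the paths named on the command line. */`. A regression test with a member name containing `..` and one with such a hard link target would pin both `diagnostic[]` entries. The function body begins and ends outside the hunk.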
@@ -47,6 +47,8 @@ Patch20: add_readme-tests.patch
 # add return values to the backup scripts for better results monitoring.
 # https://savannah.gnu.org/patch/?8953
 Patch21: add-return-values-to-backup-scripts.patch
+# PATCH-FIX-UPSTREAM bnc#1007188 CVE-2016-6321 kstreitova@suse.com -- fix POINTYFEATHER vulnerability
+Patch22: tar-1.29-extract_pathname_bypass.patch
 %if 0%{?suse_version} >= %min_suse_ver
 BuildRequires: automake
 BuildRequires: help2man
@@ -97,6 +99,7 @@ Upstream testsuite for the package
 #%patch12 -p1
 %patch20 -p1
 %patch21 -p1
+%patch22 -p0
 %build
 %define my_cflags -W -Wall -Wpointer-arith -Wstrict-prototypes -Wformat-security -Wno-unused-parameter -fPIE
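Review bot: The comment added above `Patch22` cites `bnc#1007188` while the tar.changes entry for the same fix cites `bsc#1007188`; using one prefix in both places keeps a search for the bug reference from missing either, e.g. `# PATCH-FIX-UPSTREAM bsc#1007188 CVE-2016-6321 kstreitova@suse.com -- fix POINTYFEATHER vulnerability`. In the second hunk `%patch22 -p0` differs from the `-p1` used by the neighbouring patches. That matches the unprefixed `lib/paxnames.c` paths in the patch file, and a short comment saying so would keep a later cleanup from normalising it to `-p1`, which would stop the security patch from applying.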