diff --git a/cgit-CVE-2013-2117-disallow-directory-traversal.patch b/cgit-CVE-2013-2117-disallow-directory-traversal.patch
new file mode 100644
index 0000000..d26bc6e
--- /dev/null
+++ b/cgit-CVE-2013-2117-disallow-directory-traversal.patch
@@ -0,0 +1,58 @@
+From babf94e04e74123eb658a823213c062663cdadd6 Mon Sep 17 00:00:00 2001
+From: Jason A. Donenfeld <Jason@zx2c4.com>
+Date: Sat, 25 May 2013 17:47:15 +0000
+Subject: ui-summary: Disallow directory traversal
+
+Using the url= query string, it was possible request arbitrary files
+from the filesystem if the readme for a given page was set to a
+filesystem file. The following request would return my /etc/passwd file:
+
+http://git.zx2c4.com/?url=/somerepo/about/../../../../etc/passwd
+http://data.zx2c4.com/cgit-directory-traversal.png
+
+This fix uses realpath(3) to canonicalize all paths, and then compares
+the base components.
+
+This fix introduces a subtle timing attack, whereby a client can check
+whether or not strstr is called using timing measurements in order
+to determine if a given file exists on the filesystem.
+
+This fix also does not account for filesystem race conditions (TOCTOU)
+in resolving symlinks.
+
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+---
+---
+ ui-summary.c |   13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/ui-summary.c
++++ b/ui-summary.c
+@@ -96,6 +96,7 @@ void cgit_print_repo_readme(char *path)
+ 	 * to the directory containing the configured readme.
+ 	 */
+ 	if (path) {
++		char *resolved_base, *resolved_full;
+ 		slash = strrchr(ctx.repo->readme, '/');
+ 		if (!slash) {
+ 			if (!colon)
+@@ -104,7 +105,19 @@ void cgit_print_repo_readme(char *path)
+ 		}
+ 		tmp = xmalloc(slash - ctx.repo->readme + 1 + strlen(path) + 1);
+ 		strncpy(tmp, ctx.repo->readme, slash - ctx.repo->readme + 1);
++		if (!ref)
++			resolved_base = realpath(tmp, NULL);
+ 		strcpy(tmp + (slash - ctx.repo->readme + 1), path);
++		if (!ref) {
++			resolved_full = realpath(tmp, NULL);
++			if (!resolved_base || !resolved_full ||
++			    strstr(resolved_full, resolved_base) != resolved_full) {
++				free(tmp);
++				return;
++			}
++			free(resolved_base);
++			free(resolved_full);
++		}
+ 	} else
+ 		tmp = ctx.repo->readme;
+ 
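Review bot: The first `realpath(tmp, NULL)` (the added line guarded by `if (!ref)` before the `strcpy`) runs on a buffer that is not yet NUL-terminated: `strncpy` copies exactly `slash - ctx.repo->readme + 1` bytes and nothing terminates them until the later `strcpy`, so unless `xmalloc` zero-fills (not shown in this hunk) realpath reads past the copied bytes; a `tmp[slash - ctx.repo->readme + 1] = '\0';` directly after the strncpy fixes that. The `strstr(resolved_full, resolved_base) != resolved_full` containment test is a plain string-prefix check, so a sibling directory whose name merely starts with the base (e.g. base `/srv/readme` versus a file under `/srv/readme-other/`) passes it; comparing with `strncmp` and then requiring `'/'` or `'\0'` at `resolved_full[base_len]` turns it into a path-component check. On the early-return path only `tmp` is freed, so `resolved_base` and `resolved_full` leak whenever either is non-NULL; since `free(NULL)` is a no-op both can be freed unconditionally there. The enclosing `cgit_print_repo_readme` begins and ends outside these hunks.
```c
		tmp = xmalloc(slash - ctx.repo->readme + 1 + strlen(path) + 1);
		strncpy(tmp, ctx.repo->readme, slash - ctx.repo->readme + 1);
		tmp[slash - ctx.repo->readme + 1] = '\0'; /* strncpy does not terminate */
		if (!ref)
			resolved_base = realpath(tmp, NULL);
		strcpy(tmp + (slash - ctx.repo->readme + 1), path);
		if (!ref) {
			size_t base_len;
			resolved_full = realpath(tmp, NULL);
			base_len = resolved_base ? strlen(resolved_base) : 0;
			/* base must be a whole leading path component of full, not just a string prefix */
			if (!resolved_base || !resolved_full ||
			    strncmp(resolved_full, resolved_base, base_len) != 0 ||
			    (base_len > 1 &&
			     resolved_full[base_len] != '/' &&
			     resolved_full[base_len] != '\0')) {
				free(resolved_base);
				free(resolved_full);
				free(tmp);
				return;
			}
			free(resolved_base);
			free(resolved_full);
		}
```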
diff --git a/cgit.changes b/cgit.changes
index 8169d60..0381161 100644
--- a/cgit.changes
+++ b/cgit.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Fri Jul  5 17:05:04 CEST 2013 - tiwai@suse.de
+
+- Fix VUL-0: cgit: remote file disclosure flaw (CVE-2013-2117,
+  bnc#822166)
+
 -------------------------------------------------------------------
 Tue Nov 20 13:51:05 UTC 2012 - vjt@openssl.it
 
diff --git a/cgit.spec b/cgit.spec
index e870d13..c4494e2 100644
--- a/cgit.spec
+++ b/cgit.spec
@@ -34,6 +34,7 @@ Patch:          cgit-optflags.diff
 Patch1:         cgit-git-1.7.6_build_fix.patch
 Patch3:         cgit-fix-print-tree.diff
 Patch4:         cgit-fix-more-read_tree_recursive-invocations.diff
+Patch5:         cgit-CVE-2013-2117-disallow-directory-traversal.patch
 # Requirements for cgit
 BuildRequires:  gnu-crypto libopenssl-devel libzip-devel
 # Requirements for cgitrc man page generation
@@ -55,6 +56,7 @@ Authors:
 %patch1 -p1
 %patch3
 %patch4
+%patch5 -p1
 rm -rf git
 mv git-%{git_version} git