diff --git a/CVE-2008-0386.diff b/CVE-2008-0386.diff
new file mode 100644
index 0000000..8b231e8
--- /dev/null
+++ b/CVE-2008-0386.diff
@@ -0,0 +1,63 @@
+--- scripts/xdg-open
++++ scripts/xdg-open
+@@ -1,4 +1,4 @@
+-#!/bin/sh
++#!/bin/bash
+ #---------------------------------------------
+ # xdg-open
+ #
+@@ -382,7 +382,8 @@ open_generic()
+ for browser in $BROWSER; do
+ if [ x"$browser" != x"" ]; then
+ 
+- browser_with_arg=`echo "$browser" | sed s#%s#"$1"#`
++ IFS=' '
++ browser_with_arg=${browser//'%s'/"$1"}
+ 
+ if [ x"$browser_with_arg" = x"$browser" ]; then "$browser" "$1";
+ else $browser_with_arg;
+--- scripts/xdg-email
++++ scripts/xdg-email
+@@ -1,4 +1,4 @@
+-#!/bin/sh
++#!/bin/bash
+ #---------------------------------------------
+ # xdg-email
+ #
+@@ -435,7 +435,8 @@ open_generic()
+ for browser in $BROWSER; do
+ if [ x"$browser" != x"" ]; then
+ 
+- browser_with_arg=`echo "$browser" | sed s#%s#"$1"#`
++ IFS=' '
++ browser_with_arg=${browser//'%s'/"$1"}
+ 
+ if [ x"$browser_with_arg" = x"$browser" ]; then "$browser" "$1";
+ else $browser_with_arg;
+@@ -495,7 +496,7 @@ while [ $# -gt 0 ] ; do
+ exit_failure_syntax "email address argument missing for --to"
+ fi
+ url_encode "$1"
+- options="${options}to=${result}&"
++ options="${options}to=${result}&"
+ shift
+ ;;
+ 
+@@ -531,7 +532,7 @@ while [ $# -gt 0 ] ; do
+ exit_failure_syntax "text argument missing for --body option"
+ fi
+ url_encode "$1"
+- options="${options}body=${result}&"
++ options="${options}body=${result}&"
+ shift
+ ;;
+ 
+@@ -575,7 +576,7 @@ done
+ 
+ if [ -z "${mailto}" ] ; then
+ # TO address is optional
+- mailto="mailto:?"
++ mailto="mailto:?"
+ fi
+ 
+ case $mailto in
diff --git a/xdg-utils.changes b/xdg-utils.changes
index bbd9dad..f388de1 100644
--- a/xdg-utils.changes
+++ b/xdg-utils.changes
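Review bot: The new `IFS=' '` assignment is a global side effect the hunk never undoes, and the unchanged `else $browser_with_arg;` two lines below still expands the URL unquoted, so a `$1` containing spaces or glob characters is word-split and pathname-expanded before exec; the identical two lines recur in the xdg-email hunk at 435. Replacing the sed pipeline with `${browser//'%s'/"$1"}` does close the sed-expression injection, and since the scripts are now bash anyway, the BROWSER entry can be split into an array once and executed with every word quoted, which makes the IFS change unnecessary (if open_generic saves IFS before the loop, which lies outside the hunk, restore that rather than hard-coding a space). Keep `"$1"` quoted inside the replacement as the hunk already does, so the URL is inserted literally. The hunks at 495, 531 and 575 show old and new lines that read identically here; if the difference is trailing whitespace or a non-printing byte, a one-line header comment in the patch such as `# whitespace-only change in mailto option assembly (no functional change)` would spare the next reader a byte-level diff. open_generic begins and ends outside the hunk.
```shell
        if [ x"$browser" != x"" ]; then
            # split the BROWSER entry on spaces once, substitute %s in each
            # word, and exec the words quoted so the URL is neither split
            # nor glob-expanded again; no change to the global IFS needed
            IFS=' ' read -r -a browser_words <<<"$browser"
            case "$browser" in
                *%s*) "${browser_words[@]//%s/"$1"}" ;;
                *)    "$browser" "$1" ;;
            esac
            # … unchanged: remainder of the loop body …
```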
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Thu Feb 7 13:13:48 CET 2008 - dmueller@suse.de
+
+- fix command injection (#bnc355061, CVE-2008-0386)
+
 -------------------------------------------------------------------
 Mon Oct 22 14:25:40 CEST 2007 - stbinner@suse.de
 
diff --git a/xdg-utils.spec b/xdg-utils.spec
index f1cccc8..41ea202 100644
--- a/xdg-utils.spec
+++ b/xdg-utils.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package xdg-utils (Version 1.0.2)
 #
-# Copyright (c) 2007 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
 # This file and all modifications and additions to the pristine
 # package are under the same license as the package itself.
 #
@@ -11,18 +11,19 @@
 # norootforbuild
 
 Name: xdg-utils
-BuildRequires: make xmlto
+BuildRequires: make
 License: X11/MIT
 Group: System/GUI/Other
 Summary: Utilities to uniformly interface desktop environments
 Version: 1.0.2
-Release: 1
+Release: 36
 BuildArch: noarch
 Url: http://portland.freedesktop.org/
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 Source0: %name-%{version}.tar.bz2
 Patch0: xdg-su.diff
 Patch1: xfce-su.diff
+Patch2: CVE-2008-0386.diff
 
 %description
 The xdg-utils package is a set of simple scripts that provide basic
@@ -45,6 +46,7 @@ these utilities work properly in their environment.
 %setup -q -n %name-%{version}
 %patch0
 %patch1
+%patch2
 
 %build
 %configure
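Review bot: The `BuildRequires` line drops `xmlto` alongside the security fix, but neither the .changes entry nor the spec %changelog mentions it, and the following hunk still packages `%{_mandir}/man1/*.1.gz`. If the 1.0.2 tarball ships the man pages prebuilt the drop is harmless, but that is an inference from the diff, not something it shows; either keep `xmlto` or record the reason, e.g. `- drop xmlto BuildRequires, man pages are shipped prebuilt`, next to the CVE line in both changelogs. The `%patch2` application matches the existing `%patch0`/`%patch1` style and needs no change.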
@@ -80,29 +82,32 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man1/xdg-open.1.gz
 %{_mandir}/man1/xdg-su.1.gz
 %{_mandir}/man1/xdg-screensaver.1.gz
+
 %changelog
-* Mon Oct 22 2007 - stbinner@suse.de
+* Thu Feb 07 2008 dmueller@suse.de
+- fix command injection (#bnc355061, CVE-2008-0386)
+* Mon Oct 22 2007 stbinner@suse.de
 - update to 1.0.2:
 * SVG icons are not supported but doc still mentioned SVG
 * xdg-email can now be used without any e-mail address
 * do not use mktemp without arguments, it breaks on systems with certain older versions of mktemp
-* Thu Sep 20 2007 - dmueller@suse.de
+* Thu Sep 20 2007 dmueller@suse.de
 - fix xdg-su outside KDE/GNOME (#309164)
-* Thu Aug 30 2007 - dmueller@suse.de
+* Thu Aug 30 2007 dmueller@suse.de
 - fix xdg-su for XFCE (#304753)
-* Tue May 22 2007 - dmueller@suse.de
+* Tue May 22 2007 dmueller@suse.de
 - add xdg-su (#275937)
-* Mon Nov 06 2006 - dmueller@suse.de
+* Mon Nov 06 2006 dmueller@suse.de
 - update to 1.0.1:
 * Several shell syntax issues causing failures on Ubuntu 6.10
 * Spurious output on stdout when running xdg-desktop-menu
 * Non-ascii mailto URI handling of xdg-email on non-UTF8 locales under KDE
-* Fri Oct 27 2006 - dmueller@suse.de
+* Fri Oct 27 2006 dmueller@suse.de
 - don't build as root
-* Wed Sep 27 2006 - dmueller@suse.de
+* Wed Sep 27 2006 dmueller@suse.de
 - update to 1.0rc1:
 * for changes, see /usr/share/doc/packages/xdg-utils/ChangeLog
-* Thu Jun 22 2006 - dmueller@suse.de
+* Thu Jun 22 2006 dmueller@suse.de
 - Initial package (TP1)