diff --git a/PyPAM-0.5.0-memory-errors.patch b/PyPAM-0.5.0-memory-errors.patch
new file mode 100644
index 0000000..038136f
--- /dev/null
+++ b/PyPAM-0.5.0-memory-errors.patch
@@ -0,0 +1,120 @@
+diff -up PyPAM-0.5.0/PAMmodule.c.memory PyPAM-0.5.0/PAMmodule.c
+--- PyPAM-0.5.0/PAMmodule.c.memory	2012-05-04 21:41:43.659610835 +0200
++++ PyPAM-0.5.0/PAMmodule.c	2012-05-04 21:45:24.313540595 +0200
+@@ -44,26 +44,41 @@ static void PyPAM_Err(PyPAMObject *self,
+ static int PyPAM_conv(int num_msg, const struct pam_message **msg,
+     struct pam_response **resp, void *appdata_ptr)
+ {
+-    PyObject                *args;
+-
++    PyObject *args, *msgList, *respList, *item;
++    struct pam_response *response, *spr;
+     PyPAMObject* self = (PyPAMObject *) appdata_ptr;
++
+     if (self->callback == NULL)
+         return PAM_CONV_ERR;
+ 
+     Py_INCREF(self);
+ 
+-    PyObject* msgList = PyList_New(num_msg);
+-    
++    msgList = PyList_New(num_msg);
++    if (msgList == NULL) {
++        Py_DECREF(self);
++        return PAM_CONV_ERR;
++    }
++
+     for (int i = 0; i < num_msg; i++) {
+-        PyList_SetItem(msgList, i,
+-            Py_BuildValue("(si)", msg[i]->msg, msg[i]->msg_style));
++        item = Py_BuildValue("(si)", msg[i]->msg, msg[i]->msg_style);
++        if (item == NULL) {
++            Py_DECREF(msgList);
++            Py_DECREF(self);
++            return PAM_CONV_ERR;
++        }
++        PyList_SetItem(msgList, i, item);
+     }
+-    
++
+     args = Py_BuildValue("(OO)", self, msgList);
+-    PyObject* respList = PyEval_CallObject(self->callback, args);
++    if (args == NULL) {
++        Py_DECREF(self);
++	Py_DECREF(msgList);
++        return PAM_CONV_ERR;
++    }
++    respList = PyEval_CallObject(self->callback, args);
+     Py_DECREF(args);
+     Py_DECREF(self);
+-    
++
+     if (respList == NULL)
+         return PAM_CONV_ERR;
+ 
+@@ -71,11 +86,15 @@ static int PyPAM_conv(int num_msg, const
+         Py_DECREF(respList);
+         return PAM_CONV_ERR;
+     }
+-    
+-    *resp = (struct pam_response *) malloc(
++
++    response = (struct pam_response *) malloc(
+         PyList_Size(respList) * sizeof(struct pam_response));
++    if (response == NULL) {
++        Py_DECREF(respList);
++        return PAM_CONV_ERR;
++    }
++    spr = response;
+ 
+-    struct pam_response* spr = *resp;
+     for (int i = 0; i < PyList_Size(respList); i++, spr++) {
+         PyObject* respTuple = PyList_GetItem(respList, i);
+         char* resp_text;
+@@ -85,7 +104,7 @@ static int PyPAM_conv(int num_msg, const
+                 free((--spr)->resp);
+                 --i;
+             }
+-            free(*resp);
++            free(response);
+             Py_DECREF(respList);
+             return PAM_CONV_ERR;
+         }
+@@ -95,7 +114,8 @@ static int PyPAM_conv(int num_msg, const
+     }
+ 
+     Py_DECREF(respList);
+-    
++    *resp = response;
++
+     return PAM_SUCCESS;
+ }
+ 
+@@ -122,7 +142,11 @@ static PyObject * PyPAM_pam(PyObject *se
+     PyPAMObject_Type.ob_type = &PyType_Type;
+     p = (PyPAMObject *) PyObject_NEW(PyPAMObject, &PyPAMObject_Type);
+ 
++    if (p == NULL)
++        return NULL;
++
+     if ((spc = (struct pam_conv *) malloc(sizeof(struct pam_conv))) == NULL) {
++        Py_DECREF((PyObject *)p);
+         PyErr_SetString(PyExc_MemoryError, "out of memory");
+         return NULL;
+     }
+@@ -455,9 +479,15 @@ static PyObject * PyPAM_getenvlist(PyObj
+     }
+     
+     retval = PyList_New(0);
++    if (retval == NULL)
++	return NULL;
+     
+     while ((cp = *(result++)) != NULL) {
+         entry = Py_BuildValue("s", cp);
++        if (entry == NULL) {
++            Py_DECREF(retval);
++            return NULL;
++        }
+         PyList_Append(retval, entry);
+         Py_DECREF(entry);
+     }
diff --git a/PyPAM.spec b/PyPAM.spec
index 92929ba..1bac80d 100644
--- a/PyPAM.spec
+++ b/PyPAM.spec
@@ -6,12 +6,14 @@
 Summary:        PAM bindings for Python
 Name:           PyPAM
 Version:        0.5.0
-Release:        12%{?dist}
+Release:        13%{?dist}
+# Note that the upstream site is dead.
 Source0:        http://www.pangalactic.org/PyPAM/%{name}-%{version}.tar.gz
 Url:            http://www.pangalactic.org/PyPAM
 Patch0:         PyPAM-dlopen.patch
 Patch1:         PyPAM-0.5.0-dealloc.patch
 Patch2:         PyPAM-0.5.0-nofree.patch
+Patch3:         PyPAM-0.5.0-memory-errors.patch
 License:        LGPLv2
 Group:          Development/Libraries
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -28,6 +30,7 @@ PAM (Pluggable Authentication Module) bindings for Python.
 %patch0 -p1 -b .dlopen
 %patch1 -p1 -b .dealloc
 %patch2 -p1 -b .nofree
+%patch3 -p1 -b .memory
 # remove prebuild rpm and others binaries
 rm -rf build dist
 
@@ -52,6 +55,9 @@ rm -rf $RPM_BUILD_ROOT
 %doc examples 
 
 %changelog
+* Fri May  4 2012 Tomáš Mráz <tmraz@redhat.com> - 0.5.0-13
+- fix memory manipulation errors (leaks, doublefree CVE-2012-1502)
+
 * Thu Jan 12 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.5.0-12
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild