diff --git a/cups-CVE-2008-5183.patch b/cups-CVE-2008-5183.patch
new file mode 100644
index 0000000..2c670ac
--- /dev/null
+++ b/cups-CVE-2008-5183.patch
@@ -0,0 +1,170 @@
+diff -up cups-1.4b1/scheduler/ipp.c.CVE-2008-5183 cups-1.4b1/scheduler/ipp.c
+--- cups-1.4b1/scheduler/ipp.c.CVE-2008-5183 2008-12-09 12:16:15.000000000 +0000
++++ cups-1.4b1/scheduler/ipp.c 2008-12-09 12:17:43.000000000 +0000
+@@ -2392,24 +2392,25 @@ add_job_subscriptions(
+ if (mask == CUPSD_EVENT_NONE)
+ mask = CUPSD_EVENT_JOB_COMPLETED;
+
+- sub = cupsdAddSubscription(mask, cupsdFindDest(job->dest), job, recipient,
+- 0);
++ if ((sub = cupsdAddSubscription(mask, cupsdFindDest(job->dest), job,
++ recipient, 0)) != NULL)
++ {
++ sub->interval = interval;
+
+- sub->interval = interval;
++ cupsdSetString(&sub->owner, job->username);
+
+- cupsdSetString(&sub->owner, job->username);
++ if (user_data)
++ {
++ sub->user_data_len = user_data->values[0].unknown.length;
++ memcpy(sub->user_data, user_data->values[0].unknown.data,
++ sub->user_data_len);
++ }
+
+- if (user_data)
+- {
+- sub->user_data_len = user_data->values[0].unknown.length;
+- memcpy(sub->user_data, user_data->values[0].unknown.data,
+- sub->user_data_len);
++ ippAddSeparator(con->response);
++ ippAddInteger(con->response, IPP_TAG_SUBSCRIPTION, IPP_TAG_INTEGER,
++ "notify-subscription-id", sub->id);
+ }
+
+- ippAddSeparator(con->response);
+- ippAddInteger(con->response, IPP_TAG_SUBSCRIPTION, IPP_TAG_INTEGER,
+- "notify-subscription-id", sub->id);
+-
+ if (attr)
+ attr = attr->next;
+ }
+@@ -6668,7 +6669,12 @@ create_subscription(
+ else
+ job = NULL;
+
+- sub = cupsdAddSubscription(mask, printer, job, recipient, 0);
++ if ((sub = cupsdAddSubscription(mask, printer, job, recipient, 0)) == NULL)
++ {
++ send_ipp_status(con, IPP_TOO_MANY_SUBSCRIPTIONS,
++ _("There are too many subscriptions."));
++ return;
++ }
+
+ if (job)
+ cupsdLogMessage(CUPSD_LOG_DEBUG, "Added subscription %d for job %d",
+diff -up cups-1.4b1/scheduler/subscriptions.c.CVE-2008-5183 cups-1.4b1/scheduler/subscriptions.c
+--- cups-1.4b1/scheduler/subscriptions.c.CVE-2008-5183 2008-12-09 12:16:15.000000000 +0000
++++ cups-1.4b1/scheduler/subscriptions.c 2008-12-09 12:17:43.000000000 +0000
+@@ -341,8 +341,54 @@ cupsdAddSubscription(
+ * Limit the number of subscriptions...
+ */
+
+- if (cupsArrayCount(Subscriptions) >= MaxSubscriptions)
++ if (MaxSubscriptions > 0 && cupsArrayCount(Subscriptions) >= MaxSubscriptions)
++ {
++ cupsdLogMessage(CUPSD_LOG_DEBUG,
++ "cupsdAddSubscription: Reached MaxSubscriptions %d",
++ MaxSubscriptions);
+ return (NULL);
++ }
++
++ if (MaxSubscriptionsPerJob > 0 && job)
++ {
++ int count; /* Number of job subscriptions */
++
++ for (temp = (cupsd_subscription_t *)cupsArrayFirst(Subscriptions),
++ count = 0;
++ temp;
++ temp = (cupsd_subscription_t *)cupsArrayNext(Subscriptions))
++ if (temp->job == job)
++ count ++;
++
++ if (count >= MaxSubscriptionsPerJob)
++ {
++ cupsdLogMessage(CUPSD_LOG_DEBUG,
++ "cupsdAddSubscription: Reached MaxSubscriptionsPerJob %d "
++ "for job #%d", MaxSubscriptionsPerJob, job->id);
++ return (NULL);
++ }
++ }
++
++ if (MaxSubscriptionsPerPrinter > 0 && dest)
++ {
++ int count; /* Number of printer subscriptions */
++
++ for (temp = (cupsd_subscription_t *)cupsArrayFirst(Subscriptions),
++ count = 0;
++ temp;
++ temp = (cupsd_subscription_t *)cupsArrayNext(Subscriptions))
++ if (temp->dest == dest)
++ count ++;
++
++ if (count >= MaxSubscriptionsPerPrinter)
++ {
++ cupsdLogMessage(CUPSD_LOG_DEBUG,
++ "cupsdAddSubscription: Reached "
++ "MaxSubscriptionsPerPrinter %d for %s",
++ MaxSubscriptionsPerPrinter, dest->name);
++ return (NULL);
++ }
++ }
+
+ /*
+ * Allocate memory for this subscription...
+@@ -765,7 +811,6 @@ cupsdLoadAllSubscriptions(void)
+ cupsdLogMessage(CUPSD_LOG_ERROR,
+ "Syntax error on line %d of subscriptions.conf.",
+ linenum);
+- break;
+ }
+ else if (!strcasecmp(line, "Events"))
+ {
+diff -up cups-1.4b1/test/4.4-subscription-ops.test.CVE-2008-5183 cups-1.4b1/test/4.4-subscription-ops.test
+--- cups-1.4b1/test/4.4-subscription-ops.test.CVE-2008-5183 2007-07-09 21:34:48.000000000 +0100
++++ cups-1.4b1/test/4.4-subscription-ops.test 2008-12-09 12:17:43.000000000 +0000
+@@ -116,6 +116,32 @@
+ EXPECT notify-events
+ DISPLAY notify-events
+ }
++{
++ # The name of the test...
++ NAME "Check MaxSubscriptions limits"
++
++ # The operation to use
++ OPERATION Create-Printer-Subscription
++ RESOURCE /
++
++ # The attributes to send
++ GROUP operation
++ ATTR charset attributes-charset utf-8
++ ATTR language attributes-natural-language en
++ ATTR uri printer-uri $method://$hostname:$port/printers/Test1
++
++ GROUP subscription
++ ATTR uri notify-recipient-uri testnotify://
++ ATTR keyword notify-events printer-state-changed
++ ATTR integer notify-lease-duration 5
++
++ # What statuses are OK?
++ STATUS client-error-too-many-subscriptions
++
++ # What attributes do we expect?
++ EXPECT attributes-charset
++ EXPECT attributes-natural-language
++}
+
+ #
+ # End of "$Id: 4.4-subscription-ops.test 6635 2007-07-09 20:34:48Z mike $"
+diff -up cups-1.4b1/test/run-stp-tests.sh.CVE-2008-5183 cups-1.4b1/test/run-stp-tests.sh
+--- cups-1.4b1/test/run-stp-tests.sh.CVE-2008-5183 2008-10-02 00:56:42.000000000 +0100
++++ cups-1.4b1/test/run-stp-tests.sh 2008-12-09 12:17:43.000000000 +0000
+@@ -326,6 +326,7 @@ PassEnv LOCALEDIR
+ DocumentRoot $root/doc
+ RequestRoot /tmp/cups-$user/spool
+ TempDir /tmp/cups-$user/spool/temp
++MaxSubscriptions 3
+ MaxLogSize 0
+ AccessLog /tmp/cups-$user/log/access_log
+ ErrorLog /tmp/cups-$user/log/error_log
diff --git a/cups.spec b/cups.spec
index 1b2bedc..d49eea4 100644
--- a/cups.spec
+++ b/cups.spec
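Review bot: A subscription refused by `cupsdAddSubscription` is dropped silently in the `add_job_subscriptions` hunk of scheduler/ipp.c: the new `!= NULL` guard skips the setup, so the job request goes on with no `notify-subscription-id` in the response and no status, whereas `create_subscription` answers with `IPP_TOO_MANY_SUBSCRIPTIONS`. I would add an else branch that at least records it, e.g. `else cupsdLogMessage(CUPSD_LOG_WARN, "Unable to add subscription for job %d - too many subscriptions?", job->id);`. The three limit messages added to `cupsdAddSubscription` in scheduler/subscriptions.c are logged at `CUPSD_LOG_DEBUG`, so at a less verbose log level an operator would not see that a cap is being hit repeatedly; a higher level would make subscription flooding visible. The `> 0` tests also make a value of 0 mean "no limit", and the defaults of the three settings are not visible in this patch, so it is worth confirming that the shipped configuration sets a non-zero cap. All of these functions begin and end outside the hunks shown.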
@@ -28,6 +28,7 @@ Patch1: cups-no-gzip-man.patch
 Patch2: cups-1.1.16-system-auth.patch
 Patch3: cups-multilib.patch
 Patch4: cups-str2831.patch
+Patch5: cups-CVE-2008-5183.patch
 Patch6: cups-banners.patch
 Patch7: cups-serverbin-compat.patch
 Patch8: cups-no-export-ssllibs.patch
@@ -168,6 +169,7 @@ module.
 %patch2 -p1 -b .system-auth
 %patch3 -p1 -b .multilib
 %patch4 -p1 -b .str2831
+%patch5 -p1 -b .CVE-2008-5183
 %patch6 -p1 -b .banners
 %patch7 -p1 -b .serverbin-compat
 %patch8 -p1 -b .no-export-ssllibs
@@ -449,6 +451,8 @@ rm -rf $RPM_BUILD_ROOT
 %changelog
 * Tue Dec 9 2008 Tim Waugh 1:1.4-0.b1.5
+- Applied patch to fix RSS subscription limiting (bug #473901,
+ CVE-2008-5183).
 - Attempt to unbreak the fix for STR #2831 (bug #474742).
 * Sun Nov 30 2008 Tim Waugh 1:1.4-0.b1.4