diff --git a/ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch b/ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch
new file mode 100644
index 0000000..c8d0154
--- /dev/null
+++ b/ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch
@@ -0,0 +1,40 @@
+Stephan Mueller reported to me recently a error in random number generation in
+the ansi cprng. If several small requests are made that are less than the
+instances block size, the remainder for loop code doesn't increment
+rand_data_valid in the last iteration, meaning that the last bytes in the
+rand_data buffer gets reused on the subsequent smaller-than-a-block request for
+random data.
+
+The fix is pretty easy, just re-code the for loop to make sure that
+rand_data_valid gets incremented appropriately
+
+Signed-off-by: Neil Horman
+Reported-by: Stephan Mueller
+CC: Stephan Mueller
+CC: Petr Matousek
+CC: Herbert Xu
+CC: "David S. Miller"
+---
+ crypto/ansi_cprng.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/crypto/ansi_cprng.c b/crypto/ansi_cprng.c
+index c0bb377..666f196 100644
+--- a/crypto/ansi_cprng.c
++++ b/crypto/ansi_cprng.c
+@@ -230,11 +230,11 @@ remainder:
+ */
+ if (byte_count < DEFAULT_BLK_SZ) {
+ empty_rbuf:
+- for (; ctx->rand_data_valid < DEFAULT_BLK_SZ;
+- ctx->rand_data_valid++) {
++ while (ctx->rand_data_valid < DEFAULT_BLK_SZ) {
+ *ptr = ctx->rand_data[ctx->rand_data_valid];
+ ptr++;
+ byte_count--;
++ ctx->rand_data_valid++;
+ if (byte_count == 0)
+ goto done;
+ }
+--
+1.8.3.1
diff --git a/kernel.spec b/kernel.spec
index ee6e15d..3ef40b1 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -785,6 +785,9 @@ Patch25101: tuntap-correctly-handle-error-in-tun_set_iff.patch #CVE-2013-4350 rhbz 1007872 1007903 Patch25102: net-sctp-fix-ipv6-ipsec-encryption-bug-in-sctp_v6_xmit.patch +#CVE-2013-4345 rhbz 1007690 1009136 +Patch25104: ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch + # END OF PATCH DEFINITIONS %endif 
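Review bot: In the `empty_rbuf` loop of crypto/ansi_cprng.c (carried by the new ansi_cprng patch file), nothing in the code records why `ctx->rand_data_valid++` has to sit above the `if (byte_count == 0) goto done;` exit, and that ordering is the entire fix. With the increment in the for-header, the early `goto` skipped it, so the last byte handed out was served again on the next request shorter than a block; a later tidy-up back into a `for` would silently reintroduce that repeated RNG output. I would add a comment directly above the increment, for example `/* mark the byte consumed before the early exit, or the next short request returns it again */`. A known-answer self-test that draws one block as several short requests and compares it with a single full-block request from an identically keyed context would presumably catch a regression; whether the existing test vectors exercise short requests is not visible here. The enclosing function starts before and continues past this hunk.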
@@ -1505,6 +1508,9 @@ ApplyPatch tuntap-correctly-handle-error-in-tun_set_iff.patch #CVE-2013-4350 rhbz 1007872 1007903 ApplyPatch net-sctp-fix-ipv6-ipsec-encryption-bug-in-sctp_v6_xmit.patch +#CVE-2013-4345 rhbz 1007690 1009136 +ApplyPatch ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch + # END OF PATCH APPLICATIONS %endif @@ -2346,6 +2352,9 @@ fi # ||----w | # || || %changelog +* Tue Sep 17 2013 Josh Boyer +- CVE-2013-4345 ansi_cprng: off by one error in non-block size request (rhbz 1007690 1009136) + * Mon Sep 16 2013 Justin M. Forbes 3.10.12-100 - Linux v3.10.12