diff --git a/pl.spec b/pl.spec index d52a50b..de1aa79 100644 --- a/pl.spec +++ b/pl.spec @@ -6,7 +6,7 @@ Name: pl Version: 5.10.2 -Release: 3%{?dist} +Release: 4%{?dist} Summary: SWI-Prolog - Edinburgh compatible Prolog compiler @@ -29,6 +29,9 @@ Patch3: %{name}-5.10.2-jni.patch Patch4: %{name}-5.10.2-pc.patch # Upstream bug #470, will be in 5.10.3 Patch5: %{name}-5.10.2-FIXED-Bug-470-Using-export-dynamic-is-not-a-valid-gc.patch +# Upstream bug #7, will be in 5.10.5, CVE-2011-2896, rhbz#727800 +Patch6: xpce-gif-CVE-2011-2896-part_1.patch +Patch7: xpce-gif-CVE-2011-2896-part_2.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) # Base @@ -137,6 +140,11 @@ in Prolog. In both setups it provides a reentrant bidirectional interface. %patch4 -p1 -b .pc %patch5 -p1 -b .export_dynamic ( +cd packages/xpce +%patch6 -p1 -b .CVE-2011-2896-part_1 +%patch7 -p1 -b .CVE-2011-2896-part_2 +) +( cd src autoconf ) @@ -309,6 +317,10 @@ rm -rf $RPM_BUILD_ROOT %changelog +* Fri Aug 19 2011 Petr Pisar - 5.10.2-4 +- Fix CVE-2011-2896 (David Koblas' GIF decoder LZW decoder buffer overflow) + (bug #727800) + * Thu Feb 10 2011 Petr Pisar - 5.10.2-3 - Pass -export-dynamic to linker properly diff --git a/xpce-gif-CVE-2011-2896-part_1.patch b/xpce-gif-CVE-2011-2896-part_1.patch new file mode 100644 index 0000000..c586112 --- /dev/null +++ b/xpce-gif-CVE-2011-2896-part_1.patch 
@@ -0,0 +1,66 @@
+From: Jan Wielemaker
+Date: Thu, 18 Aug 2011 09:46:53 +0000 (+0200)
+Subject: SECURITY: Bug#7 Gif-reader bufferoverflow. Petr Pisar.
+X-Git-Url: http://www.swi-prolog.org/packages/xpce.git/commitdiff_plain/bb328029beb148691edc031d9db9cf0a503c8247
+
+SECURITY: Bug#7 Gif-reader bufferoverflow. Petr Pisar.
+
+See http://www.swi-prolog.org/bugzilla/show_bug.cgi?id=7
+See https://bugzilla.redhat.com/show_bug.cgi?id=727800
+
+This patch follows a corresponding patch in CUPS:
+
+CUPS was fixed recently (in 1.4.7) and now does code > max_code check
+http://cups.org/str.php?L3867
+svn diff -c 9840 http://svn.easysw.com/public/cups/
+---
+
+diff --git a/src/img/gifread.c b/src/img/gifread.c
+index bb66705..a12a2d8 100644
+--- a/src/img/gifread.c
++++ b/src/img/gifread.c
+@@ -169,7 +169,7 @@ GIFReadFD(IOSTREAM *fd,
+ /* read colormaps */
+ if ( BitSet((UCHAR) buf[4], LOCALCOLORMAP) )
+ { if ( (rval=ReadColorMap(fd, GifScreen.BitPixel, at, ac, closure))
+- != GIF_OK )
++ != GIF_OK )
+ { setGifError("Error reading GIF colormap");
+ return rval;
+ }
+@@ -487,11 +487,11 @@ LZWReadByte(IOSTREAM * fd, int flag, int input_code_size)
+ max_code = clear_code + 2;
+ sp = stack;
+ firstcode = oldcode = GetCode(fd, code_size, FALSE);
+- return firstcode;
+- } else if (code == end_code)
++ return (firstcode&255);
++ } else if (code == end_code || code > max_code)
+ {
+ int count;
+- UCHAR buf[260];
++ UCHAR buf[260]; /* Block buffer */
+
+ if (ZeroDataBlock)
+ return -2;
+@@ -504,7 +504,7 @@ LZWReadByte(IOSTREAM * fd, int flag, int input_code_size)
+ }
+ incode = code;
+
+- if (code >= max_code)
++ if (code == max_code)
+ {
+ *sp++ = firstcode;
+ code = oldcode;
+@@ -537,9 +537,9 @@ LZWReadByte(IOSTREAM * fd, int flag, int input_code_size)
+ oldcode = incode;
+
+ if (sp > stack)
+- return *--sp;
++ return ((*--sp) & 255);
+ }
+- return code;
++ return (code&255);
+ }
+
+
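Review bot: The `return (firstcode&255)` added in the `code == clear_code` branch of the `@@ -487` hunk masks the first code after a CLEAR instead of validating it: if `GetCode` can return a negative value on a short read (its definition is not in this hunk), the mask turns that into 255, a plausible pixel, so a truncated stream no longer surfaces as a negative result, and a first code that is `>= clear_code` is not a literal yet is likewise mapped to a byte rather than handled. A guard before the mask, `if (firstcode < 0) return -2; /* short read after CLEAR: malformed stream */`, keeps the overflow fix without hiding the EOF case, using the same negative value the `ZeroDataBlock` path below already returns (confirm callers treat any negative return as end-of-image); whether a code `>= clear_code` here should be rejected or re-read, as the `do … while (firstcode == clear_code)` loop in part 2 does at initialisation, deserves an explicit decision rather than the mask. The new `code > max_code` test in the same hunk is the right bound, but it routes a corrupt code through the END-code path, so a damaged image decodes as a silently shorter one; a comment such as `/* code > max_code: malformed stream, drain the block and stop */` would make that deliberate. LZWReadByte begins and ends outside these hunks.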
diff --git a/xpce-gif-CVE-2011-2896-part_2.patch b/xpce-gif-CVE-2011-2896-part_2.patch
new file mode 100644
index 0000000..b3e35df
--- /dev/null
+++ b/xpce-gif-CVE-2011-2896-part_2.patch
@@ -0,0 +1,48 @@
+From: Jan Wielemaker
+Date: Thu, 18 Aug 2011 14:26:44 +0000 (+0200)
+Subject: SECURITY: Bug#7: More gif-read fixes.
+X-Git-Url: http://www.swi-prolog.org/packages/xpce.git/commitdiff_plain/30fbc4e030cbef5871e1b96c31458116ce3e2ee8
+
+SECURITY: Bug#7: More gif-read fixes.
+
+Incorporated additional patches from http://cups.org/str.php?L3914
+---
+
+diff --git a/src/img/gifread.c b/src/img/gifread.c
+index a12a2d8..3b8a743 100644
+--- a/src/img/gifread.c
++++ b/src/img/gifread.c
+@@ -466,7 +466,7 @@ LZWReadByte(IOSTREAM * fd, int flag, int input_code_size)
+ firstcode = oldcode = GetCode(fd, code_size, FALSE);
+ }
+ while (firstcode == clear_code);
+- return firstcode;
++ return (firstcode&255);
+ }
+ if (sp > stack)
+ return *--sp;
+@@ -505,11 +505,11 @@ LZWReadByte(IOSTREAM * fd, int flag, int input_code_size)
+ incode = code;
+
+ if (code == max_code)
+- {
+- *sp++ = firstcode;
++ { if ( sp < stack+sizeof(stack) ) /* stack is UCHAR */
++ *sp++ = firstcode;
+ code = oldcode;
+ }
+- while (code >= clear_code)
++ while (code >= clear_code && sp < stack+sizeof(stack) )
+ {
+ *sp++ = vals[code];
+ if (code == (int) next[code])
+@@ -520,7 +520,8 @@ LZWReadByte(IOSTREAM * fd, int flag, int input_code_size)
+ code = next[code];
+ }
+
+- *sp++ = firstcode = vals[code];
++ if ( sp < stack+sizeof(stack) )
++ *sp++ = firstcode = vals[code];
+
+ if ((code = max_code) < (1 << MAX_LZW_BITS))
+ {
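Review bot: The three new `sp < stack+sizeof(stack)` bounds checks in the `@@ -505` and `@@ -520` hunks stop the write but not the decode: when the bound is hit the `while` loop exits early, the now-guarded `*sp++ = firstcode = vals[code];` is skipped so `firstcode` keeps its previous value, and the function goes on to add a table entry and return pixels from a half-pushed stack, so a stream that would overflow the stack is silently mis-decoded rather than rejected. Since a chain longer than the stack can only come from a corrupt stream, an explicit failure is safer, e.g. `if (sp >= stack_end) return -2; /* chain longer than the stack: malformed stream */` where the loop stops (confirm callers treat a negative return as end-of-image, as the `return -2` path visible in part 1 suggests). Hoisting the limit into one local, `const UCHAR *stack_end = stack + sizeof(stack)/sizeof(stack[0]);`, also removes the three repeated expressions and the dependence on `sizeof` equalling the element count that the `/* stack is UCHAR */` comment has to apologise for. LZWReadByte begins and ends outside these hunks.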