diff --git a/xen-baked-tmpfile.patch b/xen-baked-tmpfile.patch
new file mode 100644
index 0000000..c5b59b6
--- /dev/null
+++ b/xen-baked-tmpfile.patch
@@ -0,0 +1,47 @@
+changeset: 16157:b28ae5f00553
+tag: tip
+user: Keir Fraser
+date: Tue Oct 23 09:26:43 2007 +0100
+files: tools/xenmon/xenbaked.c tools/xenmon/xenmon.py
+description:
+xenmon: Fix security vulnerability CVE-2007-3919.
+
+The xenbaked daemon and xenmon utility communicate via a mmap'ed
+shared file. Since this file is located in /tmp, unprivileged users
+can cause arbitrary files to be truncated by creating a symlink from
+the well-known /tmp filename to e.g., /etc/passwd.
+
+The fix is to place the shared file in a directory to which only root
+should have access (in this case /var/run/).
+
+This bug was reported, and the fix suggested, by Steve Kemp
+. Thanks!
+
+Signed-off-by: Keir Fraser
+
+
+diff -r 118a21c66fd5 -r b28ae5f00553 tools/xenmon/xenbaked.c
+--- a/tools/xenmon/xenbaked.c Mon Oct 22 21:06:11 2007 +0100
++++ b/tools/xenmon/xenbaked.c Tue Oct 23 09:26:43 2007 +0100
+@@ -589,7 +589,7 @@ error_t cmd_parser(int key, char *arg, s
+ return 0;
+ }
+
+-#define SHARED_MEM_FILE "/tmp/xenq-shm"
++#define SHARED_MEM_FILE "/var/run/xenq-shm"
+ void alloc_qos_data(int ncpu)
+ {
+ int i, n, pgsize, off=0;
+diff -r 118a21c66fd5 -r b28ae5f00553 tools/xenmon/xenmon.py
+--- a/tools/xenmon/xenmon.py Mon Oct 22 21:06:11 2007 +0100
++++ b/tools/xenmon/xenmon.py Tue Oct 23 09:26:43 2007 +0100
+@@ -46,7 +46,7 @@ QOS_DATA_SIZE = struct.calcsize(ST_QDATA
+ QOS_DATA_SIZE = struct.calcsize(ST_QDATA)*NSAMPLES + struct.calcsize(ST_DOM_INFO)*NDOMAINS + struct.calcsize("4i")
+
+ # location of mmaped file, hard coded right now
+-SHM_FILE = "/tmp/xenq-shm"
++SHM_FILE = "/var/run/xenq-shm"
+
+ # format strings
+ TOTALS = 15*' ' + "%6.2f%%" + 35*' ' + "%6.2f%%"
+
diff --git a/xen.spec b/xen.spec
index 4fb6735..7c2e2d3 100644
--- a/xen.spec
+++ b/xen.spec
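Review bot: The fix carried in xen-baked-tmpfile.patch depends entirely on `/var/run` being writable by root alone, because the xenbaked.c hunk changes only the `SHARED_MEM_FILE` string and not how the file is opened. The open call in `alloc_qos_data` lies outside the hunk; if it still creates and truncates a fixed path without refusing symlinks, adding `O_NOFOLLOW` to its flags (or checking the descriptor with `fstat` before truncating) would keep the daemon safe even when the directory's permissions are looser than expected. The same path is hard-coded a second time as `SHM_FILE` in the xenmon.py hunk, so the two values must always change together; a comment above the define such as `/* keep in sync with SHM_FILE in tools/xenmon/xenmon.py; directory must be root-writable only */` would record both constraints.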
@@ -3,7 +3,7 @@
 Summary: Xen is a virtual machine monitor
 Name: xen
 Version: 3.1.0
-Release: 12%{?dist}
+Release: 13%{?dist}
 Group: Development/Libraries
 License: GPL
 URL: http://www.cl.cam.ac.uk/Research/SRG/netos/xen/index.html
@@ -32,6 +32,7 @@ Patch33: xen-vmxassist-irqs.patch
 Patch34: xen-3.1.0-no-xenapi-docs.patch
 Patch35: xen-qemu-rtl8139-checksum.patch
 Patch36: xen-qemu-bootmenu.patch
+Patch37: xen-baked-tmpfile.patch
 
 # Patches to modify the default config of xend
 Patch100: xen-config-dom0-minmem.patch
@@ -143,6 +144,7 @@ virtual machines.
 %patch34 -p1
 %patch35 -p1
 %patch36 -p1
+%patch37 -p1
 
 # config patches
 %patch100 -p1
@@ -293,6 +295,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_libdir}/*.a
 
 %changelog
+* Fri Oct 26 2007 Daniel P. Berrange - 3.1.0-13.fc9
+- Fixed xenbaked tmpfile flaw (CVE-2007-3919)
+
 * Wed Oct 10 2007 Daniel P. Berrange - 3.1.0-12.fc8
 - Pull in QEMU BIOS boot menu patch from KVM package
 - Fix QEMU patch for locating x509 certificates based on command line args