diff --git a/xen.spec b/xen.spec
index 713bf85..288bd2e 100644
--- a/xen.spec
+++ b/xen.spec
@@ -27,7 +27,7 @@
 Summary: Xen is a virtual machine monitor
 Name:    xen
 Version: 4.2.2
-Release: 4%{?dist}
+Release: 5%{?dist}
 Group:   Development/Libraries
 License: GPLv2+ and LGPLv2+ and BSD
 URL:     http://xen.org/
@@ -87,6 +87,7 @@ Patch70: xsa45-4.2-06-unpin-preemptible.patch
 Patch71: xsa45-4.2-07-mm-error-paths-preemptible.patch
 Patch72: xsa49-4.2.patch
 Patch73: xen.pygrubtitlefix.patch
+Patch74: xsa56.patch
 
 Patch100: xen-configure-xend.patch
 
@@ -265,6 +266,7 @@ manage Xen virtual machines.
 %patch71 -p1
 %patch72 -p1
 %patch73 -p1
+%patch74 -p1
 
 %patch100 -p1
 
@@ -754,6 +756,10 @@ rm -rf %{buildroot}
 %endif
 
 %changelog
+* Fri May 17 2013 Michael Young <m.a.young@durham.ac.uk> - 4.2.2-5
+- xend toolstack doesn't check bounds for VCPU affinity
+  [XSA-56, CVE-2013-2072] (#964241)
+
 * Tue May 14 2013 Michael Young <m.a.young@durham.ac.uk> - 4.2.2-4
 - xen-devel should require libuuid-devel (#962833)
 - pygrub menu items can include too much text (#958524)
diff --git a/xsa56.patch b/xsa56.patch
new file mode 100644
index 0000000..1368ac3
--- /dev/null
+++ b/xsa56.patch
@@ -0,0 +1,50 @@
+libxc: limit cpu values when setting vcpu affinity
+
+When support for pinning more than 64 cpus was added, check for cpu
+out-of-range values was removed. This can lead to subsequent
+out-of-bounds cpumap array accesses in case the cpu number is higher
+than the actual count.
+
+This patch returns the check.
+
+This is CVE-2013-2072 / XSA-56
+
+Signed-off-by: Petr Matousek <pmatouse@redhat.com>
+
+diff --git a/tools/python/xen/lowlevel/xc/xc.c b/tools/python/xen/lowlevel/xc/xc.c
+index e220f68..e611b24 100644
+--- a/tools/python/xen/lowlevel/xc/xc.c
++++ b/tools/python/xen/lowlevel/xc/xc.c
+@@ -228,6 +228,7 @@ static PyObject *pyxc_vcpu_setaffinity(XcObject *self,
+     int vcpu = 0, i;
+     xc_cpumap_t cpumap;
+     PyObject *cpulist = NULL;
++    int nr_cpus;
+ 
+     static char *kwd_list[] = { "domid", "vcpu", "cpumap", NULL };
+ 
+@@ -235,6 +236,10 @@ static PyObject *pyxc_vcpu_setaffinity(XcObject *self,
+                                       &dom, &vcpu, &cpulist) )
+         return NULL;
+ 
++    nr_cpus = xc_get_max_cpus(self->xc_handle);
++    if ( nr_cpus == 0 )
++        return pyxc_error_to_exception(self->xc_handle);
++
+     cpumap = xc_cpumap_alloc(self->xc_handle);
+     if(cpumap == NULL)
+         return pyxc_error_to_exception(self->xc_handle);
+@@ -244,6 +249,13 @@ static PyObject *pyxc_vcpu_setaffinity(XcObject *self,
+         for ( i = 0; i < PyList_Size(cpulist); i++ ) 
+         {
+             long cpu = PyInt_AsLong(PyList_GetItem(cpulist, i));
++            if ( cpu < 0 || cpu >= nr_cpus )
++            {
++                free(cpumap);
++                errno = EINVAL;
++                PyErr_SetFromErrno(xc_error_obj);
++                return NULL;
++            }
+             cpumap[cpu / 8] |= 1 << (cpu % 8);
+         }
+     }