diff --git a/glibc-rh1167569.patch b/glibc-rh1167569.patch
new file mode 100644
index 0000000..bd9ba56
--- /dev/null
+++ b/glibc-rh1167569.patch
@@ -0,0 +1,164 @@
+commit 33ceaf6187b31ea15284ac65131749e1cb68d2ae
+Author: Carlos O'Donell <carlos@redhat.com>
+Date:   Wed Nov 19 11:44:12 2014 -0500
+
+    CVE-2014-7817: wordexp fails to honour WRDE_NOCMD.
+    
+    The function wordexp() fails to properly handle the WRDE_NOCMD
+    flag when processing arithmetic inputs in the form of "$((... ``))"
+    where "..." can be anything valid. The backticks in the arithmetic
+    epxression are evaluated by in a shell even if WRDE_NOCMD forbade
+    command substitution. This allows an attacker to attempt to pass
+    dangerous commands via constructs of the above form, and bypass
+    the WRDE_NOCMD flag. This patch fixes this by checking for WRDE_NOCMD
+    in exec_comm(), the only place that can execute a shell. All other
+    checks for WRDE_NOCMD are superfluous and removed.
+    
+    We expand the testsuite and add 3 new regression tests of roughly
+    the same form but with a couple of nested levels.
+    
+    On top of the 3 new tests we add fork validation to the WRDE_NOCMD
+    testing. If any forks are detected during the execution of a wordexp()
+    call with WRDE_NOCMD, the test is marked as failed. This is slightly
+    heuristic since vfork might be used in the future, but it provides a
+    higher level of assurance that no shells were executed as part of
+    command substitution with WRDE_NOCMD in effect. In addition it doesn't
+    require libpthread or libdl, instead we use the public implementation
+    namespace function __register_atfork (already part of the public ABI
+    for libpthread).
+    
+    Tested on x86_64 with no regressions.
+    
+    (cherry picked from commit a39208bd7fb76c1b01c127b4c61f9bfd915bfe7c)
+
+diff --git a/posix/wordexp-test.c b/posix/wordexp-test.c
+index 4957006..bdd65e4 100644
+--- a/posix/wordexp-test.c
++++ b/posix/wordexp-test.c
+@@ -27,6 +27,25 @@
+ 
+ #define IFS " \n\t"
+ 
++extern void *__dso_handle __attribute__ ((__weak__, __visibility__ ("hidden")));
++extern int __register_atfork (void (*) (void), void (*) (void), void (*) (void), void *);
++
++static int __app_register_atfork (void (*prepare) (void), void (*parent) (void), void (*child) (void))
++{
++  return __register_atfork (prepare, parent, child,
++			    &__dso_handle == NULL ? NULL : __dso_handle);
++}
++
++/* Number of forks seen.  */
++static int registered_forks;
++
++/* For each fork increment the fork count.  */
++static void
++register_fork (void)
++{
++  registered_forks++;
++}
++
+ struct test_case_struct
+ {
+   int retval;
+@@ -206,6 +225,12 @@ struct test_case_struct
+     { WRDE_SYNTAX, NULL, "$((2+))", 0, 0, { NULL, }, IFS },
+     { WRDE_SYNTAX, NULL, "`", 0, 0, { NULL, }, IFS },
+     { WRDE_SYNTAX, NULL, "$((010+4+))", 0, 0, { NULL }, IFS },
++    /* Test for CVE-2014-7817. We test 3 combinations of command
++       substitution inside an arithmetic expression to make sure that
++       no commands are executed and error is returned.  */
++    { WRDE_CMDSUB, NULL, "$((`echo 1`))", WRDE_NOCMD, 0, { NULL, }, IFS },
++    { WRDE_CMDSUB, NULL, "$((1+`echo 1`))", WRDE_NOCMD, 0, { NULL, }, IFS },
++    { WRDE_CMDSUB, NULL, "$((1+$((`echo 1`))))", WRDE_NOCMD, 0, { NULL, }, IFS },
+ 
+     { -1, NULL, NULL, 0, 0, { NULL, }, IFS },
+   };
+@@ -258,6 +283,15 @@ main (int argc, char *argv[])
+ 	  return -1;
+     }
+ 
++  /* If we are not allowed to do command substitution, we install
++     fork handlers to verify that no forks happened.  No forks should
++     happen at all if command substitution is disabled.  */
++  if (__app_register_atfork (register_fork, NULL, NULL) != 0)
++    {
++      printf ("Failed to register fork handler.\n");
++      return -1;
++    }
++
+   for (test = 0; test_case[test].retval != -1; test++)
+     if (testit (&test_case[test]))
+       ++fail;
+@@ -367,6 +401,9 @@ testit (struct test_case_struct *tc)
+ 
+   printf ("Test %d (%s): ", ++tests, tc->words);
+ 
++  if (tc->flags & WRDE_NOCMD)
++    registered_forks = 0;
++
+   if (tc->flags & WRDE_APPEND)
+     {
+       /* initial wordexp() call, to be appended to */
+@@ -378,6 +415,13 @@ testit (struct test_case_struct *tc)
+     }
+   retval = wordexp (tc->words, &we, tc->flags);
+ 
++  if ((tc->flags & WRDE_NOCMD)
++      && (registered_forks > 0))
++    {
++	  printf ("FAILED fork called for WRDE_NOCMD\n");
++	  return 1;
++    }
++
+   if (tc->flags & WRDE_DOOFFS)
+       start_offs = sav_we.we_offs;
+ 
+diff --git a/posix/wordexp.c b/posix/wordexp.c
+index b6b65dd..26f3a26 100644
+--- a/posix/wordexp.c
++++ b/posix/wordexp.c
+@@ -893,6 +893,10 @@ exec_comm (char *comm, char **word, size_t *word_length, size_t *max_length,
+   pid_t pid;
+   int noexec = 0;
+ 
++  /* Do nothing if command substitution should not succeed.  */
++  if (flags & WRDE_NOCMD)
++    return WRDE_CMDSUB;
++
+   /* Don't fork() unless necessary */
+   if (!comm || !*comm)
+     return 0;
+@@ -2082,9 +2086,6 @@ parse_dollars (char **word, size_t *word_length, size_t *max_length,
+ 	    }
+ 	}
+ 
+-      if (flags & WRDE_NOCMD)
+-	return WRDE_CMDSUB;
+-
+       (*offset) += 2;
+       return parse_comm (word, word_length, max_length, words, offset, flags,
+ 			 quoted? NULL : pwordexp, ifs, ifs_white);
+@@ -2196,9 +2197,6 @@ parse_dquote (char **word, size_t *word_length, size_t *max_length,
+ 	  break;
+ 
+ 	case '`':
+-	  if (flags & WRDE_NOCMD)
+-	    return WRDE_CMDSUB;
+-
+ 	  ++(*offset);
+ 	  error = parse_backtick (word, word_length, max_length, words,
+ 				  offset, flags, NULL, NULL, NULL);
+@@ -2357,12 +2355,6 @@ wordexp (const char *words, wordexp_t *pwordexp, int flags)
+ 	break;
+ 
+       case '`':
+-	if (flags & WRDE_NOCMD)
+-	  {
+-	    error = WRDE_CMDSUB;
+-	    goto do_error;
+-	  }
+-
+ 	++words_offset;
+ 	error = parse_backtick (&word, &word_length, &max_length, words,
+ 				&words_offset, flags, pwordexp, ifs,
diff --git a/glibc.spec b/glibc.spec
index 25b62a2..9a32b31 100644
--- a/glibc.spec
+++ b/glibc.spec
@@ -1,6 +1,6 @@
 %define glibcsrcdir  glibc-2.20
 %define glibcversion 2.20
-%define glibcrelease 7%{?dist}
+%define glibcrelease 8%{?dist}
 # Pre-release tarballs are pulled in from git using a command that is
 # effectively:
 #
@@ -207,6 +207,7 @@ Patch0051: %{name}-disable-rwlock-elision.patch
 #
 ##############################################################################
 Patch1001: %{name}-rh1133508.patch
+Patch1002: %{name}-rh1167569.patch
 
 ##############################################################################
 #
@@ -575,6 +576,7 @@ package or when debugging this package.
 %patch0050 -p1
 %patch1001 -p1
 %patch0051 -p1
+%patch1002 -p1
 
 ##############################################################################
 # %%prep - Additional prep required...
@@ -1710,6 +1712,9 @@ rm -f *.filelist*
 %endif
 
 %changelog
+* Fri Feb 27 2015 Siddhesh Poyarekar <siddhesh@redhat.com> - 2.20-8
+- wordexp fails to honour WRDE_NOCMD (CVE-2014-7817, #1167569).
+
 * Tue Jan 06 2015 Siddhesh Poyarekar <siddhesh@redhat.com> - 2.20-7
 - Remove LIB_LANG since we don't install locales in /usr/lib/locale anymore.
 - Don't own any directories in /usr/share/locale (#1167445).