diff -Nru rpm-4.11.2/debian/changelog rpm-4.11.2/debian/changelog
--- rpm-4.11.2/debian/changelog 2014-04-29 08:54:50.000000000 +0000
+++ rpm-4.11.2/debian/changelog 2015-01-16 16:40:52.000000000 +0000
@@ -1,3 +1,16 @@
+rpm (4.11.2-3ubuntu0.1) utopic-security; urgency=medium
+
+ * SECURITY UPDATE: code execution via insecure temp file use
+ - debian/patches/CVE-2013-6435.patch: create file with proper
+ permissions in lib/fsm.c.
+ - CVE-2013-6435
+ * SECURITY UPDATE: code execution via long file name
+ - debian/patches/CVE-2014-8118.patch: limit length of file name in
+ lib/cpio.c.
+ - CVE-2014-8118
+
+ -- Marc Deslauriers Fri, 16 Jan 2015 10:43:56 -0500
+
 rpm (4.11.2-3) unstable; urgency=medium

 * Tighten inter package dependencies (Closes: #745379).
diff -Nru rpm-4.11.2/debian/control rpm-4.11.2/debian/control
--- rpm-4.11.2/debian/control 2014-04-29 08:54:50.000000000 +0000
+++ rpm-4.11.2/debian/control 2015-01-16 16:41:10.000000000 +0000
@@ -32,7 +32,8 @@
 liblua5.2-dev,
 libselinux-dev [linux-any],
 libsemanage-dev [linux-any]
-Maintainer: Michal Čihař
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Michal Čihař
 Uploaders: Loic Minier
 X-Python-Version: >= 2.6
 Standards-Version: 3.9.5
diff -Nru rpm-4.11.2/debian/patches/CVE-2013-6435.patch rpm-4.11.2/debian/patches/CVE-2013-6435.patch
--- rpm-4.11.2/debian/patches/CVE-2013-6435.patch 1970-01-01 00:00:00.000000000 +0000
+++ rpm-4.11.2/debian/patches/CVE-2013-6435.patch 2015-01-16 15:43:44.000000000 +0000
@@ -0,0 +1,31 @@
+Description: Create the file with mode 0
+ It was found that RPM wrote file contents to the target installation
+ directory under a temporary name, and verified its cryptographic
+ signature only after the temporary file has been written
+ completely. Under certain conditions, the system interprets the
+ unverified temporary file contents and extracts commands from
+ it. This could allow an attacker to modify signed RPM files in such a
+ way that they would execute code chosen by the attacker during
+ package installation.
+Origin: https://bugzilla.redhat.com/attachment.cgi?id=956268&action=diff
+Bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6435
+Last-Update: 2014-12-14
+
+Index: rpm-4.11.3/lib/fsm.c
+===================================================================
+--- rpm-4.11.3.orig/lib/fsm.c 2014-12-14 18:01:29.484568052 -0800
++++ rpm-4.11.3/lib/fsm.c 2014-12-14 18:02:05.550228685 -0800
+@@ -731,7 +731,12 @@
+ pgpHashAlgo digestalgo = 0;
+ int rc = 0;
+
+- wfd = Fopen(fsm->path, "w.ufdio");
++ /* Create the file with 000 permissions. */
++ {
++ mode_t old_umask = umask(0777);
++ wfd = Fopen(fsm->path, "w.ufdio");
++ umask(old_umask);
++ }
+ if (Ferror(wfd)) {
+ rc = CPIOERR_OPEN_FAILED;
+ goto exit;
diff -Nru rpm-4.11.2/debian/patches/CVE-2014-8118.patch rpm-4.11.2/debian/patches/CVE-2014-8118.patch
--- rpm-4.11.2/debian/patches/CVE-2014-8118.patch 1970-01-01 00:00:00.000000000 +0000
+++ rpm-4.11.2/debian/patches/CVE-2014-8118.patch 2015-01-16 15:43:50.000000000 +0000
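Review bot: The umask(0777) trick only yields a mode-000 file when `Fopen(fsm->path, "w.ufdio")` actually creates the file; if something already exists at fsm->path, the "w" open truncates it and it keeps its existing permissions, so the unverified payload is exposed again during exactly the window this patch is meant to close, unless a caller outside this hunk has already unlinked the path. umask is also process-wide state, so any other thread creating files while this block runs (librpm is presumably reachable from threaded hosts such as the Python bindings) gets mode-000 files; an explicit `open(fsm->path, O_WRONLY|O_CREAT|O_EXCL, 0)` wrapped into an rpmio FD, if the helpers here allow it, would avoid both problems. The added comment should also say why, e.g. `/* Create with mode 000 so the payload cannot be read or executed before its digest is verified and the final mode is applied (CVE-2013-6435). */`. The enclosing function starts and ends outside this hunk.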
@@ -0,0 +1,24 @@
+Description: Limit the length of the file name to a reasonable value
+ It was found that RPM could encounter an integer overflow, leading to
+ a stack-based overflow, while parsing a crafted CPIO header in the
+ payload section of an RPM file. This could allow an attacker to
+ modify signed RPM files in such a way that they would execute code
+ chosen by the attacker during package installation.
+Origin: backport, https://bugzilla.redhat.com/attachment.cgi?id=962159&action=diff
+Bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-8118
+Last-Update: 2014-12-14
+
+Index: rpm-4.11.3/lib/cpio.c
+===================================================================
+--- rpm-4.11.3.orig/lib/cpio.c 2013-11-22 02:31:31.000000000 -0800
++++ rpm-4.11.3/lib/cpio.c 2014-12-14 17:44:58.572662964 -0800
+@@ -296,6 +296,9 @@
+ st->st_rdev = makedev(major, minor);
+
+ GET_NUM_FIELD(hdr.namesize, nameSize);
++ if (nameSize <= 0 || nameSize > 4096) {
++ return CPIOERR_BAD_HEADER;
++ }
+
+ *path = xmalloc(nameSize + 1);
+ read = Fread(*path, nameSize, 1, cpio->fd);
diff -Nru rpm-4.11.2/debian/patches/series rpm-4.11.2/debian/patches/series
--- rpm-4.11.2/debian/patches/series 2014-04-29 08:54:50.000000000 +0000
+++ rpm-4.11.2/debian/patches/series 2015-01-16 15:43:50.000000000 +0000
@@ -13,3 +13,5 @@
 rpm-4.10.90-rpmlib-filesystem-check.patch
 fix-python-multiarch-include.patch
 rpm-4.11.2-double-separator-warning.patch
+CVE-2013-6435.patch
+CVE-2014-8118.patch
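Review bot: The new bound `nameSize > 4096` is a bare magic number with no comment; if rpm payload names carry the conventional `./` prefix and the terminating NUL, a path at the Linux PATH_MAX of 4096 bytes would be rejected by it, and a reader cannot tell whether that is intended. Name the limit and record the reason, e.g. `#define CPIO_NAME_MAX 4096` (or PATH_MAX plus the prefix if that case must be accommodated) in place of the literal, preceded by `/* Reject negative or absurd name lengths before they reach xmalloc()/Fread() (CVE-2014-8118). */`. The `<= 0` half of the test presumes nameSize is a signed int so that an 8-hex-digit field above INT_MAX reads as negative; if GET_NUM_FIELD stores into an unsigned type that check is dead, which cannot be confirmed from the hunk. The early `return` happens before `*path` is allocated, so nothing leaks at this point, but the enclosing function and any cleanup it performs start and end outside this hunk.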