diff --git a/SOURCES/0669-journald-free-cmdline-buffers-owned-by-iovec.patch b/SOURCES/0669-journald-free-cmdline-buffers-owned-by-iovec.patch
new file mode 100644
index 0000000..180d29f
--- /dev/null
+++ b/SOURCES/0669-journald-free-cmdline-buffers-owned-by-iovec.patch
@@ -0,0 +1,46 @@
+From b4f602cb19719cbb44e5635d4b4743125f5b20bd Mon Sep 17 00:00:00 2001
+From: Michal Sekletar <msekleta@redhat.com>
+Date: Wed, 16 Jan 2019 10:24:56 +0100
+Subject: [PATCH] journald: free cmdline buffers owned by iovec
+
+Resolves: #1666646
+
+[msekleta: this is a followup for the fix of CVE-2018-16864. While
+backporting upstream changes I've accidentally dropped the automatic
+cleanup of the cmdline buffers. Technically speaking similar issue is in
+coredump.c too, but after we dispatch iovec buffer in coredump.c we
+immediately exit so allocated memory is reclaimed by the kernel.]
+---
+ src/journal/journald-server.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c
+index c35858247..88d8f3e41 100644
+--- a/src/journal/journald-server.c
++++ b/src/journal/journald-server.c
+@@ -738,6 +738,7 @@ static void dispatch_message_real(
+                 o_uid[sizeof("OBJECT_UID=") + DECIMAL_STR_MAX(uid_t)],
+                 o_gid[sizeof("OBJECT_GID=") + DECIMAL_STR_MAX(gid_t)],
+                 o_owner_uid[sizeof("OBJECT_SYSTEMD_OWNER_UID=") + DECIMAL_STR_MAX(uid_t)];
++        _cleanup_free_ char *cmdline1 = NULL, *cmdline2 = NULL;
+         uid_t object_uid;
+         gid_t object_gid;
+         char *x;
+@@ -790,7 +791,7 @@ static void dispatch_message_real(
+                 if (r >= 0) {
+                         /* At most _SC_ARG_MAX (2MB usually), which is too much to put on stack.
+                          * Let's use a heap allocation for this one. */
+-                        set_iovec_field_free(iovec, &n, "_CMDLINE=", t);
++                        cmdline1 = set_iovec_field_free(iovec, &n, "_CMDLINE=", t);
+                 }
+ 
+                 r = get_process_capeff(ucred->pid, &t);
+@@ -916,7 +917,7 @@ static void dispatch_message_real(
+ 
+                 r = get_process_cmdline(object_pid, 0, false, &t);
+                 if (r >= 0)
+-                        set_iovec_field_free(iovec, &n, "OBJECT_CMDLINE=", t);
++                        cmdline2 = set_iovec_field_free(iovec, &n, "OBJECT_CMDLINE=", t);
+ 
+ #ifdef HAVE_AUDIT
+                 r = audit_session_from_pid(object_pid, &audit);
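Review bot: The new `cmdline1`/`cmdline2` locals in dispatch_message_real have no comment saying that they exist only to own the heap buffers whose addresses are already stored in `iovec`. The patch description says that cleanup was dropped during the earlier backport, and in a long-running daemon such a leak presumably recurs on every dispatched message. I would add above the declaration `/* Own the heap-allocated _CMDLINE=/OBJECT_CMDLINE= strings referenced by iovec; they must stay valid until iovec has been dispatched and are freed on return. */` and rename the variables to `cmdline` and `object_cmdline` so the pairing with the two fields is obvious. The fix relies on set_iovec_field_free() returning the buffer it placed in the iovec (and presumably NULL on allocation failure), which these hunks do not show, so confirm that against the backported helper. The body of dispatch_message_real starts and ends outside the hunks shown.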
diff --git a/SPECS/systemd.spec b/SPECS/systemd.spec
index 4245b61..c8953f6 100644
--- a/SPECS/systemd.spec
+++ b/SPECS/systemd.spec
@@ -7,7 +7,7 @@
 Name:           systemd
 Url:            http://www.freedesktop.org/wiki/Software/systemd
 Version:        219
-Release:        62%{?dist}.2
+Release:        62%{?dist}.3
 # For a breakdown of the licensing, see README
 License:        LGPLv2+ and MIT and GPLv2+
 Summary:        A System and Service Manager
@@ -707,6 +707,7 @@ Patch0665: 0665-dhcp6-make-sure-we-have-enough-space-for-the-DHCP6-o.patch
 Patch0666: 0666-journald-do-not-store-the-iovec-entry-for-process-co.patch
 Patch0667: 0667-journald-set-a-limit-on-the-number-of-fields-1k.patch
 Patch0668: 0668-journal-remote-set-a-limit-on-the-number-of-fields-i.patch
+Patch0669: 0669-journald-free-cmdline-buffers-owned-by-iovec.patch
 
 %global num_patches %{lua: c=0; for i,p in ipairs(patches) do c=c+1; end; print(c);}
 
@@ -1683,6 +1684,9 @@ fi
 %{_mandir}/man8/systemd-resolved.*
 
 %changelog
+* Wed Jan 16 2019 Lukas Nykryn <lnykryn@redhat.com> - 219-62.3
+- journald: free cmdline buffers owned by iovec (#1666646)
+
 * Mon Jan 07 2019 Lukas Nykryn <lnykryn@redhat.com> - 219-62.2
 - journald: do not store the iovec entry for process commandline on stack (#1657788)
 - journald: set a limit on the number of fields (1k) (#1657792)