diff --git a/SOURCES/bash-4.2-env-inject.patch b/SOURCES/bash-4.2-env-inject.patch
new file mode 100644
index 0000000..0d7a15f
--- /dev/null
+++ b/SOURCES/bash-4.2-env-inject.patch
@@ -0,0 +1,62 @@
+*** ../bash-4.3-patched/builtins/common.h	2013-07-08 16:54:47.000000000 -0400
+--- builtins/common.h	2014-09-12 14:25:47.000000000 -0400
+***************
+*** 34,37 ****
+--- 49,54 ----
+  #define SEVAL_PARSEONLY	0x020
+  #define SEVAL_NOLONGJMP 0x040
++ #define SEVAL_FUNCDEF	0x080		/* only allow function definitions */
++ #define SEVAL_ONECMD	0x100		/* only allow a single command */
+  
+  /* Flags for describe_command, shared between type.def and command.def */
+*** ../bash-4.3-patched/builtins/evalstring.c	2014-02-11 09:42:10.000000000 -0500
+--- builtins/evalstring.c	2014-09-14 14:15:13.000000000 -0400
+***************
+*** 309,312 ****
+--- 313,324 ----
+  	      struct fd_bitmap *bitmap;
+  
++ 	      if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def)
++ 		{
++ 		  internal_warning ("%s: ignoring function definition attempt", from_file);
++ 		  should_jump_to_top_level = 0;
++ 		  last_result = last_command_exit_value = EX_BADUSAGE;
++ 		  break;
++ 		}
++ 
+  	      bitmap = new_fd_bitmap (FD_BITMAP_SIZE);
+  	      begin_unwind_frame ("pe_dispose");
+***************
+*** 369,372 ****
+--- 381,387 ----
+  	      dispose_fd_bitmap (bitmap);
+  	      discard_unwind_frame ("pe_dispose");
++ 
++ 	      if (flags & SEVAL_ONECMD)
++ 		break;
+  	    }
+  	}
+*** ../bash-4.3-patched/variables.c	2014-05-15 08:26:50.000000000 -0400
+--- variables.c	2014-09-14 14:23:35.000000000 -0400
+***************
+*** 359,368 ****
+  	  strcpy (temp_string + char_index + 1, string);
+  
+! 	  parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST);
+! 
+! 	  /* Ancient backwards compatibility.  Old versions of bash exported
+! 	     functions like name()=() {...} */
+! 	  if (name[char_index - 1] == ')' && name[char_index - 2] == '(')
+! 	    name[char_index - 2] = '\0';
+  
+  	  if (temp_var = find_function (name))
+--- 364,372 ----
+  	  strcpy (temp_string + char_index + 1, string);
+  
+! 	  /* Don't import function names that are invalid identifiers from the
+! 	     environment, though we still allow them to be defined as shell
+! 	     variables. */
+! 	  if (legal_identifier (name))
+! 	    parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);
+  
+  	  if (temp_var = find_function (name))
diff --git a/SPECS/bash.spec b/SPECS/bash.spec
index afaa1f1..ac25e77 100644
--- a/SPECS/bash.spec
+++ b/SPECS/bash.spec
@@ -6,7 +6,7 @@
 Version: %{baseversion}%{patchleveltag}
 Name: bash
 Summary: The GNU Bourne Again shell
-Release: 5%{?dist}
+Release: 5%{?dist}.2
 Group: System Environment/Shells
 License: GPLv3+
 Url: http://www.gnu.org/software/bash
@@ -116,6 +116,9 @@ Patch125: bash-4.2-size_type.patch
 Patch126: bash-4.2-missing_closes.patch
 Patch127: bash-4.1-trap.patch
 
+# 1141647
+Patch128: bash-4.2-env-inject.patch
+
 BuildRequires: texinfo bison
 BuildRequires: ncurses-devel
 BuildRequires: autoconf, gettext
@@ -218,6 +221,7 @@ This package contains documentation files for %{name}.
 %patch125 -p1 -b .size_type
 %patch126 -p1 -b .missing_closes
 %patch127 -p1 -b .trap
+%patch128 -p0 -b .inject
 
 echo %{version} > _distribution
 echo %{release} > _patchlevel
@@ -410,6 +414,14 @@ end
 #%doc doc/*.ps doc/*.0 doc/*.html doc/article.txt
 
 %changelog
+* Mon Sep 15 2014 Ondrej Oprala <ooprala@redhat.com - 4.2.45-5.2
+- Fix-up the patch
+  Related: #1141647
+
+* Mon Sep 15 2014 Ondrej Oprala <ooprala@redhat.com - 4.2.45-5.1
+- Check for fishy environment
+  Resolves: #1141647
+
 * Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 4.2.45-5
 - Mass rebuild 2014-01-24