diff --git a/SOURCES/emacs-htmlfontify-command-injection-vulnerability.patch b/SOURCES/emacs-htmlfontify-command-injection-vulnerability.patch
new file mode 100644
index 0000000..73122c8
--- /dev/null
+++ b/SOURCES/emacs-htmlfontify-command-injection-vulnerability.patch
@@ -0,0 +1,26 @@
+From 1b4dc4691c1f87fc970fbe568b43869a15ad0d4c Mon Sep 17 00:00:00 2001
+From: Xi Lu <lx@shellcodes.org>
+Date: Sat, 24 Dec 2022 16:28:54 +0800
+Subject: [PATCH] Fix htmlfontify.el command injection vulnerability.
+
+* lisp/htmlfontify.el (hfy-text-p): Fix command injection
+vulnerability.  (Bug#60295)
+---
+ lisp/htmlfontify.el | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lisp/htmlfontify.el b/lisp/htmlfontify.el
+index df4c6ab079c..389b92939cc 100644
+--- a/lisp/htmlfontify.el
++++ b/lisp/htmlfontify.el
+@@ -1912,7 +1912,7 @@ hfy-make-directory
+ 
+ (defun hfy-text-p (srcdir file)
+   "Is SRCDIR/FILE text?  Uses `hfy-istext-command' to determine this."
+-  (let* ((cmd (format hfy-istext-command (expand-file-name file srcdir)))
++  (let* ((cmd (format hfy-istext-command (shell-quote-argument (expand-file-name file srcdir))))
+          (rsp (shell-command-to-string    cmd)))
+     (string-match "text" rsp)))
+ 
+-- 
+2.36.1
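Review bot: The `shell-quote-argument` call added in `hfy-text-p` only protects the command when `%s` appears unquoted in `hfy-istext-command`. That variable is a format string defined outside this hunk, and as far as I know it is a user option upstream, so a customised value that wraps `%s` in its own quotes would combine with the new escaping and no longer be safe or correct. The docstring should state the contract by adding a sentence such as `FILE is shell-quoted before substitution, so the command must not quote %s itself.`, and the same sentence belongs in the variable's own documentation. Separately, `(string-match "text" rsp)` matches anywhere in the command output, so it presumably relies on the command stripping the echoed file name; that is worth confirming for file names that themselves contain a colon followed by "text".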
diff --git a/SPECS/emacs.spec b/SPECS/emacs.spec
index c16d070..25c5304 100644
--- a/SPECS/emacs.spec
+++ b/SPECS/emacs.spec
@@ -4,7 +4,7 @@ Summary:        GNU Emacs text editor
 Name:           emacs
 Epoch:          1
 Version:        24.3
-Release:        23%{?dist}
+Release:        23%{?dist}.1
 License:        GPLv3+
 URL:            http://www.gnu.org/software/emacs/
 Group:          Applications/Editors
@@ -55,6 +55,7 @@ Patch32:        emacs-0013-gnutls.el-increase-gnutls-min-prime-bits-to-1024-by-.
 Patch100:       emacs-24.3-hunspell.patch
 # Fix for emacs bug #827033
 Patch101:       emacs-24.3-hunspell.2.patch
+Patch102:       emacs-htmlfontify-command-injection-vulnerability.patch
 
 
 BuildRequires:  atk-devel cairo-devel freetype-devel fontconfig-devel dbus-devel giflib-devel glibc-devel libpng-devel
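Review bot: `Patch102` is added without the explanatory comment its neighbour carries (`# Fix for emacs bug #827033` above `Patch101`), so the spec does not record why this security patch is applied or where it comes from. Add a line above it such as `# Fix htmlfontify.el command injection (upstream Bug#60295, #2175177)`. Both identifiers already appear in this commit, in the embedded patch header and in the changelog entry.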
@@ -219,6 +220,7 @@ packages that add functionality to Emacs.
 
 %patch100 -p1 -b .hunspell
 %patch101 -p1 -b .hunspell.2
+%patch102 -p1 -b .htmlfontify-command-injection-vulnerability
 if test configure.ac -nt aclocal.m4 -o m4/gnulib-comp.m4 -nt aclocal.m4 ; then
     sleep 1
     touch aclocal.m4
@@ -478,7 +480,6 @@ update-desktop-database &> /dev/null || :
 %{_datadir}/applications/emacs.desktop
 %{_datadir}/applications/emacsclient.desktop
 %{_datadir}/icons/hicolor/*/apps/emacs.png
-#%{_datadir}/icons/hicolor/*/apps/emacs22.png
 %{_datadir}/icons/hicolor/scalable/apps/emacs.svg
 %{_datadir}/icons/hicolor/scalable/mimetypes/emacs-document.svg
 
@@ -495,7 +496,6 @@ update-desktop-database &> /dev/null || :
 %{_bindir}/etags.emacs
 %{_bindir}/gctags
 %{_bindir}/grep-changelog
-#%{_bindir}/rcs-checkin
 %{_mandir}/*/*
 %{_infodir}/*
 %dir %{_datadir}/emacs/%{version}
@@ -520,6 +520,9 @@ update-desktop-database &> /dev/null || :
 %dir %{_datadir}/emacs/site-lisp/site-start.d
 
 %changelog
+* Fri Apr 7 2023 Jacek Migacz <jmigacz@redhat.com> - 1:24.3-23.1
+- Fix htmlfontify.el command injection vulnerability (#2175177)
+
 * Fri Nov 01 2019 Tomas Pelka <tpelka@redhat.com> - 1:24.3-23
 - Resolves: #1765208 rebuild against new IM