diff --git a/SOURCES/flatpak-1.0.2-CVE-2019-5736.patch b/SOURCES/flatpak-1.0.2-CVE-2019-5736.patch
new file mode 100644
index 0000000..2fa3347
--- /dev/null
+++ b/SOURCES/flatpak-1.0.2-CVE-2019-5736.patch
@@ -0,0 +1,66 @@
+From 86d9d711bdaada5677166a99b96b769df2c5e7b6 Mon Sep 17 00:00:00 2001
+From: Alexander Larsson <alexl@redhat.com>
+Date: Sun, 10 Feb 2019 18:23:44 +0100
+Subject: [PATCH] Don't expose /proc when running apply_extra
+
+As shown by CVE-2019-5736, it is sometimes possible for the sandbox
+app to access outside files using /proc/self/exe. This is not
+typically an issue for flatpak as the sandbox runs as the user which
+has no permissions to e.g. modify the host files.
+
+However, when installing apps using extra-data into the system repo
+we *do* actually run a sandbox as root. So, in this case we disable mounting
+/proc in the sandbox, which will neuter attacks like this.
+---
+ common/flatpak-common-types-private.h | 1 +
+ common/flatpak-dir.c                  | 2 +-
+ common/flatpak-run.c                  | 6 +++++-
+ 3 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/common/flatpak-common-types-private.h b/common/flatpak-common-types-private.h
+index 8c40d2e8..1e94bd1c 100644
+--- a/common/flatpak-common-types-private.h
++++ b/common/flatpak-common-types-private.h
+@@ -44,6 +44,7 @@ typedef enum {
+   FLATPAK_RUN_FLAG_SANDBOX            = (1 << 14),
+   FLATPAK_RUN_FLAG_NO_DOCUMENTS_PORTAL = (1 << 15),
+   FLATPAK_RUN_FLAG_BLUETOOTH          = (1 << 16),
++  FLATPAK_RUN_FLAG_NO_PROC            = (1 << 19),
+ } FlatpakRunFlags;
+ 
+ typedef struct FlatpakDir          FlatpakDir;
+diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
+index eb69225d..be370d49 100644
+--- a/common/flatpak-dir.c
++++ b/common/flatpak-dir.c
+@@ -6509,7 +6509,7 @@ apply_extra_data (FlatpakDir   *self,
+                           NULL);
+ 
+   if (!flatpak_run_setup_base_argv (bwrap, runtime_files, NULL, runtime_ref_parts[2],
+-                                    FLATPAK_RUN_FLAG_NO_SESSION_HELPER,
++                                    FLATPAK_RUN_FLAG_NO_SESSION_HELPER | FLATPAK_RUN_FLAG_NO_PROC,
+                                     error))
+     return FALSE;
+ 
+diff --git a/common/flatpak-run.c b/common/flatpak-run.c
+index 6ab466af..b4f2c475 100644
+--- a/common/flatpak-run.c
++++ b/common/flatpak-run.c
+@@ -2347,9 +2347,13 @@ flatpak_run_setup_base_argv (FlatpakBwrap   *bwrap,
+     "# Disable user pkcs11 config, because the host modules don't work in the runtime\n"
+     "user-config: none\n";
+ 
++  if ((flags & FLATPAK_RUN_FLAG_NO_PROC) == 0)
++    flatpak_bwrap_add_args (bwrap,
++                            "--proc", "/proc",
++                            NULL);
++
+   flatpak_bwrap_add_args (bwrap,
+                           "--unshare-pid",
+-                          "--proc", "/proc",
+                           "--dir", "/tmp",
+                           "--dir", "/var/tmp",
+                           "--dir", "/run/host",
+-- 
+2.20.1
+
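Review bot: The new `FLATPAK_RUN_FLAG_NO_PROC = (1 << 19)` entry skips bits 17 and 18 without a comment, which in a backported header invites a later local patch to reuse those bits and collide with whatever the upstream enum holds there; presumably the gap exists because the upstream commit was written against a newer enum. A one-line comment at the entry, e.g. `/* bits 17-18 left unused to stay in sync with upstream FlatpakRunFlags */`, would make that explicit. The rationale is also absent at the use site in apply_extra_data, where the flag is now passed for every extra-data install regardless of whether the target is the system or user repo; a comment such as `/* This sandbox may run as root (system installs), so do not expose /proc and /proc/self/exe -- see CVE-2019-5736 */` ties the flag to the reason given in the commit message. The FlatpakRunFlags enum, apply_extra_data and flatpak_run_setup_base_argv all begin and end outside the hunk, so the surrounding uses of `flags` are not visible here.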
diff --git a/SPECS/flatpak.spec b/SPECS/flatpak.spec
index 7fec546..fd8c0cb 100644
--- a/SPECS/flatpak.spec
+++ b/SPECS/flatpak.spec
@@ -4,7 +4,7 @@
 
 Name:           flatpak
 Version:        %{flatpak_version}
-Release:        2%{?dist}
+Release:        4%{?dist}
 Summary:        Application deployment framework for desktop apps
 
 License:        LGPLv2+
@@ -19,6 +19,8 @@ Patch0:         no-user-systemd.patch
 # Make sure our resulting binaries always have the rpath set to the bundled
 # ostree directory
 Patch1:         flatpak-ostree-bundle.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1675433
+Patch2:         flatpak-1.0.2-CVE-2019-5736.patch
 
 BuildRequires:  pkgconfig(appstream-glib)
 BuildRequires:  pkgconfig(fuse)
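Review bot: The comment above Patch2 records only the Red Hat bug, while the upstream provenance (commit 86d9d711bdaada5677166a99b96b769df2c5e7b6) is visible only inside the patch file itself, so a reader of the spec cannot tell whether this is a verbatim backport or a locally adjusted one; the changelog entry "Tweak /proc sandbox patch" suggests it was edited. Extending the comment to `# CVE-2019-5736: backport of upstream 86d9d711, https://bugzilla.redhat.com/show_bug.cgi?id=1675433` would let the next maintainer compare against upstream when rebasing.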
@@ -129,6 +131,7 @@ This package contains libflatpak.
 %setup -q -a 1 -a 2
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
 
 
 %build
@@ -285,6 +288,12 @@ flatpak remote-list --system &> /dev/null || :
 
 
 %changelog
+* Fri Feb 15 2019 David King <dking@redhat.com> - 1.0.2-4
+- Tweak /proc sandbox patch (#1675433)
+
+* Wed Feb 13 2019 David King <dking@redhat.com> - 1.0.2-3
+- Do not mount /proc in root sandbox (#1675433)
+
 * Thu Sep 13 2018 Kalev Lember <klember@redhat.com> - 1.0.2-2
 - Update to 1.0.2 (#1570030)