diff --git a/SOURCES/flatpak-1.0.2-CVE-2019-10063.patch b/SOURCES/flatpak-1.0.2-CVE-2019-10063.patch
new file mode 100644
index 0000000..6a9d751
--- /dev/null
+++ b/SOURCES/flatpak-1.0.2-CVE-2019-10063.patch
@@ -0,0 +1,29 @@
+From 9686b3007afb15162cb2b5ca3219d906cc849a60 Mon Sep 17 00:00:00 2001
+From: Ryan Gonzalez <rymg19@gmail.com>
+Date: Mon, 25 Mar 2019 13:00:15 -0500
+Subject: [PATCH] run: Only compare the lowest 32 ioctl arg bits for TIOCSTI
+
+Closes #2782.
+
+Closes: #2783
+Approved by: alexlarsson
+---
+ common/flatpak-run.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/common/flatpak-run.c b/common/flatpak-run.c
+index b4f2c475..0e6b3141 100644
+--- a/common/flatpak-run.c
++++ b/common/flatpak-run.c
+@@ -2122,7 +2122,7 @@ setup_seccomp (FlatpakBwrap   *bwrap,
+     {SCMP_SYS (clone), &SCMP_A0 (SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)},
+ 
+     /* Don't allow faking input to the controlling tty (CVE-2017-5226) */
+-    {SCMP_SYS (ioctl), &SCMP_A1 (SCMP_CMP_EQ, (int) TIOCSTI)},
++    {SCMP_SYS (ioctl), &SCMP_A1 (SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int) TIOCSTI)},
+   };
+ 
+   struct
+-- 
+2.21.0
+
diff --git a/SPECS/flatpak.spec b/SPECS/flatpak.spec
index fd8c0cb..17550b4 100644
--- a/SPECS/flatpak.spec
+++ b/SPECS/flatpak.spec
@@ -4,7 +4,7 @@
 
 Name:           flatpak
 Version:        %{flatpak_version}
-Release:        4%{?dist}
+Release:        5%{?dist}
 Summary:        Application deployment framework for desktop apps
 
 License:        LGPLv2+
@@ -21,6 +21,8 @@ Patch0:         no-user-systemd.patch
 Patch1:         flatpak-ostree-bundle.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1675433
 Patch2:         flatpak-1.0.2-CVE-2019-5736.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1700651
+Patch3:         flatpak-1.0.2-CVE-2019-10063.patch
 
 BuildRequires:  pkgconfig(appstream-glib)
 BuildRequires:  pkgconfig(fuse)
@@ -132,6 +134,7 @@ This package contains libflatpak.
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
 
 
 %build
@@ -288,6 +291,9 @@ flatpak remote-list --system &> /dev/null || :
 
 
 %changelog
+* Mon Apr 29 2019 David King <dking@redhat.com> - 1.0.2-5
+- Fix IOCSTI sandbox bypass (#1700651)
+
 * Fri Feb 15 2019 David King <dking@redhat.com> - 1.0.2-4
 - Tweak /proc sandbox patch (#1675433)