diff --git a/SOURCES/fribidi-CVE-2019-18397.patch b/SOURCES/fribidi-CVE-2019-18397.patch
new file mode 100644
index 0000000..a734a87
--- /dev/null
+++ b/SOURCES/fribidi-CVE-2019-18397.patch
@@ -0,0 +1,27 @@
+From 034c6e9a1d296286305f4cfd1e0072b879f52568 Mon Sep 17 00:00:00 2001
+From: Dov Grobgeld <dov.grobgeld@gmail.com>
+Date: Thu, 24 Oct 2019 09:37:29 +0300
+Subject: [PATCH] Truncate isolate_level to FRIBIDI_BIDI_MAX_EXPLICIT_LEVEL
+
+---
+ lib/fribidi-bidi.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/lib/fribidi-bidi.c b/lib/fribidi-bidi.c
+index 6c84392..d384878 100644
+--- a/lib/fribidi-bidi.c
++++ b/lib/fribidi-bidi.c
+@@ -747,7 +747,9 @@ fribidi_get_par_embedding_levels_ex (
+             }
+ 
+ 	  RL_LEVEL (pp) = level;
+-          RL_ISOLATE_LEVEL (pp) = isolate_level++;
++          RL_ISOLATE_LEVEL (pp) = isolate_level;
++          if (isolate_level < FRIBIDI_BIDI_MAX_EXPLICIT_LEVEL-1)
++              isolate_level++;
+           base_level_per_iso_level[isolate_level] = new_level;
+ 
+ 	  if (!FRIBIDI_IS_NEUTRAL (override))
+-- 
+2.23.0
+
diff --git a/SPECS/fribidi.spec b/SPECS/fribidi.spec
index f791acf..2774f8b 100644
--- a/SPECS/fribidi.spec
+++ b/SPECS/fribidi.spec
@@ -1,13 +1,14 @@
 Summary: Library implementing the Unicode Bidirectional Algorithm
 Name: fribidi
 Version: 1.0.4
-Release: 6%{?dist}
+Release: 8%{?dist}
 URL: https://github.com/fribidi/fribidi/
 Source: https://github.com//%{name}/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.bz2
 License: LGPLv2+ and UCD
 BuildRequires: gcc
 BuildRequires: automake autoconf libtool
 Patch0: %{name}-drop-bundled-gnulib.patch
+Patch1: %{name}-CVE-2019-18397.patch
 
 %description
 A library to handle bidirectional scripts (for example Hebrew, Arabic),
@@ -64,6 +65,15 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
 %{_mandir}/man3/*.gz
 
 %changelog
+* Tue Dec 17 2019 Tomas Pelka <tpelka@redhat.com> - 1.0.4-8
+- bump version and rebuild to avoid version conflict with 8.1.0.z
+  Resolves: rhbz#1781227
+
+
+* Fri Dec 13 2019 Akira TAGOH <tagoh@redhat.com> - 1.0.4-7
+- Security fix for CVE-2019-18397
+  Resolves: rhbz#1781227
+
 * Thu Jul 26 2018 Akira TAGOH <tagoh@redhat.com> - 1.0.4-6
 - Drop bundled gnulib code.
 
@@ -201,7 +211,7 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
 - put devel .so symlink in the right subpackage
 
 * Tue May 23 2006 Caolan McNamara <caolanm@redhat.com> 0.10.7-3
-- rh#192669# clearly I didn't actually get around to basing fribidi-config 
+- rh#192669# clearly I didn't actually get around to basing fribidi-config
   of pkg-config output
 
 * Tue May 02 2006 Caolan McNamara <caolanm@redhat.com> 0.10.7-2