diff --git a/SOURCES/ghostscript-cve-2019-10216.patch b/SOURCES/ghostscript-cve-2019-10216.patch
new file mode 100644
index 0000000..83fc1f9
--- /dev/null
+++ b/SOURCES/ghostscript-cve-2019-10216.patch
@@ -0,0 +1,43 @@
+From 5b85ddd19a8420a1bd2d5529325be35d78e94234 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Fri, 2 Aug 2019 15:18:26 +0100
+Subject: Bug 701394: protect use of .forceput with executeonly
+
+
+diff --git a/Resource/Init/gs_type1.ps b/Resource/Init/gs_type1.ps
+index 6c7735bc0c..a039ccee35 100644
+--- a/Resource/Init/gs_type1.ps
++++ b/Resource/Init/gs_type1.ps
+@@ -118,25 +118,25 @@
+                          ( to be the same as glyph: ) print 1 index //== exec } if
+                    3 index exch 3 index .forceput
+                                                                  % scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname
+-                 }
++                 }executeonly
+                  {pop} ifelse
+-               } forall
++               } executeonly forall
+                pop pop
+-             }
++             } executeonly
+              {
+                pop pop pop
+              } ifelse
+-           }
++           } executeonly
+            {
+                                                                % scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname
+              pop pop
+            } ifelse
+-         } forall
++         } executeonly forall
+          3 1 roll pop pop
+-     } if
++     } executeonly if
+      pop
+      dup /.AGLprocessed~GS //true .forceput
+-   } if
++   } executeonly if
+ 
+    %% We need to excute the C .buildfont1 in a stopped context so that, if there
+    %% are errors we can put the stack back sanely and exit. Otherwise callers won't
diff --git a/SPECS/ghostscript.spec b/SPECS/ghostscript.spec
index b1550e0..8afcf31 100644
--- a/SPECS/ghostscript.spec
+++ b/SPECS/ghostscript.spec
@@ -34,7 +34,7 @@
 Name:             ghostscript
 Summary:          Interpreter for PostScript language & PDF
 Version:          9.25
-Release:          2%{?dist}
+Release:          2%{?dist}.1
 
 License:          AGPLv3+
 
@@ -103,6 +103,7 @@ Patch011: ghostscript-cve-2019-3835.patch
 Patch012: ghostscript-cve-2019-3838.patch
 Patch013: ghostscript-fix-DSC-comment-parsing.patch
 Patch014: ghostscript-pdf2dsc-regression.patch
+Patch015: ghostscript-cve-2019-10216.patch
 
 # Downstream patches -- these should be always included when doing rebase:
 # ------------------
@@ -426,6 +427,9 @@ install -m 0755 -d %{buildroot}%{_sysconfdir}/%{name}/
 # =============================================================================
 
 %changelog
+* Mon Aug 05 2019 Martin Osvald <mosvald@redhat.com> - 9.25-2.1
+- Resolves: #1737338 - CVE-2019-10216 ghostscript: -dSAFER escape via .buildfont1 (701394)
+
 * Tue Apr 02 2019 Martin Osvald <mosvald@redhat.com> - 9.25-2
 - obsoleted old ghostscript-devel to allow clean upgrade to libgs-devel