diff --git a/SOURCES/git-cve-2019-1387.patch b/SOURCES/git-cve-2019-1387.patch
new file mode 100644
index 0000000..20a5bfe
--- /dev/null
+++ b/SOURCES/git-cve-2019-1387.patch
@@ -0,0 +1,166 @@
+diff --git a/builtin/submodule--helper.c b/builtin/submodule--helper.c
+index cc79d059f2..29adde60bd 100644
+--- a/builtin/submodule--helper.c
++++ b/builtin/submodule--helper.c
+@@ -25,11 +25,32 @@ static int check_name(int argc, const char **argv, const char *prefix)
+ return 0;
+ }
+
++/*
++ * Exit non-zero if the proposed submodule repository path is inside
++ * another submodules' git dir.
++ */
++static int validate_git_dir(int argc, const char **argv, const char *prefix)
++{
++ char *sm_gitdir;
++
++ if (argc != 3)
++ usage("git submodule--helper validate-git-dir <path> <name>");
++ sm_gitdir = xstrdup(argv[1]);
++ if (validate_submodule_git_dir(sm_gitdir, argv[2]) < 0) {
++ free(sm_gitdir);
++ return 1;
++ }
++ free(sm_gitdir);
++ return 0;
++}
++
+ int cmd_submodule__helper(int argc, const char **argv, const char *prefix)
+ {
+ if (argc < 2)
+ usage("git submodule--helper <command>");
+ if (!strcmp(argv[1], "check-name"))
+ return check_name(argc - 1, argv + 1, prefix);
++ if (!strcmp(argv[1], "validate-git-dir"))
++ return validate_git_dir(argc - 1, argv + 1, prefix);
+ die(_("'%s' is not a valid submodule--helper subcommand"), argv[1]);
+ }
+diff -ruNp a/git-submodule.sh b/git-submodule.sh
+--- a/git-submodule.sh 2020-01-09 20:01:48.885647299 +0100
++++ b/git-submodule.sh 2020-01-10 08:42:05.107514269 +0100
+@@ -253,6 +253,11 @@ module_clone()
+ gitdir_base="$gitdir/modules/$base_name"
+ gitdir="$gitdir/modules/$name"
+
++ if ! git submodule--helper validate-git-dir "$gitdir" "$name"
++ then
++ die "$(eval_gettextln "refusing to create/use '\$gitdir' in another submodule's git dir")"
++ fi
++
+ if test -d "$gitdir"
+ then
+ mkdir -p "$sm_path"
+
+diff --git a/git-submodule.sh b/git-submodule.sh
+index ca16579c3c..bf5ffdb1f6 100755
+--- a/git-submodule.sh
++++ b/git-submodule.sh
+@@ -419,6 +419,11 @@ Use -f if you really want to add it." >&2
+ fi
+
+ else
++ sm_gitdir=".git/modules/$sm_name"
++ if ! git submodule--helper validate-git-dir "$sm_gitdir" "$sm_name"
++ then
++ die "$(eval_gettextln "refusing to create/use '\$sm_gitdir' in another submodule's git dir")"
++ fi
+ if test -d ".git/modules/$sm_name"
+ then
+ if test -z "$force"
+diff --git a/submodule.c b/submodule.c
+index 6337cab091..9927f56a33 100644
+--- a/submodule.c
++++ b/submodule.c
+@@ -1034,3 +1034,43 @@ int merge_submodule(unsigned char result[20], const char *path,
+ free(merges.objects);
+ return 0;
+ }
++int validate_submodule_git_dir(char *git_dir, const char *submodule_name)
++{
++ size_t len = strlen(git_dir), suffix_len = strlen(submodule_name);
++ char *p;
++ int ret = 0;
++
++ if (len <= suffix_len || (p = git_dir + len - suffix_len)[-1] != '/' ||
++ strcmp(p, submodule_name))
++ die("BUG: submodule name '%s' not a suffix of git dir '%s'",
++ submodule_name, git_dir);
++
++ /*
++ * We prevent the contents of sibling submodules' git directories to
++ * clash.
++ *
++ * Example: having a submodule named `hippo` and another one named
++ * `hippo/hooks` would result in the git directories
++ * `.git/modules/hippo/` and `.git/modules/hippo/hooks/`, respectively,
++ * but the latter directory is already designated to contain the hooks
++ * of the former.
++ */
++ for (; *p; p++) {
++ if (is_dir_sep(*p)) {
++ char c = *p;
++
++ *p = '\0';
++ if (is_git_directory(git_dir))
++ ret = -1;
++ *p = c;
++
++ if (ret < 0)
++ return error(_("submodule git dir '%s' is "
++ "inside git dir '%.*s'"),
++ git_dir,
++ (int)(p - git_dir), git_dir);
++ }
++ }
++
++ return 0;
++}
+diff --git a/submodule.h b/submodule.h
+index 59dbdfbd17..9c99457a3f 100644
+--- a/submodule.h
++++ b/submodule.h
+@@ -37,6 +37,11 @@ int find_unpushed_submodules(unsigned char new_sha1[20], const char *remotes_nam
+ struct string_list *needs_pushing);
+ int push_unpushed_submodules(unsigned char new_sha1[20], const char *remotes_name);
+
++/*
++ * Make sure that no submodule's git dir is nested in a sibling submodule's.
++ */
++int validate_submodule_git_dir(char *git_dir, const char *submodule_name);
++
+ /*
+ * Returns 0 if the name is syntactically acceptable as a submodule "name"
+ * (e.g., that may be found in the subsection of a .gitmodules file) and -1
+diff --git a/t/t7415-submodule-names.sh b/t/t7415-submodule-names.sh
+index 6456d5ae43..29393de617 100755
+--- a/t/t7415-submodule-names.sh
++++ b/t/t7415-submodule-names.sh
+@@ -151,4 +151,27 @@ test_expect_success 'fsck detects symlinked .gitmodules file' '
+ )
+ '
+
++test_expect_success 'git dirs of sibling submodules must not be nested' '
++ git init nested &&
++ (
++ cd nested &&
++ test_commit nested &&
++ cat >.gitmodules <<-EOF &&
++ [submodule "hippo"]
++ url = .
++ path = thing1
++ [submodule "hippo/hooks"]
++ url = .
++ path = thing2
++ EOF
++ git clone . thing1 &&
++ git clone . thing2 &&
++ git add .gitmodules thing1 thing2 &&
++ test_tick &&
++ git commit -m nested
++ ) &&
++ test_must_fail git clone --recurse-submodules nested clone 2>err &&
++ test_i18ngrep "is inside git dir" err
++'
++
+ test_done
+
diff --git a/SPECS/git.spec b/SPECS/git.spec
index 426e3e7..3693555 100644
--- a/SPECS/git.spec
+++ b/SPECS/git.spec
@@ -25,7 +25,7 @@
Name: git
Version: 1.8.3.1
-Release: 20%{?dist}
+Release: 21%{?dist}
Summary: Fast Version Control System
License: GPLv2
Group: Development/Tools
@@ -67,6 +67,8 @@ Patch19: git-cve-2018-11235.patch
Patch20: 0001-Switch-git-instaweb-default-to-apache.patch
Patch21: git-cve-2018-17456.patch
Patch22: git-cve-2018-17456-tests.patch
+# https://repo.or.cz/git/debian.git/commit/392f99a5d2174e6124f829d034bac6755c33119d
+Patch23: git-cve-2019-1387.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -321,6 +323,7 @@ Requires: gnome-keyring
%patch20 -p1
%patch21 -p1
%patch22 -p1
+%patch23 -p1
chmod a+x t/t0011-hashmap.sh t/t1307-config-blob.sh t/t4139-apply-escape.sh t/t7415-submodule-names.sh t/t7416-submodule-dash-url.sh t/t7417-submodule-path-url.sh