diff --git a/SOURCES/gnupg-2.0.22-cve-2018-12020.patch b/SOURCES/gnupg-2.0.22-cve-2018-12020.patch
new file mode 100644
index 0000000..7ea32a2
--- /dev/null
+++ b/SOURCES/gnupg-2.0.22-cve-2018-12020.patch
@@ -0,0 +1,16 @@
+diff -up gnupg-2.0.22/g10/mainproc.c.sanitize-filename gnupg-2.0.22/g10/mainproc.c
+--- gnupg-2.0.22/g10/mainproc.c.sanitize-filename	2016-03-24 12:57:29.280170800 +0100
++++ gnupg-2.0.22/g10/mainproc.c	2018-06-21 13:42:53.448177540 +0200
+@@ -631,7 +631,11 @@ proc_plaintext( CTX c, PACKET *pkt )
+     if( pt->namelen == 8 && !memcmp( pt->name, "_CONSOLE", 8 ) )
+ 	log_info(_("NOTE: sender requested \"for-your-eyes-only\"\n"));
+     else if( opt.verbose )
+-	log_info(_("original file name='%.*s'\n"), pt->namelen, pt->name);
++      {
++	char *tmp = make_printable_string (pt->name, pt->namelen, 0);
++	log_info (_("original file name='%.*s'\n"), (int)strlen (tmp), tmp);
++	xfree (tmp);
++      }
+     free_md_filter_context( &c->mfx );
+     if (gcry_md_open (&c->mfx.md, 0, 0))
+       BUG ();
diff --git a/SPECS/gnupg2.spec b/SPECS/gnupg2.spec
index 8f2c857..38cdc42 100644
--- a/SPECS/gnupg2.spec
+++ b/SPECS/gnupg2.spec
@@ -1,7 +1,7 @@
 Summary: Utility for secure communication and data storage
 Name:    gnupg2
 Version: 2.0.22
-Release: 4%{?dist}
+Release: 5%{?dist}
 
 License: GPLv3+
 Group:   Applications/System
@@ -15,6 +15,7 @@ Patch4:  gnupg-2.0.18-protect-tool-env.patch
 Patch5:  gnupg-2.0.20-ocsp-keyusage.patch
 Patch6:  gnupg-2.0.22-fips-algo.patch
 Patch7:  gnupg-2.0.22-rsa-es.patch
+Patch8:  gnupg-2.0.22-cve-2018-12020.patch
 
 URL:     http://www.gnupg.org/
 
@@ -80,6 +81,7 @@ to the base GnuPG package
 %patch5 -p1 -b .keyusage
 %patch6 -p1 -b .fips
 %patch7 -p1 -b .rsa-es
+%patch8 -p1 -b .sanitize-filename
 
 # pcsc-lite library major: 0 in 1.2.0, 1 in 1.2.9+ (dlopen()'d in pcsc-wrapper)
 # Note: this is just the name of the default shared lib to load in scdaemon,
@@ -195,6 +197,9 @@ fi
 
 
 %changelog
+* Thu Jun 21 2018 Tomáš Mráz <tmraz@redhat.com> - 2.0.22-5
+- fix CVE-2018-12020 - missing sanitization of original filename
+
 * Thu Mar 24 2016 Tomáš Mráz <tmraz@redhat.com> - 2.0.22-4
 - allow import of RSA-E and RSA-S keys (patch by Marcel Kolaja) (#1233182)
 - do not abort when missing hash algorithm in FIPS mode (#1078962)