diff --git a/SOURCES/perl-5.16.3-Perl_my_setenv-handle-integer-wrap.patch b/SOURCES/perl-5.16.3-Perl_my_setenv-handle-integer-wrap.patch
new file mode 100644
index 0000000..44ace06
--- /dev/null
+++ b/SOURCES/perl-5.16.3-Perl_my_setenv-handle-integer-wrap.patch
@@ -0,0 +1,175 @@
+From 17858779e42103ae815c8cf7c4d390207e485856 Mon Sep 17 00:00:00 2001
+From: Jitka Plesnikova <jplesnik@redhat.com>
+Date: Mon, 7 Jan 2019 13:38:36 +0100
+Subject: [PATCH] Perl_my_setenv(); handle integer wrap
+
+RT #133204
+
+Wean this function off int/I32 and onto UV/Size_t.
+Also, replace all malloc-ish calls with a wrapper that does
+overflow checks,
+
+In particular, it was doing (nlen + vlen + 2) which could wrap when
+the combined length of the environment variable name and value
+exceeded around 0x7fffffff.
+
+The wrapper check function is probably overkill, but belt and braces...
+
+NB this function has several variant parts, #ifdef'ed by platform
+type; I have blindly changed the parts that aren't compiled under linux.
+
+Backported David Mitchell's patch to 5.16.3
+---
+ util.c | 75 ++++++++++++++++++++++++++++++++++++++++------------------
+ 1 file changed, 52 insertions(+), 23 deletions(-)
+
+diff --git a/util.c b/util.c
+index c1dca62..1357ad5 100644
+--- a/util.c
++++ b/util.c
+@@ -2029,7 +2029,38 @@ Perl_new_warnings_bitfield(pTHX_ STRLEN *buffer, const char *const bits,
+    *(s+(nlen+1+vlen)) = '\0'
+ 
+ #ifdef USE_ENVIRON_ARRAY
+-       /* VMS' my_setenv() is in vms.c */
++
++/* small wrapper for use by Perl_my_setenv that mallocs, or reallocs if
++ * 'current' is non-null, with up to three sizes that are added together.
++ * It handles integer overflow.
++ */
++static char *
++S_env_alloc(void *current, Size_t l1, Size_t l2, Size_t l3, Size_t size)
++{
++    void *p;
++    Size_t sl, l = l1 + l2;
++
++    if (l < l2)
++        goto panic;
++    l += l3;
++    if (l < l3)
++        goto panic;
++    sl = l * size;
++    if (sl < l)
++        goto panic;
++
++    p = current
++            ? safesysrealloc(current, sl)
++            : safesysmalloc(sl);
++    if (p)
++        return (char*)p;
++
++  panic:
++    Perl_croak_nocontext("%s", PL_memory_wrap);
++}
++
++
++/* VMS' my_setenv() is in vms.c */
+ #if !defined(WIN32) && !defined(NETWARE)
+ void
+ Perl_my_setenv(pTHX_ const char *nam, const char *val)
+@@ -2043,28 +2074,27 @@ Perl_my_setenv(pTHX_ const char *nam, const char *val)
+ #ifndef PERL_USE_SAFE_PUTENV
+     if (!PL_use_safe_putenv) {
+     /* most putenv()s leak, so we manipulate environ directly */
+-    register I32 i;
+-    register const I32 len = strlen(nam);
+-    int nlen, vlen;
++    UV i;
++    Size_t vlen, nlen = strlen(nam);
+ 
+     /* where does it go? */
+     for (i = 0; environ[i]; i++) {
+-        if (strnEQ(environ[i],nam,len) && environ[i][len] == '=')
++        if (strnEQ(environ[i], nam, nlen) && environ[i][nlen] == '=')
+             break;
+     }
+ 
+     if (environ == PL_origenviron) {   /* need we copy environment? */
+-       I32 j;
+-       I32 max;
++       UV j, max;
+        char **tmpenv;
+ 
+        max = i;
+        while (environ[max])
+            max++;
+-       tmpenv = (char**)safesysmalloc((max+2) * sizeof(char*));
++       /* XXX shouldn't that be max+1 rather than max+2 ??? - DAPM */
++       tmpenv = (char**)S_env_alloc(NULL, max, 2, 0, sizeof(char*));
+        for (j=0; j<max; j++) {         /* copy environment */
+-           const int len = strlen(environ[j]);
+-           tmpenv[j] = (char*)safesysmalloc((len+1)*sizeof(char));
++           const Size_t len = strlen(environ[j]);
++           tmpenv[j] = S_env_alloc(NULL, len, 1, 0, 1);
+            Copy(environ[j], tmpenv[j], len+1, char);
+        }
+        tmpenv[max] = NULL;
+@@ -2079,15 +2109,15 @@ Perl_my_setenv(pTHX_ const char *nam, const char *val)
+        return;
+     }
+     if (!environ[i]) {                 /* does not exist yet */
+-       environ = (char**)safesysrealloc(environ, (i+2) * sizeof(char*));
++       environ = (char**)S_env_alloc(environ, i, 2, 0, sizeof(char*));
+        environ[i+1] = NULL;    /* make sure it's null terminated */
+     }
+     else
+        safesysfree(environ[i]);
+-       nlen = strlen(nam);
++
+        vlen = strlen(val);
+ 
+-       environ[i] = (char*)safesysmalloc((nlen+vlen+2) * sizeof(char));
++       environ[i] = S_env_alloc(NULL, nlen, vlen, 2, 1);
+        /* all that work just for this */
+        my_setenv_format(environ[i], nam, nlen, val, vlen);
+     } else {
+@@ -2107,22 +2137,21 @@ Perl_my_setenv(pTHX_ const char *nam, const char *val)
+         if (val == NULL) {
+             (void)unsetenv(nam);
+         } else {
+-	    const int nlen = strlen(nam);
+-	    const int vlen = strlen(val);
+-	    char * const new_env =
+-                (char*)safesysmalloc((nlen + vlen + 2) * sizeof(char));
++	    const Size_t nlen = strlen(nam);
++	    const Size_t vlen = strlen(val);
++	    char * const new_env = S_env_alloc(NULL, nlen, vlen, 2, 1);
+             my_setenv_format(new_env, nam, nlen, val, vlen);
+             (void)putenv(new_env);
+         }
+ #       else /* ! HAS_UNSETENV */
+         char *new_env;
+-	const int nlen = strlen(nam);
+-	int vlen;
++	const Size_t nlen = strlen(nam);
++	Size_t vlen;
+         if (!val) {
+ 	   val = "";
+         }
+         vlen = strlen(val);
+-        new_env = (char*)safesysmalloc((nlen + vlen + 2) * sizeof(char));
++        new_env = S_env_alloc(NULL, nlen, vlen, 2, 1);
+         /* all that work just for this */
+         my_setenv_format(new_env, nam, nlen, val, vlen);
+         (void)putenv(new_env);
+@@ -2141,14 +2170,14 @@ Perl_my_setenv(pTHX_ const char *nam, const char *val)
+ {
+     dVAR;
+     register char *envstr;
+-    const int nlen = strlen(nam);
+-    int vlen;
++    const Size_t nlen = strlen(nam);
++    Size_t vlen;
+ 
+     if (!val) {
+        val = "";
+     }
+     vlen = strlen(val);
+-    Newx(envstr, nlen+vlen+2, char);
++    envstr = S_env_alloc(NULL, nlen, vlen, 2, 1);
+     my_setenv_format(envstr, nam, nlen, val, vlen);
+     (void)PerlEnv_putenv(envstr);
+     Safefree(envstr);
+-- 
+2.17.2
+
diff --git a/SPECS/perl.spec b/SPECS/perl.spec
index c7534d0..ea94be5 100644
--- a/SPECS/perl.spec
+++ b/SPECS/perl.spec
@@ -31,7 +31,7 @@
 Name:           perl
 Version:        %{perl_version}
 # release number must be even higher, because dual-lived modules will be broken otherwise
-Release:        293%{?dist}
+Release:        294%{?dist}
 Epoch:          %{perl_epoch}
 Summary:        Practical Extraction and Report Language
 Group:          Development/Languages
@@ -175,6 +175,10 @@ Patch41:        perl-5.16.3-use-SNI-for-SSL-support-in-SMTP.patch
 # fixed in Math-BigInt-1.999718
 Patch42:        perl-5.16.3-Fix-Math-BigInt-overload-warning.patch
 
+# Fix an integer wrap when allocating memory for an environment variable,
+# RT#133204, in upstream after 5.29.0 - CVE-2018-18311
+Patch43:        perl-5.16.3-Perl_my_setenv-handle-integer-wrap.patch
+
 # Update some of the bundled modules
 # see http://fedoraproject.org/wiki/Perl/perl.spec for instructions
 
@@ -1976,6 +1980,7 @@ tarball from perl.org.
 %patch40 -p1
 %patch41 -p1
 %patch42 -p1
+%patch43 -p1
 
 %if !%{defined perl_bootstrap}
 # Local patch tracking
@@ -2020,6 +2025,7 @@ perl -x patchlevel.h \
     'RHEL Patch40: Add SSL support to Net::SMTP (CPAN RT#93823) [3]' \
     'RHEL Patch41: Add SSL support to Net::SMTP (CPAN RT#93823) [4]' \
     'RHEL Patch42: Do not overload ".." in Math::BigInt (CPAN RT#80182)' \
+    'RHEL Patch43: Fix CVE-2018-18311 Integer overflow leading to buffer overflow' \
     %{nil}
 %endif
 
@@ -3702,6 +3708,9 @@ sed \
 
 # Old changelog entries are preserved in CVS.
 %changelog
+* Mon Jan 07 2019 Jitka Plesnikova <jplesnik@redhat.com> - 4:5.16.3-294
+- Fix CVE-2018-18311 Integer overflow leading to buffer overflow (bug #1661064)
+
 * Wed Mar 21 2018 Petr Pisar <ppisar@redhat.com> - 4:5.16.3-293
 - Add SSL support to Net::SMTP (bug #1557574)
 - Do not overload ".." in Math::BigInt (bug #1497734)