diff --git a/SOURCES/polkit-0.112-PolkitAgentSession-race.patch b/SOURCES/polkit-0.112-PolkitAgentSession-race.patch
new file mode 100644
index 0000000..d6e16b2
--- /dev/null
+++ b/SOURCES/polkit-0.112-PolkitAgentSession-race.patch
@@ -0,0 +1,120 @@
+From 7650ad1e08ab13bdb461783c4995d186d9392840 Mon Sep 17 00:00:00 2001
+From: Rui Matos <tiagomatos@gmail.com>
+Date: Thu, 6 Feb 2014 18:41:18 +0100
+Subject: [PATCH] PolkitAgentSession: fix race between child and io watches
+
+The helper flushes and fdatasyncs stdout and stderr before terminating
+but this doesn't guarantee that our io watch is called before our
+child watch. This means that we can end up with a successful return
+from the helper which we still report as a failure.
+
+If we add G_IO_HUP and G_IO_ERR to the conditions we look for in the
+io watch and the child terminates we still run the io watch handler
+which will complete the session.
+
+This means that the child watch is in fact needless and we can remove
+it.
+
+https://bugs.freedesktop.org/show_bug.cgi?id=60847
+---
+ src/polkitagent/polkitagentsession.c | 47 +++++++++---------------------------
+ 1 file changed, 11 insertions(+), 36 deletions(-)
+
+diff --git a/src/polkitagent/polkitagentsession.c b/src/polkitagent/polkitagentsession.c
+index 1c7a2dc..f014773 100644
+--- a/src/polkitagent/polkitagentsession.c
++++ b/src/polkitagent/polkitagentsession.c
+@@ -92,7 +92,6 @@ struct _PolkitAgentSession
+   int child_stdout;
+   GPid child_pid;
+ 
+-  GSource *child_watch_source;
+   GSource *child_stdout_watch_source;
+   GIOChannel *child_stdout_channel;
+ 
+@@ -377,13 +376,6 @@ kill_helper (PolkitAgentSession *session)
+       session->child_pid = 0;
+     }
+ 
+-  if (session->child_watch_source != NULL)
+-    {
+-      g_source_destroy (session->child_watch_source);
+-      g_source_unref (session->child_watch_source);
+-      session->child_watch_source = NULL;
+-    }
+-
+   if (session->child_stdout_watch_source != NULL)
+     {
+       g_source_destroy (session->child_stdout_watch_source);
+@@ -429,26 +421,6 @@ complete_session (PolkitAgentSession *session,
+     }
+ }
+ 
+-static void
+-child_watch_func (GPid     pid,
+-                  gint     status,
+-                  gpointer user_data)
+-{
+-  PolkitAgentSession *session = POLKIT_AGENT_SESSION (user_data);
+-
+-  if (G_UNLIKELY (_show_debug ()))
+-    {
+-      g_print ("PolkitAgentSession: in child_watch_func for pid %d (WIFEXITED=%d WEXITSTATUS=%d)\n",
+-               (gint) pid,
+-               WIFEXITED(status),
+-               WEXITSTATUS(status));
+-    }
+-
+-  /* kill all the watches we have set up, except for the child since it has exited already */
+-  session->child_pid = 0;
+-  complete_session (session, FALSE);
+-}
+-
+ static gboolean
+ io_watch_have_data (GIOChannel    *channel,
+                     GIOCondition   condition,
+@@ -475,10 +447,13 @@ io_watch_have_data (GIOChannel    *channel,
+                           NULL,
+                           NULL,
+                           &error);
+-  if (error != NULL)
++  if (error != NULL || line == NULL)
+     {
+-      g_warning ("Error reading line from helper: %s", error->message);
+-      g_error_free (error);
++      /* In case we get just G_IO_HUP, line is NULL but error is
++         unset.*/
++      g_warning ("Error reading line from helper: %s",
++                 error ? error->message : "nothing to read");
++      g_clear_error (&error);
+ 
+       complete_session (session, FALSE);
+       goto out;
+@@ -540,6 +515,9 @@ io_watch_have_data (GIOChannel    *channel,
+   g_free (line);
+   g_free (unescaped);
+ 
++  if (condition & (G_IO_ERR | G_IO_HUP))
++    complete_session (session, FALSE);
++
+   /* keep the IOChannel around */
+   return TRUE;
+ }
+@@ -650,12 +628,9 @@ polkit_agent_session_initiate (PolkitAgentSession *session)
+   if (G_UNLIKELY (_show_debug ()))
+     g_print ("PolkitAgentSession: spawned helper with pid %d\n", (gint) session->child_pid);
+ 
+-  session->child_watch_source = g_child_watch_source_new (session->child_pid);
+-  g_source_set_callback (session->child_watch_source, (GSourceFunc) child_watch_func, session, NULL);
+-  g_source_attach (session->child_watch_source, g_main_context_get_thread_default ());
+-
+   session->child_stdout_channel = g_io_channel_unix_new (session->child_stdout);
+-  session->child_stdout_watch_source = g_io_create_watch (session->child_stdout_channel, G_IO_IN);
++  session->child_stdout_watch_source = g_io_create_watch (session->child_stdout_channel,
++                                                          G_IO_IN | G_IO_ERR | G_IO_HUP);
+   g_source_set_callback (session->child_stdout_watch_source, (GSourceFunc) io_watch_have_data, session, NULL);
+   g_source_attach (session->child_stdout_watch_source, g_main_context_get_thread_default ());
+ 
+-- 
+1.8.3.1
+
diff --git a/SOURCES/polkit-0.112-XDG_RUNTIME_DIR.patch b/SOURCES/polkit-0.112-XDG_RUNTIME_DIR.patch
new file mode 100644
index 0000000..f8c2e77
--- /dev/null
+++ b/SOURCES/polkit-0.112-XDG_RUNTIME_DIR.patch
@@ -0,0 +1,78 @@
+From 8635ffc16aeff6a07d675f861fe0dea03ea81d7e Mon Sep 17 00:00:00 2001
+From: Colin Walters <walters@verbum.org>
+Date: Thu, 21 Nov 2013 17:39:37 -0500
+Subject: [PATCH] pkexec: Work around systemd injecting broken XDG_RUNTIME_DIR
+
+This workaround isn't too much code, and it's often better to fix bugs
+in two places anyways.
+
+For more information:
+
+See https://bugzilla.redhat.com/show_bug.cgi?id=753882
+See http://lists.freedesktop.org/archives/systemd-devel/2013-November/014370.html
+---
+ src/programs/pkexec.c | 33 ++++++++++++++++++++++++++++++---
+ 1 file changed, 30 insertions(+), 3 deletions(-)
+
+diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c
+index 005e1fe..a7ca8e0 100644
+--- a/src/programs/pkexec.c
++++ b/src/programs/pkexec.c
+@@ -143,8 +143,22 @@ pam_conversation_function (int n,
+   return PAM_CONV_ERR;
+ }
+ 
++/* A work around for:
++ * https://bugzilla.redhat.com/show_bug.cgi?id=753882
++ */
++static gboolean
++xdg_runtime_dir_is_owned_by (const char *path,
++			     uid_t       target_uid)
++{
++  struct stat stbuf;
++
++  return stat (path, &stbuf) == 0 &&
++    stbuf.st_uid == target_uid;
++}
++
+ static gboolean
+-open_session (const gchar *user_to_auth)
++open_session (const gchar *user_to_auth,
++	      uid_t        target_uid)
+ {
+   gboolean ret;
+   gint rc;
+@@ -186,7 +200,19 @@ open_session (const gchar *user_to_auth)
+     {
+       guint n;
+       for (n = 0; envlist[n]; n++)
+-        putenv (envlist[n]);
++	{
++	  const char *envitem = envlist[n];
++	  
++	  if (g_str_has_prefix (envitem, "XDG_RUNTIME_DIR="))
++	    {
++	      const char *eq = strchr (envitem, '=');
++	      g_assert (eq);
++	      if (!xdg_runtime_dir_is_owned_by (eq + 1, target_uid))
++		continue;
++	    }
++
++	  putenv (envlist[n]);
++	}
+       free (envlist);
+     }
+ 
+@@ -913,7 +939,8 @@ main (int argc, char *argv[])
+    * As evident above, neither su(1) (and, for that matter, nor sudo(8)) does this.
+    */
+ #ifdef POLKIT_AUTHFW_PAM
+-  if (!open_session (pw->pw_name))
++  if (!open_session (pw->pw_name,
++		     pw->pw_uid))
+     {
+       goto out;
+     }
+-- 
+1.8.3.1
+
diff --git a/SPECS/polkit.spec b/SPECS/polkit.spec
index 535c6e9..7661b26 100644
--- a/SPECS/polkit.spec
+++ b/SPECS/polkit.spec
@@ -6,11 +6,15 @@
 Summary: An authorization framework
 Name: polkit
 Version: 0.112
-Release: 1%{?dist}
+Release: 5%{?dist}
 License: LGPLv2+
 URL: http://www.freedesktop.org/wiki/Software/polkit
 Source0: http://www.freedesktop.org/software/polkit/releases/%{name}-%{version}.tar.gz
 Source1: http://www.freedesktop.org/software/polkit/releases/%{name}-%{version}.tar.gz.sign
+# https://bugs.freedesktop.org/show_bug.cgi?id=71894
+Patch0: polkit-0.112-XDG_RUNTIME_DIR.patch
+# https://bugs.freedesktop.org/show_bug.cgi?id=60847
+Patch1: polkit-0.112-PolkitAgentSession-race.patch
 Group: System Environment/Libraries
 BuildRequires: glib2-devel >= 2.30.0
 BuildRequires: expat-devel
@@ -77,6 +81,8 @@ Development documentation for polkit.
 
 %prep
 %setup -q
+%patch0 -p1 -b .XDG_RUNTIME_DIR
+%patch1 -p1 -b .PolkitAgentSession-race
 
 %build
 %if 0%{?enable_autoreconf}
@@ -90,7 +96,7 @@ export LDFLAGS='-pie -Wl,-z,now -Wl,-z,relro'
         --disable-static \
         --enable-introspection \
         --disable-examples \
-        --enable-libsystemd-login=yes
+        --enable-libsystemd-login=yes --with-mozjs=mozjs-17.0
 make V=1
 
 %install
@@ -163,6 +169,21 @@ exit 0
 %{_datadir}/gtk-doc
 
 %changelog
+* Mon Feb 10 2014 Miloslav Trmač <mitr@redhat.com> - 0.112-5
+- Fix a PolkitAgentSession race condition
+  Resolves: #1063193
+
+* Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 0.112-4
+- Mass rebuild 2014-01-24
+
+* Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 0.112-3
+- Mass rebuild 2013-12-27
+
+* Sat Dec  7 2013 Miloslav Trmač <mitr@redhat.com> - 0.112-2
+- Workaround pam_systemd setting broken XDG_RUNTIME_DIR
+  Resolves: #1033774
+- Always use mozjs-17.0 even if js-devel is installed
+
 * Wed Sep 18 2013 Miloslav Trmač <mitr@redhat.com> - 0.112-1
 - Update to polkit-0.112
 - Resolves: #1005135, CVE-2013-4288