diff --git a/SOURCES/kvm-slirp-check-sscanf-result-when-emulating-ident.patch b/SOURCES/kvm-slirp-check-sscanf-result-when-emulating-ident.patch
new file mode 100644
index 0000000..e4347b0
--- /dev/null
+++ b/SOURCES/kvm-slirp-check-sscanf-result-when-emulating-ident.patch
@@ -0,0 +1,62 @@
+From 5cba04974b46608f462b7ce711c8eb0966f5d101 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
+Date: Mon, 20 May 2019 17:00:52 +0200
+Subject: [PATCH 1/4] slirp: check sscanf result when emulating ident
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-id: <20190520170055.15404-2-marcandre.lureau@redhat.com>
+Patchwork-id: 88098
+O-Subject: [RHEL-7.6.z qemu-kvm PATCH 1/4] slirp: check sscanf result when emulating ident
+Bugzilla: 1669067
+RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Thomas Huth <thuth@redhat.com>
+
+From: William Bowling <will@wbowling.info>
+
+When emulating ident in tcp_emu, if the strchr checks passed but the
+sscanf check failed, two uninitialized variables would be copied and
+sent in the reply, so move this code inside the if(sscanf()) clause.
+
+Signed-off-by: William Bowling <will@wbowling.info>
+Cc: qemu-stable@nongnu.org
+Cc: secalert@redhat.com
+Message-Id: <1551476756-25749-1-git-send-email-will@wbowling.info>
+Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+
+(cherry picked from commit d3222975c7d6cda9e25809dea05241188457b113)
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ slirp/tcp_subr.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c
+index 043f28f..0b7138b 100644
+--- a/slirp/tcp_subr.c
++++ b/slirp/tcp_subr.c
+@@ -605,12 +605,12 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ 							break;
+ 						}
+ 					}
++					so_rcv->sb_cc = snprintf(so_rcv->sb_data,
++								 so_rcv->sb_datalen,
++								 "%d,%d\r\n", n1, n2);
++					so_rcv->sb_rptr = so_rcv->sb_data;
++					so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc;
+ 				}
+-                                so_rcv->sb_cc = snprintf(so_rcv->sb_data,
+-                                                         so_rcv->sb_datalen,
+-                                                         "%d,%d\r\n", n1, n2);
+-				so_rcv->sb_rptr = so_rcv->sb_data;
+-				so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc;
+ 			}
+ 			m_free(m);
+ 			return 0;
+-- 
+1.8.3.1
+
diff --git a/SOURCES/kvm-slirp-don-t-manipulate-so_rcv-in-tcp_emu.patch b/SOURCES/kvm-slirp-don-t-manipulate-so_rcv-in-tcp_emu.patch
new file mode 100644
index 0000000..8ab4afc
--- /dev/null
+++ b/SOURCES/kvm-slirp-don-t-manipulate-so_rcv-in-tcp_emu.patch
@@ -0,0 +1,127 @@
+From dae1fad6e93e6bdff0d5366fdb269904cd00c83c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
+Date: Mon, 20 May 2019 17:00:55 +0200
+Subject: [PATCH 4/4] slirp: don't manipulate so_rcv in tcp_emu()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-id: <20190520170055.15404-5-marcandre.lureau@redhat.com>
+Patchwork-id: 88097
+O-Subject: [RHEL-7.6.z qemu-kvm PATCH 4/4] slirp: don't manipulate so_rcv in tcp_emu()
+Bugzilla: 1669067
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+RH-Acked-by: Thomas Huth <thuth@redhat.com>
+
+For some reason, EMU_IDENT is not like other "emulated" protocols and
+tries to reconstitute the original buffer, if it came in multiple
+packets. Unfortunately, it does so wrongly, as it doesn't respect the
+sbuf circular buffer appending rules, nor does it maintain some of the
+invariants (rptr is incremented without bounds, etc): this leads to
+further memory corruption revealed by ASAN or various malloc
+errors. Furthermore, the so_rcv buffer is regularly flushed, so there
+is no guarantee that buffer reconstruction will do what is expected.
+
+Instead, do what the function comment says: "XXX Assumes the whole
+command came in one packet", and don't touch so_rcv.
+
+Related to: https://bugzilla.redhat.com/show_bug.cgi?id=1664205
+
+Cc: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+
+(cherry picked from libslirp commit
+9da0da837780f825b5db31db6620492f8b7cd5d6)
+
+[ MA - backported with style conflicts, and without qemu commit
+a7104eda7dab99d0cdbd3595c211864cba415905 which is unnecessary with
+this patch ]
+
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ slirp/tcp_subr.c | 63 +++++++++++++++++++++++++++-----------------------------
+ 1 file changed, 30 insertions(+), 33 deletions(-)
+
+diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c
+index 578b204..d49a366 100644
+--- a/slirp/tcp_subr.c
++++ b/slirp/tcp_subr.c
+@@ -581,42 +581,39 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ 			struct socket *tmpso;
+ 			struct sockaddr_in addr;
+ 			socklen_t addrlen = sizeof(struct sockaddr_in);
+-			struct sbuf *so_rcv = &so->so_rcv;
+-
+-			memcpy(so_rcv->sb_wptr, m->m_data, m->m_len);
+-			so_rcv->sb_wptr += m->m_len;
+-			so_rcv->sb_rptr += m->m_len;
+-			m_inc(m, m->m_len + 1);
+-			m->m_data[m->m_len] = 0; /* NULL terminate */
+-			if (strchr(m->m_data, '\r') || strchr(m->m_data, '\n')) {
+-				if (sscanf(so_rcv->sb_data, "%u%*[ ,]%u", &n1, &n2) == 2) {
+-					HTONS(n1);
+-					HTONS(n2);
+-					/* n2 is the one on our host */
+-					for (tmpso = slirp->tcb.so_next;
+-					     tmpso != &slirp->tcb;
+-					     tmpso = tmpso->so_next) {
+-						if (tmpso->so_laddr.s_addr == so->so_laddr.s_addr &&
+-						    tmpso->so_lport == n2 &&
+-						    tmpso->so_faddr.s_addr == so->so_faddr.s_addr &&
+-						    tmpso->so_fport == n1) {
+-							if (getsockname(tmpso->s,
+-								(struct sockaddr *)&addr, &addrlen) == 0)
+-							   n2 = addr.sin_port;
+-							break;
+-						}
++			char *eol = g_strstr_len(m->m_data, m->m_len, "\r\n");
++
++			if (!eol) {
++				return 1;
++			}
++
++			*eol = '\0';
++			if (sscanf(m->m_data, "%u%*[ ,]%u", &n1, &n2) == 2) {
++				HTONS(n1);
++				HTONS(n2);
++				/* n2 is the one on our host */
++				for (tmpso = slirp->tcb.so_next; tmpso != &slirp->tcb;
++					 tmpso = tmpso->so_next) {
++					if (tmpso->so_laddr.s_addr == so->so_laddr.s_addr &&
++						tmpso->so_lport == n2 &&
++						tmpso->so_faddr.s_addr == so->so_faddr.s_addr &&
++						tmpso->so_fport == n1) {
++						if (getsockname(tmpso->s, (struct sockaddr *)&addr,
++										&addrlen) == 0)
++							n2 = addr.sin_port;
++						break;
+ 					}
+-					NTOHS(n1);
+-					NTOHS(n2);
+-					so_rcv->sb_cc = snprintf(so_rcv->sb_data,
+-								 so_rcv->sb_datalen,
+-								 "%d,%d\r\n", n1, n2);
+-					so_rcv->sb_rptr = so_rcv->sb_data;
+-					so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc;
+ 				}
++				NTOHS(n1);
++				NTOHS(n2);
++				m_inc(m, snprintf(NULL, 0, "%d,%d\r\n", n1, n2) + 1);
++				m->m_len = snprintf(m->m_data, M_ROOM(m), "%d,%d\r\n", n1, n2);
++				assert(m->m_len < M_ROOM(m));
++			} else {
++				*eol = '\r';
+ 			}
+-			m_free(m);
+-			return 0;
++
++			return 1;
+ 		}
+ 
+         case EMU_FTP: /* ftp */
+-- 
+1.8.3.1
+
diff --git a/SOURCES/kvm-slirp-ensure-there-is-enough-space-in-mbuf-to-null-t.patch b/SOURCES/kvm-slirp-ensure-there-is-enough-space-in-mbuf-to-null-t.patch
new file mode 100644
index 0000000..ceb2fc0
--- /dev/null
+++ b/SOURCES/kvm-slirp-ensure-there-is-enough-space-in-mbuf-to-null-t.patch
@@ -0,0 +1,66 @@
+From 16725ff1e92b21449017a6e3aa9b1621d06c84a4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
+Date: Mon, 20 May 2019 17:00:54 +0200
+Subject: [PATCH 3/4] slirp: ensure there is enough space in mbuf to
+ null-terminate
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-id: <20190520170055.15404-4-marcandre.lureau@redhat.com>
+Patchwork-id: 88099
+O-Subject: [RHEL-7.6.z qemu-kvm PATCH 3/4] slirp: ensure there is enough space in mbuf to null-terminate
+Bugzilla: 1669067
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+RH-Acked-by: Thomas Huth <thuth@redhat.com>
+
+Prevents from buffer overflows.
+Related to: https://bugzilla.redhat.com/show_bug.cgi?id=1664205
+
+Cc: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+
+(cherry picked from libslirp commit
+306fef58b54d793ba4b259728c21322765bda917)
+
+[ MA - backported with style conflicts fixes ]
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ slirp/tcp_subr.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c
+index 80538a9..578b204 100644
+--- a/slirp/tcp_subr.c
++++ b/slirp/tcp_subr.c
+@@ -586,6 +586,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ 			memcpy(so_rcv->sb_wptr, m->m_data, m->m_len);
+ 			so_rcv->sb_wptr += m->m_len;
+ 			so_rcv->sb_rptr += m->m_len;
++			m_inc(m, m->m_len + 1);
+ 			m->m_data[m->m_len] = 0; /* NULL terminate */
+ 			if (strchr(m->m_data, '\r') || strchr(m->m_data, '\n')) {
+ 				if (sscanf(so_rcv->sb_data, "%u%*[ ,]%u", &n1, &n2) == 2) {
+@@ -619,6 +620,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ 		}
+ 
+         case EMU_FTP: /* ftp */
++		m_inc(m, m->m_len + 1);
+                 *(m->m_data+m->m_len) = 0; /* NUL terminate for strstr */
+ 		if ((bptr = (char *)strstr(m->m_data, "ORT")) != NULL) {
+ 			/*
+@@ -716,6 +718,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ 		/*
+ 		 * Need to emulate DCC CHAT, DCC SEND and DCC MOVE
+ 		 */
++		m_inc(m, m->m_len + 1);
+ 		*(m->m_data+m->m_len) = 0; /* NULL terminate the string for strstr */
+ 		if ((bptr = (char *)strstr(m->m_data, "DCC")) == NULL)
+ 			 return 1;
+-- 
+1.8.3.1
+
diff --git a/SOURCES/kvm-slirp-fix-big-little-endian-conversion-in-ident-prot.patch b/SOURCES/kvm-slirp-fix-big-little-endian-conversion-in-ident-prot.patch
new file mode 100644
index 0000000..861404e
--- /dev/null
+++ b/SOURCES/kvm-slirp-fix-big-little-endian-conversion-in-ident-prot.patch
@@ -0,0 +1,52 @@
+From 6e4dad9d915f8de71e1695720398160c97e8ebd0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
+Date: Mon, 20 May 2019 17:00:53 +0200
+Subject: [PATCH 2/4] slirp: fix big/little endian conversion in ident protocol
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-id: <20190520170055.15404-3-marcandre.lureau@redhat.com>
+Patchwork-id: 88100
+O-Subject: [RHEL-7.6.z qemu-kvm PATCH 2/4] slirp: fix big/little endian conversion in ident protocol
+Bugzilla: 1669067
+RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Thomas Huth <thuth@redhat.com>
+
+From: Samuel Thibault <samuel.thibault@ens-lyon.org>
+
+Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+
+[ MA - backported to ease backport of CVE-2019-6778 ]
+
+(cherry picked from commit 1fd71067dae501f1c78618e9583c6cc72db0cfa6)
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ slirp/tcp_subr.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c
+index 0b7138b..80538a9 100644
+--- a/slirp/tcp_subr.c
++++ b/slirp/tcp_subr.c
+@@ -601,10 +601,12 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ 						    tmpso->so_fport == n1) {
+ 							if (getsockname(tmpso->s,
+ 								(struct sockaddr *)&addr, &addrlen) == 0)
+-							   n2 = ntohs(addr.sin_port);
++							   n2 = addr.sin_port;
+ 							break;
+ 						}
+ 					}
++					NTOHS(n1);
++					NTOHS(n2);
+ 					so_rcv->sb_cc = snprintf(so_rcv->sb_data,
+ 								 so_rcv->sb_datalen,
+ 								 "%d,%d\r\n", n1, n2);
+-- 
+1.8.3.1
+
diff --git a/SPECS/qemu-kvm.spec b/SPECS/qemu-kvm.spec
index a813c1b..b7e76d5 100644
--- a/SPECS/qemu-kvm.spec
+++ b/SPECS/qemu-kvm.spec
@@ -76,7 +76,7 @@ Obsoletes: %1 < %{obsoletes_version}                                      \
 Summary: QEMU is a machine emulator and virtualizer
 Name: %{pkgname}%{?pkgsuffix}
 Version: 1.5.3
-Release: 160%{?dist}.2
+Release: 160%{?dist}.3
 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
 Epoch: 10
 License: GPLv2 and GPLv2+ and CC-BY
@@ -3943,6 +3943,14 @@ Patch1942: kvm-slirp-Correct-size-check-in-m_inc.patch
 Patch1943: kvm-i386-Deprecate-arch-facilities-and-make-it-block-liv.patch
 # For bz#1693216 - qemu-kvm: hardware: Microarchitectural Store Buffer Data Sampling [rhel-7.6.z]
 Patch1944: kvm-target-i386-define-md-clear-bit-rhel.patch
+# For bz#1669067 - CVE-2019-6778 qemu-kvm: QEMU: slirp: heap buffer overflow in tcp_emu() [rhel-7.6.z]
+Patch1945: kvm-slirp-check-sscanf-result-when-emulating-ident.patch
+# For bz#1669067 - CVE-2019-6778 qemu-kvm: QEMU: slirp: heap buffer overflow in tcp_emu() [rhel-7.6.z]
+Patch1946: kvm-slirp-fix-big-little-endian-conversion-in-ident-prot.patch
+# For bz#1669067 - CVE-2019-6778 qemu-kvm: QEMU: slirp: heap buffer overflow in tcp_emu() [rhel-7.6.z]
+Patch1947: kvm-slirp-ensure-there-is-enough-space-in-mbuf-to-null-t.patch
+# For bz#1669067 - CVE-2019-6778 qemu-kvm: QEMU: slirp: heap buffer overflow in tcp_emu() [rhel-7.6.z]
+Patch1948: kvm-slirp-don-t-manipulate-so_rcv-in-tcp_emu.patch
 
 
 BuildRequires: zlib-devel
@@ -6065,6 +6073,10 @@ tar -xf %{SOURCE21}
 %patch1942 -p1
 %patch1943 -p1
 %patch1944 -p1
+%patch1945 -p1
+%patch1946 -p1
+%patch1947 -p1
+%patch1948 -p1
 
 %build
 buildarch="%{kvm_target}-softmmu"
@@ -6510,6 +6522,14 @@ sh %{_sysconfdir}/sysconfig/modules/kvm.modules &> /dev/null || :
 %{_mandir}/man8/qemu-nbd.8*
 
 %changelog
+* Tue May 28 2019 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-160.el7_6.3
+- kvm-slirp-check-sscanf-result-when-emulating-ident.patch [bz#1669067]
+- kvm-slirp-fix-big-little-endian-conversion-in-ident-prot.patch [bz#1669067]
+- kvm-slirp-ensure-there-is-enough-space-in-mbuf-to-null-t.patch [bz#1669067]
+- kvm-slirp-don-t-manipulate-so_rcv-in-tcp_emu.patch [bz#1669067]
+- Resolves: bz#1669067
+  (CVE-2019-6778 qemu-kvm: QEMU: slirp: heap buffer overflow in tcp_emu() [rhel-7.6.z])
+
 * Wed Apr 10 2019 Danilo C. L. de Paula <ddepaula@redhat.com> - 1.5.3-160.el7_6.2
 - kvm-target-i386-define-md-clear-bit-rhel.patch
 - Resolves: bz#1693216