diff --git a/SOURCES/cve-2022-31212.patch b/SOURCES/cve-2022-31212.patch
new file mode 100644
index 0000000..0b2f460
--- /dev/null
+++ b/SOURCES/cve-2022-31212.patch
@@ -0,0 +1,66 @@
+From 7fd15f8e272136955f7ffc37df29fbca9ddceca1 Mon Sep 17 00:00:00 2001
+From: David Rheinsberg <david.rheinsberg@gmail.com>
+Date: Tue, 19 Apr 2022 13:11:02 +0200
+Subject: [PATCH] strnspn: fix buffer overflow
+
+Fix the strnspn and strncspn functions to use a properly sized buffer.
+It used to be 1 byte too short. Checking for `0xff` in a string will
+thus write `0xff` once byte beyond the stack space of the local buffer.
+
+Note that the public API does not allow to pass `0xff` to those
+functions. Therefore, this is a read-only buffer overrun, possibly
+causing bogus reports from the parser, but still well-defined.
+
+Reported-by: Steffen Robertz
+Signed-off-by: David Rheinsberg <david.rheinsberg@gmail.com>
+---
+ /subprojects/c-shquote/src/c-shquote.c    | 4 ++--
+ /subprojects/c-shquote/src/test-private.c | 6 ++++++
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a//subprojects/c-shquote/src/c-shquote.c b//subprojects/c-shquote/src/c-shquote.c
+index b268906..abb55d6 100644
+--- a//subprojects/c-shquote/src/c-shquote.c
++++ b//subprojects/c-shquote/src/c-shquote.c
+@@ -85,7 +85,7 @@ int c_shquote_consume_char(char **outp,
+ size_t c_shquote_strnspn(const char *string,
+                         size_t n_string,
+                         const char *accept) {
+-        bool buffer[UCHAR_MAX] = {};
++        bool buffer[UCHAR_MAX + 1] = {};
+ 
+         for ( ; *accept; ++accept)
+                 buffer[(unsigned char)*accept] = true;
+@@ -100,7 +100,7 @@ size_t c_shquote_strnspn(const char *string,
+ size_t c_shquote_strncspn(const char *string,
+                           size_t n_string,
+                           const char *reject) {
+-        bool buffer[UCHAR_MAX] = {};
++        bool buffer[UCHAR_MAX + 1] = {};
+ 
+         if (strlen(reject) == 1) {
+                 const char *p;
+diff --git a//subprojects/c-shquote/src/test-private.c b//subprojects/c-shquote/src/test-private.c
+index 57a7250..c6afe40 100644
+--- a//subprojects/c-shquote/src/test-private.c
++++ b//subprojects/c-shquote/src/test-private.c
+@@ -148,6 +148,9 @@ static void test_strnspn(void) {
+ 
+         len = c_shquote_strnspn("ab", 2, "bc");
+         c_assert(len == 0);
++
++        len = c_shquote_strnspn("ab", 2, "\xff");
++        c_assert(len == 0);
+ }
+ 
+ static void test_strncspn(void) {
+@@ -167,6 +170,9 @@ static void test_strncspn(void) {
+ 
+         len = c_shquote_strncspn("ab", 2, "cd");
+         c_assert(len == 2);
++
++        len = c_shquote_strncspn("ab", 2, "\xff");
++        c_assert(len == 2);
+ }
+ 
+ static void test_discard_comment(void) {
diff --git a/SOURCES/cve-2022-31213.patch b/SOURCES/cve-2022-31213.patch
new file mode 100644
index 0000000..683084b
--- /dev/null
+++ b/SOURCES/cve-2022-31213.patch
@@ -0,0 +1,35 @@
+From 4fefc3908ce527de4ca3d7386886c2447d6b4c14 Mon Sep 17 00:00:00 2001
+From: David Rheinsberg <david.rheinsberg@gmail.com>
+Date: Tue, 19 Apr 2022 13:29:53 +0200
+Subject: [PATCH] launch/config: keep empty cdata around
+
+We expect the `node->cdata` pointer to contain the actual content of an
+XML entry. Make sure it is initialized to an empty string, so we can
+dereference it without checking for validity everywhere.
+
+Note that we want it to be an owned string, to allow claiming the value.
+We will avoid any `n_cdata + 'static ""` here, to keep the code simple.
+The performance of that strdup() merely affects XML parsing, no bus
+runtime.
+
+Reported-by: Steffen Robertz
+Signed-off-by: David Rheinsberg <david.rheinsberg@gmail.com>
+---
+ src/launch/config.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/launch/config.c b/src/launch/config.c
+index 490d7b7d..cb7e3fae 100644
+--- a/src/launch/config.c
++++ b/src/launch/config.c
+@@ -133,6 +133,10 @@ int config_node_new(ConfigNode **nodep, ConfigNode *parent, unsigned int type) {
+                 break;
+         }
+ 
++        node->cdata = strdup("");
++        if (!node->cdata)
++                return error_origin(-ENOMEM);
++
+         *nodep = node;
+         node = NULL;
+         return 0;
diff --git a/SPECS/dbus-broker.spec b/SPECS/dbus-broker.spec
index 1be1236..ffbb045 100644
--- a/SPECS/dbus-broker.spec
+++ b/SPECS/dbus-broker.spec
@@ -2,13 +2,15 @@
 
 Name:                 dbus-broker
 Version:              28
-Release:              5%{?dist}
+Release:              5.1%{?dist}
 Summary:              Linux D-Bus Message Broker
 License:              ASL 2.0
 URL:                  https://github.com/bus1/dbus-broker
 Source0:              https://github.com/bus1/dbus-broker/releases/download/v%{version}/dbus-broker-%{version}.tar.xz
 Patch0000:            https://github.com/bus1/dbus-broker/commit/1add8a7d60e46806e0ef87994d3024245db0d84a.patch
 Patch0001:            https://github.com/bus1/dbus-broker/commit/b82b670bfec6600d0144bcb9ca635fb07c80118f.patch
+Patch0002:	      cve-2022-31212.patch
+Patch0003:	      cve-2022-31213.patch
 %{?systemd_requires}
 BuildRequires:        pkgconfig(audit)
 BuildRequires:        pkgconfig(expat)
@@ -95,6 +97,13 @@ fi
 %{_userunitdir}/dbus-broker.service
 
 %changelog
+* Tue Aug 02 2022 Jakub Martisko <jamartis@redhat.com> - 28-5.1
+- Fix a stack buffer over-read in the c-shquote library
+- Fix null pointer reference when supplying a malformed XML config file
+- Add gating.yaml
+Resolves: CVE-2022-31212
+Resolves: CVE-2022-31213
+
 * Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 28-5
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
   Related: rhbz#1991688