diff --git a/SOURCES/dbus-1.12.20-CVE-2022-42010.patch b/SOURCES/dbus-1.12.20-CVE-2022-42010.patch
new file mode 100644
index 0000000..ce387c7
--- /dev/null
+++ b/SOURCES/dbus-1.12.20-CVE-2022-42010.patch
@@ -0,0 +1,116 @@
+From 8f382ee405ec68850866298ba0574f12e261a6fa Mon Sep 17 00:00:00 2001
+From: Simon McVittie <smcv@collabora.com>
+Date: Tue, 13 Sep 2022 15:10:22 +0100
+Subject: [PATCH] dbus-marshal-validate: Check brackets in signature nest
+ correctly
+
+In debug builds with assertions enabled, a signature with incorrectly
+nested `()` and `{}`, for example `a{i(u}` or `(a{ii)}`, could result
+in an assertion failure.
+
+In production builds without assertions enabled, a signature with
+incorrectly nested `()` and `{}` could potentially result in a crash
+or incorrect message parsing, although we do not have a concrete example
+of either of these failure modes.
+
+Thanks: Evgeny Vereshchagin
+Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/418
+Resolves: CVE-2022-42010
+Signed-off-by: Simon McVittie <smcv@collabora.com>
+(cherry picked from commit 9d07424e9011e3bbe535e83043d335f3093d2916)
+(cherry picked from commit 3e53a785dee8d1432156188a2c4260e4cbc78c4d)
+---
+ dbus/dbus-marshal-validate.c | 38 +++++++++++++++++++++++++++++++++++-
+ 1 file changed, 37 insertions(+), 1 deletion(-)
+
+diff --git a/dbus/dbus-marshal-validate.c b/dbus/dbus-marshal-validate.c
+index 4d492f3f3..ae68414dd 100644
+--- a/dbus/dbus-marshal-validate.c
++++ b/dbus/dbus-marshal-validate.c
+@@ -62,6 +62,8 @@ _dbus_validate_signature_with_reason (const DBusString *type_str,
+ 
+   int element_count;
+   DBusList *element_count_stack;
++  char opened_brackets[DBUS_MAXIMUM_TYPE_RECURSION_DEPTH * 2 + 1] = { '\0' };
++  char last_bracket;
+ 
+   result = DBUS_VALID;
+   element_count_stack = NULL;
+@@ -93,6 +95,10 @@ _dbus_validate_signature_with_reason (const DBusString *type_str,
+ 
+   while (p != end)
+     {
++      _dbus_assert (struct_depth + dict_entry_depth >= 0);
++      _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets));
++      _dbus_assert (opened_brackets[struct_depth + dict_entry_depth] == '\0');
++
+       switch (*p)
+         {
+         case DBUS_TYPE_BYTE:
+@@ -136,6 +142,10 @@ _dbus_validate_signature_with_reason (const DBusString *type_str,
+               goto out;
+             }
+ 
++          _dbus_assert (struct_depth + dict_entry_depth >= 1);
++          _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets));
++          _dbus_assert (opened_brackets[struct_depth + dict_entry_depth - 1] == '\0');
++          opened_brackets[struct_depth + dict_entry_depth - 1] = DBUS_STRUCT_BEGIN_CHAR;
+           break;
+ 
+         case DBUS_STRUCT_END_CHAR:
+@@ -151,9 +161,20 @@ _dbus_validate_signature_with_reason (const DBusString *type_str,
+               goto out;
+             }
+ 
++          _dbus_assert (struct_depth + dict_entry_depth >= 1);
++          _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets));
++          last_bracket = opened_brackets[struct_depth + dict_entry_depth - 1];
++
++          if (last_bracket != DBUS_STRUCT_BEGIN_CHAR)
++            {
++              result = DBUS_INVALID_STRUCT_ENDED_BUT_NOT_STARTED;
++              goto out;
++            }
++
+           _dbus_list_pop_last (&element_count_stack);
+ 
+           struct_depth -= 1;
++          opened_brackets[struct_depth + dict_entry_depth] = '\0';
+           break;
+ 
+         case DBUS_DICT_ENTRY_BEGIN_CHAR:
+@@ -178,6 +199,10 @@ _dbus_validate_signature_with_reason (const DBusString *type_str,
+               goto out;
+             }
+ 
++          _dbus_assert (struct_depth + dict_entry_depth >= 1);
++          _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets));
++          _dbus_assert (opened_brackets[struct_depth + dict_entry_depth - 1] == '\0');
++          opened_brackets[struct_depth + dict_entry_depth - 1] = DBUS_DICT_ENTRY_BEGIN_CHAR;
+           break;
+ 
+         case DBUS_DICT_ENTRY_END_CHAR:
+@@ -186,8 +211,19 @@ _dbus_validate_signature_with_reason (const DBusString *type_str,
+               result = DBUS_INVALID_DICT_ENTRY_ENDED_BUT_NOT_STARTED;
+               goto out;
+             }
+-            
++
++          _dbus_assert (struct_depth + dict_entry_depth >= 1);
++          _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets));
++          last_bracket = opened_brackets[struct_depth + dict_entry_depth - 1];
++
++          if (last_bracket != DBUS_DICT_ENTRY_BEGIN_CHAR)
++            {
++              result = DBUS_INVALID_DICT_ENTRY_ENDED_BUT_NOT_STARTED;
++              goto out;
++            }
++
+           dict_entry_depth -= 1;
++          opened_brackets[struct_depth + dict_entry_depth] = '\0';
+ 
+           element_count = 
+             _DBUS_POINTER_TO_INT (_dbus_list_pop_last (&element_count_stack));
+-- 
+GitLab
+
diff --git a/SOURCES/dbus-1.12.20-CVE-2022-42011.patch b/SOURCES/dbus-1.12.20-CVE-2022-42011.patch
new file mode 100644
index 0000000..d0a5510
--- /dev/null
+++ b/SOURCES/dbus-1.12.20-CVE-2022-42011.patch
@@ -0,0 +1,57 @@
+From 3b8a7aff228770f4f7b478db606b10cceacea875 Mon Sep 17 00:00:00 2001
+From: Simon McVittie <smcv@collabora.com>
+Date: Mon, 12 Sep 2022 13:14:18 +0100
+Subject: [PATCH] dbus-marshal-validate: Validate length of arrays of
+ fixed-length items
+
+This fast-path previously did not check that the array was made up
+of an integer number of items. This could lead to assertion failures
+and out-of-bounds accesses during subsequent message processing (which
+assumes that the message has already been validated), particularly after
+the addition of _dbus_header_remove_unknown_fields(), which makes it
+more likely that dbus-daemon will apply non-trivial edits to messages.
+
+Thanks: Evgeny Vereshchagin
+Fixes: e61f13cf "Bug 18064 - more efficient validation for fixed-size type arrays"
+Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/413
+Resolves: CVE-2022-42011
+Signed-off-by: Simon McVittie <smcv@collabora.com>
+(cherry picked from commit 079bbf16186e87fb0157adf8951f19864bc2ed69)
+(cherry picked from commit b9e6a7523085a2cfceaffca7ba1ab4251f12a984)
+---
+ dbus/dbus-marshal-validate.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/dbus/dbus-marshal-validate.c b/dbus/dbus-marshal-validate.c
+index ae68414dd..7d0d6cf72 100644
+--- a/dbus/dbus-marshal-validate.c
++++ b/dbus/dbus-marshal-validate.c
+@@ -503,13 +503,24 @@ validate_body_helper (DBusTypeReader       *reader,
+                  */ 
+                 if (dbus_type_is_fixed (array_elem_type))
+                   {
++                    /* Note that fixed-size types all have sizes equal to
++                     * their alignments, so this is really the item size. */
++                    alignment = _dbus_type_get_alignment (array_elem_type);
++                    _dbus_assert (alignment == 1 || alignment == 2 ||
++                                  alignment == 4 || alignment == 8);
++
++                    /* Because the alignment is a power of 2, this is
++                     * equivalent to: (claimed_len % alignment) != 0,
++                     * but avoids slower integer division */
++                    if ((claimed_len & (alignment - 1)) != 0)
++                      return DBUS_INVALID_ARRAY_LENGTH_INCORRECT;
++
+                     /* bools need to be handled differently, because they can
+                      * have an invalid value
+                      */
+                     if (array_elem_type == DBUS_TYPE_BOOLEAN)
+                       {
+                         dbus_uint32_t v;
+-                        alignment = _dbus_type_get_alignment (array_elem_type);
+ 
+                         while (p < array_end)
+                           {
+-- 
+GitLab
+
diff --git a/SOURCES/dbus-1.12.20-CVE-2022-42012.patch b/SOURCES/dbus-1.12.20-CVE-2022-42012.patch
new file mode 100644
index 0000000..29ff781
--- /dev/null
+++ b/SOURCES/dbus-1.12.20-CVE-2022-42012.patch
@@ -0,0 +1,73 @@
+From 51a5bbf9074855b0f4a353ed309938b196c13525 Mon Sep 17 00:00:00 2001
+From: Simon McVittie <smcv@collabora.com>
+Date: Fri, 30 Sep 2022 13:46:31 +0100
+Subject: [PATCH] dbus-marshal-byteswap: Byte-swap Unix fd indexes if needed
+
+When a D-Bus message includes attached file descriptors, the body of the
+message contains unsigned 32-bit indexes pointing into an out-of-band
+array of file descriptors. Some D-Bus APIs like GLib's GDBus refer to
+these indexes as "handles" for the associated fds (not to be confused
+with a Windows HANDLE, which is a kernel object).
+
+The assertion message removed by this commit is arguably correct up to
+a point: fd-passing is only reasonable on a local machine, and no known
+operating system allows processes of differing endianness even on a
+multi-endian ARM or PowerPC CPU, so it makes little sense for the sender
+to specify a byte-order that differs from the byte-order of the recipient.
+
+However, this doesn't account for the fact that a malicious sender
+doesn't have to restrict itself to only doing things that make sense.
+On a system with untrusted local users, a message sender could crash
+the system dbus-daemon (a denial of service) by sending a message in
+the opposite endianness that contains handles to file descriptors.
+
+Before this commit, if assertions are enabled, attempting to byteswap
+a fd index would cleanly crash the message recipient with an assertion
+failure. If assertions are disabled, attempting to byteswap a fd index
+would silently do nothing without advancing the pointer p, causing the
+message's type and the pointer into its contents to go out of sync, which
+can result in a subsequent crash (the crash demonstrated by fuzzing was
+a use-after-free, but other failure modes might be possible).
+
+In principle we could resolve this by rejecting wrong-endianness messages
+from a local sender, but it's actually simpler and less code to treat
+wrong-endianness messages as valid and byteswap them.
+
+Thanks: Evgeny Vereshchagin
+Fixes: ba7daa60 "unix-fd: add basic marshalling code for unix fds"
+Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/417
+Resolves: CVE-2022-42012
+Signed-off-by: Simon McVittie <smcv@collabora.com>
+(cherry picked from commit 236f16e444e88a984cf12b09225e0f8efa6c5b44)
+(cherry picked from commit 3fb065b0752db1e298e4ada52cf4adc414f5e946)
+---
+ dbus/dbus-marshal-byteswap.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/dbus/dbus-marshal-byteswap.c b/dbus/dbus-marshal-byteswap.c
+index 27695aafb..7104e9c63 100644
+--- a/dbus/dbus-marshal-byteswap.c
++++ b/dbus/dbus-marshal-byteswap.c
+@@ -61,6 +61,7 @@ byteswap_body_helper (DBusTypeReader       *reader,
+         case DBUS_TYPE_BOOLEAN:
+         case DBUS_TYPE_INT32:
+         case DBUS_TYPE_UINT32:
++        case DBUS_TYPE_UNIX_FD:
+           {
+             p = _DBUS_ALIGN_ADDRESS (p, 4);
+             *((dbus_uint32_t*)p) = DBUS_UINT32_SWAP_LE_BE (*((dbus_uint32_t*)p));
+@@ -188,11 +189,6 @@ byteswap_body_helper (DBusTypeReader       *reader,
+           }
+           break;
+ 
+-        case DBUS_TYPE_UNIX_FD:
+-          /* fds can only be passed on a local machine, so byte order must always match */
+-          _dbus_assert_not_reached("attempted to byteswap unix fds which makes no sense");
+-          break;
+-
+         default:
+           _dbus_assert_not_reached ("invalid typecode in supposedly-validated signature");
+           break;
+-- 
+GitLab
+
diff --git a/SPECS/dbus.spec b/SPECS/dbus.spec
index 05a4724..d54b1d1 100644
--- a/SPECS/dbus.spec
+++ b/SPECS/dbus.spec
@@ -23,7 +23,7 @@
 Name:    dbus
 Epoch:   1
 Version: 1.12.20
-Release: 6%{?dist}
+Release: 7%{?dist}
 Summary: D-BUS message bus
 
 # The effective license of the majority of the package, including the shared
@@ -43,6 +43,12 @@ Source6: dbus.user.socket
 Source7: dbus-daemon.user.service
 Source8: dbus-systemd-sysusers.conf
 Patch0: 0001-tools-Use-Python3-for-GetAllMatchRules.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2133647
+Patch1: dbus-1.12.20-CVE-2022-42010.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2133641
+Patch2: dbus-1.12.20-CVE-2022-42011.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2133635
+Patch3: dbus-1.12.20-CVE-2022-42012.patch
 
 BuildRequires: autoconf-archive
 BuildRequires: libtool
@@ -448,6 +454,11 @@ systemctl --no-reload --global preset dbus-daemon.service &>/dev/null || :
 
 
 %changelog
+* Tue Oct 18 2022 David King <amigadave@amigadave.com> - 1:1.12.20-7
+- Fix CVE-2022-42010 (#2133647)
+- Fix CVE-2022-42011 (#2133641)
+- Fix CVE-2022-42012 (#2133635)
+
 * Wed Aug 17 2022 David King <amigadave@amigadave.com> - 1:1.12.20-6
 - Override upstream sysusers.d confguration (#2118226)