diff --git a/bash-4.2-format-security.patch b/bash-4.2-format-security.patch
new file mode 100644
index 0000000..8e81142
--- /dev/null
+++ b/bash-4.2-format-security.patch
@@ -0,0 +1,12 @@
+diff -up ./bash-4.2/print_cmd.c-orig ./bash-4.2/print_cmd.c
+--- ./bash-4.2/print_cmd.c-orig	2013-12-04 13:22:53.850843813 +0100
++++ ./bash-4.2/print_cmd.c	2013-12-04 13:23:28.249867347 +0100
+@@ -1394,7 +1394,7 @@ indent (amount)
+   for (i = 0; amount > 0; amount--)
+     indentation_string[i++] = ' ';
+   indentation_string[i] = '\0';
+-  cprintf (indentation_string);
++  cprintf ("%s", indentation_string);
+ }
+ 
+ static void
diff --git a/bash.spec b/bash.spec
index cef8d95..b3576d6 100644
--- a/bash.spec
+++ b/bash.spec
@@ -7,7 +7,7 @@
 Version: %{baseversion}%{patchleveltag}
 Name: bash
 Summary: The GNU Bourne Again shell
-Release: 4%{?dist}
+Release: 5%{?dist}
 Group: System Environment/Shells
 License: GPLv3+
 Url: http://www.gnu.org/software/bash
@@ -119,6 +119,9 @@ Patch126: bash-4.2-missing_closes.patch
 # fix deadlock in trap, backported from devel branch
 Patch127: bash-4.2-trap.patch
 
+# 1036998, bash FTBFS if -Werror=format-string is used
+Patch128: bash-4.2-format-security.patch
+
 BuildRequires: texinfo bison
 BuildRequires: ncurses-devel
 BuildRequires: autoconf, gettext
@@ -218,6 +221,7 @@ This package contains documentation files for %{name}.
 %patch124 -p1 -b .signal
 %patch125 -p1 -b .size_type
 %patch126 -p1 -b .missing_closes
+%patch128 -p1 -b .format-security
 
 echo %{version} > _distribution
 echo %{release} > _patchlevel
@@ -410,6 +414,9 @@ end
 #%doc doc/*.ps doc/*.0 doc/*.html doc/article.txt
 
 %changelog
+* Wed Dec 04 2013 Ondrej Oprala <ooprala@redhat.com> 4.2.45-5
+- bash FTBFS if -Werror=format-string is used (#1036998)
+
 * Fri Aug 09 2013 Roman Rakus <rrakus@redhat.com> - 4.2.45-4
 - Added suggestion to .bashrc how to disable autopaging in systemctl