diff --git a/rubygem-bundler-2.3.0-Pass-to-git-commands-to-separate-positional-and-opti-tests.patch b/rubygem-bundler-2.3.0-Pass-to-git-commands-to-separate-positional-and-opti-tests.patch
new file mode 100644
index 0000000..820a25a
--- /dev/null
+++ b/rubygem-bundler-2.3.0-Pass-to-git-commands-to-separate-positional-and-opti-tests.patch
@@ -0,0 +1,41 @@
+From 903f0610116ae254383c9ef65ef2695f56a240f7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?David=20Rodr=C3=ADguez?=
+Date: Sat, 13 Nov 2021 11:18:54 +0100
+Subject: [PATCH] Pass "--" to git commands to separate positional and optional
+ args
+
+To make sure git uri's specified in Gemfile are never misinterpreted as
+optional arguments, potentially allowing for local code execution.
+---
+ spec/bundler/source/git/git_proxy_spec.rb | 20 ++++++++++++++++++++
+ 1 files changed, 20 insertions(+)
+
+diff --git a/spec/bundler/source/git/git_proxy_spec.rb b/spec/bundler/source/git/git_proxy_spec.rb
+index d282a449a5..fbe7ef8792 100644
+--- a/spec/bundler/source/git/git_proxy_spec.rb
++++ b/spec/bundler/source/git/git_proxy_spec.rb
+@@ -113,4 +113,24 @@ RSpec.describe Bundler::Source::Git::GitProxy do
+ end
+ end
+ end
++
++ it "doesn't allow arbitrary code execution through Gemfile uris with a leading dash" do
++ gemfile <<~G
++ gem "poc", git: "-u./pay:load.sh"
++ G
++
++ file = bundled_app("pay:load.sh")
++
++ create_file file, <<~RUBY
++ #!/bin/sh
++
++ touch #{bundled_app("canary")}
++ RUBY
++
++ FileUtils.chmod("+x", file)
++
++ bundle :lock, :raise_on_error => false
++
++ expect(Pathname.new(bundled_app("canary"))).not_to exist
++ end
+ end
diff --git a/rubygem-bundler-2.3.0-Pass-to-git-commands-to-separate-positional-and-opti.patch b/rubygem-bundler-2.3.0-Pass-to-git-commands-to-separate-positional-and-opti.patch
new file mode 100644
index 0000000..9865fd7
--- /dev/null
+++ b/rubygem-bundler-2.3.0-Pass-to-git-commands-to-separate-positional-and-opti.patch
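Review bot: The new example only asserts a negative outcome, `expect(Pathname.new(bundled_app("canary"))).not_to exist`, after `bundle :lock, :raise_on_error => false`, so it also passes when `bundle lock` fails before git is ever invoked for an unrelated reason (a missing `git` binary in the test environment, a Gemfile parse error), leaving the regression unprotected. Consider additionally asserting that the failure is the expected one, e.g. via the suite's `err` helper matching on the rejected uri `-u./pay:load.sh` rather than a fixed git message, since the exact wording depends on the git version. The embedded `index d282a449a5..fbe7ef8792` line comes from the upstream tree, so the context for the three `end` lines presumably only matches the 1.16.1 spec file with an offset or fuzz. The enclosing `RSpec.describe Bundler::Source::Git::GitProxy do` block starts outside the inner hunk.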
@@ -0,0 +1,31 @@
+From 903f0610116ae254383c9ef65ef2695f56a240f7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?David=20Rodr=C3=ADguez?=
+Date: Sat, 13 Nov 2021 11:18:54 +0100
+Subject: [PATCH] Pass "--" to git commands to separate positional and optional
+ args
+
+To make sure git uri's specified in Gemfile are never misinterpreted as
+optional arguments, potentially allowing for local code execution.
+---
+ lib/bundler/source/git/git_proxy.rb | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/bundler/source/git/git_proxy.rb b/lib/bundler/source/git/git_proxy.rb
+index c56dda66ea..a9f9b50e0b 100644
+--- a/lib/bundler/source/git/git_proxy.rb
++++ b/lib/bundler/source/git/git_proxy.rb
+@@ -100,12 +100,12 @@ module Bundler
+ SharedHelpers.filesystem_access(path.dirname) do |p|
+ FileUtils.mkdir_p(p)
+ end
+- git_retry %(clone #{uri_escaped_with_configured_credentials} "#{path}" --bare --no-hardlinks --quiet)
++ git_retry %(clone --bare --no-hardlinks --quiet -- #{uri_escaped_with_configured_credentials} "#{path}")
+ return unless extra_ref
+ end
+
+ in_path do
+- git_retry %(fetch --force --quiet --tags #{uri_escaped_with_configured_credentials} "refs/heads/*:refs/heads/*" #{extra_ref})
++ git_retry %(fetch --force --quiet --tags -- #{uri_escaped_with_configured_credentials} "refs/heads/*:refs/heads/*" #{extra_ref})
+ end
+ end
+
diff --git a/rubygem-bundler.spec b/rubygem-bundler.spec
index 10a60c2..9d5af47 100644
--- a/rubygem-bundler.spec
+++ b/rubygem-bundler.spec
@@ -12,7 +12,7 @@ Name: rubygem-%{gem_name}
 Version: 1.16.1
-Release: 4%{?dist}
+Release: 5%{?dist}
 Summary: Library and utilities to manage a Ruby application's gem dependencies
 Group: Development/Languages
 License: MIT
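Review bot: The `--` inserted before `#{uri_escaped_with_configured_credentials}` in both the `clone` and the `fetch` line ends git's option parsing, but nothing in the hunk records why it must stay there, so a later cleanup could move the uri back in front of the flags; a comment above the clone call such as `# "--" ends option parsing so a Gemfile git uri beginning with "-" cannot be read as a git option (CVE-2021-43809)` would pin the intent. Both commands are still assembled as one shell string handed to `git_retry`, so the separator only addresses option injection; whether the interpolated uri and `#{extra_ref}` are safe against shell metacharacters depends on escaping done outside this hunk and should be confirmed there. If other git invocations in git_proxy.rb interpolate the uri (none are visible here), they would need the same separator. The enclosing method starts outside the hunk.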
@@ -25,6 +25,10 @@ Source1: %{gem_name}-%{version}-specs.tgz
 # https://github.com/rubygems/rubygems/pull/5029
 Patch0: ruby-bundler-raise-error-in-dependency-confusion.patch
 Patch1: ruby-bundler-raise-error-in-dependency-confusion-tests.patch
+# Fix CVE-2021-43809: unexpected code execution in Gemfiles
+# https://github.com/rubygems/rubygems/pull/5142
+Patch2: rubygem-bundler-2.3.0-Pass-to-git-commands-to-separate-positional-and-opti.patch
+Patch3: rubygem-bundler-2.3.0-Pass-to-git-commands-to-separate-positional-and-opti-tests.patch
 # ruby package has just soft dependency on rubygem(io-console), while
 # Bundler always requires it.
 Requires: rubygem(io-console)
@@ -65,6 +69,7 @@ Documentation for %{name}.
 pushd .%{gem_instdir}
 %patch0 -p1
+%patch2 -p1
 popd
 %build
@@ -125,6 +130,7 @@ ruby -e '
 tar xzvf %{SOURCE1}
 cat %{PATCH1} | patch -p1
+cat %{PATCH3} | patch -p1
 # Re-create bundler.gemspec used in spec/spec_helper.rb to avoid unnecessary
 # git dependency.
@@ -199,6 +205,10 @@ popd
 %doc %{gem_instdir}/README.md
 %changelog
+* Fri Apr 25 2025 Vít Ondruch - 1.16.1-5
+- Fix unexpected code execution in Gemfiles (CVE-2021-43809)
+ Resolves: RHEL-87017
+
+* Mon Dec 13 2021 Jun Aruga - 1.16.1-4
+- Fix Bundler dependency confusion.
 Resolves: CVE-2020-36327
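Review bot: `cat %{PATCH3} | patch -p1` in the %check hunk applies the backported regression spec with patch's default fuzz, whereas `%patch2 -p1` in the %prep hunk goes through rpm's `%patch` macro, which honours `%_default_patch_fuzz` (typically 0 on Fedora/RHEL). Both patch files carry upstream 2.3.0 context and are applied to the 1.16.1 tree, so a context mismatch in the spec file could be fuzz-matched onto a different `end` and still exit 0, silently placing the test somewhere it no longer exercises the fix. `patch -p1 --fuzz=0 < %{PATCH3}` would make a misapplied backport fail the build instead of passing quietly. This is inferred from the two application styles visible in the hunks; the actual macro configuration of the build root is not on the page.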