diff --git a/1125-Properly-check-authorization-on-incoming-guestOps-re.patch b/1125-Properly-check-authorization-on-incoming-guestOps-re.patch
new file mode 100644
index 0000000000000000000000000000000000000000..52a2a5b0977d8946e4b567b02ea50acba2936e36
--- /dev/null
+++ b/1125-Properly-check-authorization-on-incoming-guestOps-re.patch
@@ -0,0 +1,15 @@
+Index: pkg-open-vm-tools/open-vm-tools/vgauth/serviceImpl/proto.c
+===================================================================
+--- pkg-open-vm-tools.orig/open-vm-tools/vgauth/serviceImpl/proto.c
++++ pkg-open-vm-tools/open-vm-tools/vgauth/serviceImpl/proto.c
+@@ -1201,6 +1201,10 @@ Proto_SecurityCheckRequest(ServiceConnec
+    VGAuthError err;
+    gboolean isSecure = ServiceNetworkIsConnectionPrivateSuperUser(conn);
+ 
++   if (conn->isPublic && req->reqType != PROTO_REQUEST_SESSION_REQ) {
++      return VGAUTH_E_PERMISSION_DENIED;
++   }
++
+    switch (req->reqType) {
+       /*
+        * This comes over the public connection; alwsys let it through.
diff --git a/make.sh b/make.sh
index b562e222fbecd593f33993889bab5c9bd0104f11..d900c49c2438d6c32b4ffcca6539f2753b108abb 100755
--- a/make.sh
+++ b/make.sh
@@ -33,9 +33,21 @@ dget https://deb.debian.org/debian/pool/main/o/open-vm-tools/open-vm-tools_10.3.
 cd open-vm-tools-10.3.10
 mk-build-deps --install --tool='apt-get -o Debug::pkgProblemResolver=yes --yes' debian/control
 
-wget https://salsa.debian.org/vmware-packaging-team/pkg-open-vm-tools/-/raw/67b16ff62228304dfe96d33a0ba663c2e8d3167d/debian/patches/1125-Properly-check-authorization-on-incoming-guestOps-re.patch -O debian/patches/1125-Properly-check-authorization-on-incoming-guestOps-re.patch
+#wget https://salsa.debian.org/vmware-packaging-team/pkg-open-vm-tools/-/raw/67b16ff62228304dfe96d33a0ba663c2e8d3167d/debian/patches/1125-Properly-check-authorization-on-incoming-guestOps-re.patch -O debian/patches/1125-Properly-check-authorization-on-incoming-guestOps-re.patch
+cp -v 1125-Properly-check-authorization-on-incoming-guestOps-re.patch debian/patches
 echo '1125-Properly-check-authorization-on-incoming-guestOps-re.patch' >> debian/patches/series
 
+cat << EOCHL > debian/changelog
+open-vm-tools (2:10.3.10-1+deb10u2+dex1) buster; urgency=medium
+
+  * [67b16ff] Properly check authorization on incoming guestOps requests.
+    (Closes: #1018012 CVE-2022-31676)
+
+ -- Bernd Zeimetz <bzed@debian.org>  Wed, 24 Aug 2022 10:28:40 +0200
+
+$(cat debian/changelog)
+EOCHL
+
 dpkg-buildpackage -uc -us -b
 
 cd ..