diff --git a/checkrestart b/checkrestart
index e84824c..e20ab85 100755
--- a/checkrestart
+++ b/checkrestart
@@ -39,6 +39,7 @@
 import pwd
 import sys
 import string
+import subprocess
 if os.getuid() != 0:
 sys.stderr.write('This program must be run as root\n')
@@ -81,10 +82,10 @@
 print "(%d distinct programs)" % len(programs)
 packages = {}
- #dpkgQuery = 'dpkg-query --search ' + ' '.join(programs.keys())
 diverted = None
- dpkgQuery = 'dpkg --search ' + ' '.join(programs.keys())
- for line in os.popen(dpkgQuery).readlines():
+ dpkgQuery = ["dpkg", "--search"] + programs.keys()
+ dpkgProc = subprocess.Popen(dpkgQuery, stdout=subprocess.PIPE)
+ for line in dpkgProc.stdout.readlines():
 if line.startswith('local diversion'):
 continue
diff --git a/debian/changelog b/debian/changelog
index b2a4abc..76de61b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+debian-goodies (0.34) unstable; urgency=high
+
+ * Fix security bug that enables users to generate files in the
+ filesystem with shell metacharacters and have the checkrestart
+ script run external code (as root, since the script will only
+ run as admin) (Closes: 440411)
+
+ -- Javier Fernandez-Sanguino Pen~a Sun, 02 Sep 2007 23:07:30 +0200
+
 debian-goodies (0.33) unstable; urgency=low
 * Added description of demany in debian/control
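Review bot: The argv list built at `dpkgQuery = ["dpkg", "--search"] + programs.keys()` removes the shell, but each path is still handed to dpkg as a command-line word and as a `--search` pattern, so a name that begins with `-` or contains glob characters could be read as an option or match unrelated files. How `programs` is populated is outside this hunk, so this may already be excluded upstream. An end-of-options marker closes the first case: `dpkgQuery = ["dpkg", "--search", "--"] + programs.keys()`. The child is also never waited on and its exit status is not checked, so a `dpkgProc.wait()` after the loop, whose body continues past the end of the hunk, would let a failed lookup be reported rather than passing unnoticed.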