diff --git a/krb5-1.12-pic-aes-ni.patch b/krb5-1.12-pic-aes-ni.patch
new file mode 100644
index 0000000..61c6c82
--- /dev/null
+++ b/krb5-1.12-pic-aes-ni.patch
@@ -0,0 +1,38 @@
+--- krb5-1.12/src/lib/crypto/builtin/aes/iaesx86.s
++++ krb5-1.12/src/lib/crypto/builtin/aes/iaesx86.s
+@@ -256,6 +256,7 @@ DD 0
+ section .text
+ 
+ 
++extern _GLOBAL_OFFSET_TABLE_
+ 
+ align 16
+ key_expansion256:
+@@ -318,7 +319,12 @@ _iEncExpandKey128:
+ 
+         movdqu [edx], xmm1
+ 
+-        movdqa xmm5, [shuffle_mask]
++        call .get_GOT
++.get_GOT:
++        pop ebx
++        add ebx,_GLOBAL_OFFSET_TABLE_+$$-.get_GOT wrt ..gotpc
++
++        movdqa xmm5, [ebx+shuffle_mask wrt ..gotoff]
+ 
+         add edx,16
+ 
+@@ -421,7 +430,12 @@ _iEncExpandKey256:
+ 
+     add edx,32
+ 
+-    movdqa xmm5, [shuffle_mask]  ; this mask is used by key_expansion
++    call .get_GOT
++.get_GOT:
++    pop ebx
++    add ebx,_GLOBAL_OFFSET_TABLE_+$$-.get_GOT wrt ..gotpc
++
++    movdqa xmm5, [ebx+shuffle_mask wrt ..gotoff] ; this mask is used by key_expansion
+ 
+     aeskeygenassist xmm2, xmm3, 0x1     ;
+     call key_expansion256
diff --git a/krb5.spec b/krb5.spec
index ae0924a..e53dc96 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -41,7 +41,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.12
-Release: 8%{?dist}
+Release: 9%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.12/krb5-1.12-signed.tar
 Source0: krb5-%{version}.tar.gz
@@ -97,6 +97,7 @@ Patch138: krb5-master-keytab_close.patch
 Patch139: krb5-1.12-copy_context.patch
 Patch140: krb5-master-spnego_error_messages.patch
 Patch141: krb5-1.12-enable-NX.patch
+Patch142: krb5-1.12-pic-aes-ni.patch
 
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@@ -322,6 +323,7 @@ ln -s NOTICE LICENSE
 %patch139 -p1 -b .copy_context
 %patch140 -p1 -b .spnego_error_messages
 %patch141 -p1 -b .enable-NX
+%patch142 -p1 -b .pic-aes-ni
 
 # Apply when the hard-wired or configured default location is
 # DIR:/run/user/%%{uid}/krb5cc.
@@ -976,9 +978,12 @@ exit 0
 %{_sbindir}/uuserver
 
 %changelog
-* Mon Jan  6 2014 Nalin Dahyabhai <nalin@redhat.com>
+* Mon Jan  6 2014 Nalin Dahyabhai <nalin@redhat.com> - 1.12-9
 - grab a more-commented version of the most recent patch from upstream
   master
+- make a guess at making the 32-bit AES-NI implementation sufficiently
+  position-independent to not require execmod permissions for libk5crypto
+  (more of #1045699)
 
 * Thu Jan  2 2014 Nalin Dahyabhai <nalin@redhat.com> - 1.12-8
 - add patch from Dhiru Kholia for the AES-NI implementations to allow