diff --git a/ChangeLog b/ChangeLog
index 719b05c2ef..3c678fac98 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,9 @@
 Fri Oct 17 11:58:31 +0200 Jim Meyering <meyering@redhat.com>
 
+	Makefile.maint (sync-vcs-ignore-files): avoid risk of abuse
+	* Makefile.maint (sync-vcs-ignore-files): Rewrite rule so that
+	it won't misbehave even with maliciously-named sub-directories.
+
 	generate .gitignore files from .cvsignore ones
 	* Makefile.maint (sync-vcs-ignore-files): New target.
 	Prompted by a patch from James Morris.
diff --git a/Makefile.maint b/Makefile.maint
index 441deac45c..d85646928f 100644
--- a/Makefile.maint
+++ b/Makefile.maint
@@ -608,11 +608,27 @@ my-distcheck: $(local-check) check
 	echo "$(distdir).tar.gz is ready for distribution"; \
 	echo "========================"
 
-gi=.gitignore
+cvs-to-git = '\#!/usr/bin/perl\n\
+use warnings;\n\
+use strict;\n\
+use File::Find;\n\
+use File::Copy;\n\
+\n\
+find ({wanted =>\n\
+       sub {$$_ eq q/.cvsignore/ or return;\n\
+	    my $$gi = q/.gitignore/;\n\
+	    unlink $$gi;\n\
+	    copy($$_, $$gi) or die qq/copy failed: $$_->$$gi: $$!\\n/;\n\
+	    chmod 0444, $$gi;\n\
+	    }},\n\
+      q!.!);\n'
+
+.PHONY: sync-vcs-ignore-files
+c2g = cvs-to-git
 sync-vcs-ignore-files:
-	find . -name .cvsignore				\
-	  | sed						\
-	    -e 's,\(.*\),cp -f \1 \1; chmod 444 \1,'	\
-	    -e 's,\.cvsignore; ,$(gi); ,'		\
-	    -e 's,\.cvsignore$$,$(gi),'			\
-	  | $(SHELL)
+	rm -f $(c2g)-t $(c2g)
+	printf $(cvs-to-git) > $(c2g)-t
+	chmod a+x-w $(c2g)-t
+	mv $(c2g)-t $(c2g)
+	perl $(c2g)
+	rm -f $(c2g)