diff --git a/ChangeLog b/ChangeLog
index e8be6cba70..7d7dca2843 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+Fri Jun 22 13:36:50 2012  Nobuyoshi Nakada  <nobu@ruby-lang.org>
+
+	* random.c (random_init, random_load): cannot initialize frozen object
+	  again, nor with tainted/untrusted object.  [Bug #6540]
+
 Fri Jun 22 13:32:33 2012  Nobuyoshi Nakada  <nobu@ruby-lang.org>
 
 	* error.c (rb_check_copyable): new function, to ensure the target is
diff --git a/random.c b/random.c
index 7244a00538..197a80f529 100644
--- a/random.c
+++ b/random.c
@@ -462,10 +462,12 @@ random_init(int argc, VALUE *argv, VALUE obj)
     rb_random_t *rnd = get_rnd(obj);
 
     if (argc == 0) {
+	rb_check_frozen(obj);
 	vseed = random_seed();
     }
     else {
 	rb_scan_args(argc, argv, "01", &vseed);
+	rb_check_copyable(obj, vseed);
     }
     rnd->seed = rand_init(&rnd->mt, vseed);
     return obj;
@@ -686,6 +688,7 @@ random_load(VALUE obj, VALUE dump)
     VALUE *ary;
     unsigned long x;
 
+    rb_check_copyable(obj, dump);
     Check_Type(dump, T_ARRAY);
     ary = RARRAY_PTR(dump);
     switch (RARRAY_LEN(dump)) {
diff --git a/test/ruby/test_rand.rb b/test/ruby/test_rand.rb
index c7139818de..a722c67f4a 100644
--- a/test/ruby/test_rand.rb
+++ b/test/ruby/test_rand.rb
@@ -484,4 +484,25 @@ END
       Random.new.marshal_load(0)
     }
   end
+
+  def test_marshal_load_frozen
+    r = Random.new(0)
+    d = r.marshal_dump
+    r.freeze
+    assert_raise(RuntimeError, '[Bug #6540]') do
+      r.marshal_load(d)
+    end
+  end
+
+  def test_marshal_load_insecure
+    r = Random.new(0)
+    d = r.marshal_dump
+    l = proc do
+      $SAFE = 4
+      r.marshal_load(d)
+    end
+    assert_raise(SecurityError, '[Bug #6540]') do
+      l.call
+    end
+  end
 end