diff --git a/pkgs/development/libraries/gegl/default.nix b/pkgs/development/libraries/gegl/default.nix
index a30d5c78e7f2..0649775ad216 100644
--- a/pkgs/development/libraries/gegl/default.nix
+++ b/pkgs/development/libraries/gegl/default.nix
@@ -1,6 +1,6 @@
 { stdenv, fetchurl, pkgconfig, glib, babl, libpng, cairo, libjpeg
 , librsvg, pango, gtk, bzip2, intltool }:
-        
+
 stdenv.mkDerivation rec {
   name = "gegl-0.2.0";
 
@@ -9,6 +9,13 @@ stdenv.mkDerivation rec {
     sha256 = "df2e6a0d9499afcbc4f9029c18d9d1e0dd5e8710a75e17c9b1d9a6480dd8d426";
   };
 
+  patches = [( fetchurl {
+    url = "https://projects.archlinux.org/svntogit/packages.git/plain/trunk/"
+      + "gegl-0.2.0-CVE-2012-4433.patch?h=packages/gegl&id=57a60fbda5d7bbbd1cc4767cb0724baa80c5e3e9";
+    sha256 = "0p8mxj3w09nn1cc6cbxrd9hx742c5y27903i608wx6ja3kdjis59";
+    name = "CVE-2012-4433.patch";
+  })];
+
   # needs fonts otherwise  don't know how to pass them
   configureFlags = "--disable-docs";