diff --git a/pkgs/development/libraries/jbig2dec/default.nix b/pkgs/development/libraries/jbig2dec/default.nix
index 8828d0057f36..45df4876be1f 100644
--- a/pkgs/development/libraries/jbig2dec/default.nix
+++ b/pkgs/development/libraries/jbig2dec/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl }:
+{ stdenv, fetchurl, fetchpatch }:
 
 stdenv.mkDerivation rec {
   name = "jbig2dec-0.13";
@@ -8,6 +8,14 @@ stdenv.mkDerivation rec {
     sha256 = "04akiwab8iy5iy34razcvh9mcja9wy737civ3sbjxk4j143s1b2s";
   };
 
+  patches =
+    [ (fetchpatch {
+        url = "http://git.ghostscript.com/?p=jbig2dec.git;a=patch;h=e698d5c11d27212aa1098bc5b1673a3378563092";
+        sha256 = "1fc8xm1z98xj2zkcl0zj7dpjjsbz3vn61b59jnkhcyzy3iiczv7f";
+        name = "CVE-2016-9601.patch";
+      })
+    ];
+
   meta = {
     homepage = https://www.ghostscript.com/jbig2dec.html;
     description = "Decoder implementation of the JBIG2 image compression format";