diff --git a/pkgs/shells/bash/cve-2014-7169.patch b/pkgs/shells/bash/cve-2014-7169.patch
new file mode 100644
index 00000000000..f58e73f7806
--- /dev/null
+++ b/pkgs/shells/bash/cve-2014-7169.patch
@@ -0,0 +1,13 @@
+http://www.openwall.com/lists/oss-security/2014/09/25/10
+
+*** ../bash-20140912/parse.y	2014-08-26 15:09:42.000000000 -0400
+--- parse.y	2014-09-24 22:47:28.000000000 -0400
+***************
+*** 2959,2962 ****
+--- 2959,2964 ----
+    word_desc_to_read = (WORD_DESC *)NULL;
+  
++   eol_ungetc_lookahead = 0;
++ 
+    current_token = '\n';		/* XXX */
+    last_read_token = '\n';
diff --git a/pkgs/shells/bash/default.nix b/pkgs/shells/bash/default.nix
index 6a6b8563a55..5181da77f3a 100644
--- a/pkgs/shells/bash/default.nix
+++ b/pkgs/shells/bash/default.nix
@@ -27,14 +27,14 @@ stdenv.mkDerivation rec {
   patchFlags = "-p0";
 
   patches =
-    let
+    (let
       patch = nr: sha256:
         fetchurl {
           url = "mirror://gnu/bash/bash-4.2-patches/bash42-${nr}";
           inherit sha256;
         };
     in
-      import ./bash-4.2-patches.nix patch;
+      import ./bash-4.2-patches.nix patch) ++ [ ./cve-2014-7169.patch ];
 
   crossAttrs = {
     configureFlags = baseConfigureFlags +