diff --git a/pkgs/tools/archivers/cpio/default.nix b/pkgs/tools/archivers/cpio/default.nix
index 919484fa915..ec873507c85 100644
--- a/pkgs/tools/archivers/cpio/default.nix
+++ b/pkgs/tools/archivers/cpio/default.nix
@@ -2,12 +2,14 @@
 
 stdenv.mkDerivation {
   name = "cpio-2.11";
-  
+
   src = fetchurl {
     url = mirror://gnu/cpio/cpio-2.11.tar.bz2;
     sha256 = "bb820bfd96e74fc6ce43104f06fe733178517e7f5d1cdee553773e8eff7d5bbd";
   };
 
+  patches = [ ./no-gets.patch ];
+
   meta = {
     homepage = http://www.gnu.org/software/cpio/;
     description = "A program to create or extract from cpio archives";
diff --git a/pkgs/tools/archivers/cpio/no-gets.patch b/pkgs/tools/archivers/cpio/no-gets.patch
new file mode 100644
index 00000000000..f7a9be324df
--- /dev/null
+++ b/pkgs/tools/archivers/cpio/no-gets.patch
@@ -0,0 +1,24 @@
+https://bugs.gentoo.org/424974
+
+hack until gzip pulls a newer gnulib version
+
+From 66712c23388e93e5c518ebc8515140fa0c807348 Mon Sep 17 00:00:00 2001
+From: Eric Blake <eblake@redhat.com>
+Date: Thu, 29 Mar 2012 13:30:41 -0600
+Subject: [PATCH] stdio: don't assume gets any more
+
+Gnulib intentionally does not have a gets module, and now that C11
+and glibc have dropped it, we should be more proactive about warning
+any user on a platform that still has a declaration of this dangerous
+interface.
+
+--- a/gnu/stdio.in.h
++++ b/gnu/stdio.in.h
+@@ -125,7 +125,6 @@
+    so any use of gets warrants an unconditional warning.  Assume it is
+    always declared, since it is required by C89.  */
+ #undef gets
+-_GL_WARN_ON_USE (gets, "gets is a security hole - use fgets instead");
+ 
+ #if @GNULIB_FOPEN@
+ # if @REPLACE_FOPEN@