diff --git a/pkgs/development/libraries/boost/1.49.nix b/pkgs/development/libraries/boost/1.49.nix
index f502df4e19c..fca4249e963 100644
--- a/pkgs/development/libraries/boost/1.49.nix
+++ b/pkgs/development/libraries/boost/1.49.nix
@@ -57,7 +57,12 @@ stdenv.mkDerivation {
   };
 
   # See <http://svn.boost.org/trac/boost/ticket/4688>.
-  patches = [ ./boost_filesystem_post_1_49_0.patch ./time_utc.patch ./boost-149-cstdint.patch ] ++ (stdenv.lib.optional stdenv.isDarwin ./boost-149-darwin.patch );
+  patches = [
+    ./CVE-2013-0252.patch # https://svn.boost.org/trac/boost/ticket/7743
+    ./boost_filesystem_post_1_49_0.patch
+    ./time_utc.patch
+    ./boost-149-cstdint.patch
+  ] ++ (stdenv.lib.optional stdenv.isDarwin ./boost-149-darwin.patch );
 
   enableParallelBuilding = true;
 
diff --git a/pkgs/development/libraries/boost/CVE-2013-0252.patch b/pkgs/development/libraries/boost/CVE-2013-0252.patch
new file mode 100644
index 00000000000..fce52d47969
--- /dev/null
+++ b/pkgs/development/libraries/boost/CVE-2013-0252.patch
@@ -0,0 +1,48 @@
+Index: /boost/locale/utf.hpp
+===================================================================
+--- /boost/locale/utf.hpp	(revision 78304)
++++ /boost/locale/utf.hpp	(revision 81590)
+@@ -220,4 +220,6 @@
+                     return incomplete;
+                 tmp = *p++;
++                if (!is_trail(tmp))
++                    return illegal;
+                 c = (c << 6) | ( tmp & 0x3F);
+             case 2:
+@@ -225,4 +227,6 @@
+                     return incomplete;
+                 tmp = *p++;
++                if (!is_trail(tmp))
++                    return illegal;
+                 c = (c << 6) | ( tmp & 0x3F);
+             case 1:
+@@ -230,4 +234,6 @@
+                     return incomplete;
+                 tmp = *p++;
++                if (!is_trail(tmp))
++                    return illegal;
+                 c = (c << 6) | ( tmp & 0x3F);
+             }
+Index: /libs/locale/test/test_codepage_converter.cpp
+===================================================================
+--- /libs/locale/test/test_codepage_converter.cpp	(revision 73786)
++++ /libs/locale/test/test_codepage_converter.cpp	(revision 81590)
+@@ -140,4 +140,18 @@
+         TEST_TO("\xf8\x90\x80\x80\x80",illegal);  // 400 0000
+         TEST_TO("\xfd\xbf\xbf\xbf\xbf\xbf",illegal);  // 7fff ffff
++
++        std::cout << "-- Invalid trail" << std::endl;
++        TEST_TO("\xC2\x7F",illegal);
++        TEST_TO("\xdf\x7F",illegal);
++        TEST_TO("\xe0\x7F\x80",illegal);
++        TEST_TO("\xef\xbf\x7F",illegal);
++        TEST_TO("\xe0\x7F\x80",illegal);
++        TEST_TO("\xef\xbf\x7F",illegal);
++        TEST_TO("\xf0\x7F\x80\x80",illegal);
++        TEST_TO("\xf4\x7f\xbf\xbf",illegal);
++        TEST_TO("\xf0\x90\x7F\x80",illegal);
++        TEST_TO("\xf4\x8f\x7F\xbf",illegal);
++        TEST_TO("\xf0\x90\x80\x7F",illegal);
++        TEST_TO("\xf4\x8f\xbf\x7F",illegal);
+ 
+         std::cout << "-- Invalid length" << std::endl;