diff --git a/pkgs/development/libraries/libzip/default.nix b/pkgs/development/libraries/libzip/default.nix
index be50a58c54a..4af9278c7b1 100644
--- a/pkgs/development/libraries/libzip/default.nix
+++ b/pkgs/development/libraries/libzip/default.nix
@@ -2,12 +2,21 @@
 
 stdenv.mkDerivation rec {
 name = "libzip-0.11.2";
-
+
 src = fetchurl {
 url = "http://www.nih.at/libzip/${name}.tar.gz";
 sha256 = "1mcqrz37vjrfr4gnss37z1m7xih9x9miq3mms78zf7wn7as1znw3";
 };
-
+
+ # fix CVE-2015-2331 taken from Debian patch:
+ # https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=12;filename=libzip-0.11.2-1.2-nmu.diff;att=1;bug=780756
+ postPatch = ''
+ substituteInPlace lib/zip_dirent.c --replace \
+ 'else if ((cd->entry=(struct zip_entry *)' \
+ 'else if (nentry > ((size_t)-1)/sizeof(*(cd->entry)) || (cd->entry=(struct zip_entry *)'
+ cat lib/zip_dirent.c
+ '';
+
 propagatedBuildInputs = [ zlib ];
 
 # At least mysqlWorkbench cannot find zipconf.h; I think also openoffice
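Review bot: The `substituteInPlace … --replace` call in `postPatch` gives no guarantee that the CVE-2015-2331 guard actually landed: if the `'else if ((cd->entry=(struct zip_entry *)'` string ever stops matching (for instance after a version bump), the substitution may do nothing and the build would still succeed without the overflow check; whether stdenv warns or fails in that case depends on its version, so that is worth confirming. Shipping the Debian change as a real patch, e.g. `patches = [ ./CVE-2015-2331.patch ];` (placeholder file name), would make a non-applying fix fail the build; at minimum the substitution should be followed by `grep -q 'nentry > ((size_t)-1)/sizeof' lib/zip_dirent.c`. The trailing `cat lib/zip_dirent.c` looks like a debugging leftover that dumps the whole source file into every build log and should be dropped in favour of that check.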