diff --git a/pkgs/tools/compression/rzip/default.nix b/pkgs/tools/compression/rzip/default.nix
index 2737966b83e..ad1b8041041 100644
--- a/pkgs/tools/compression/rzip/default.nix
+++ b/pkgs/tools/compression/rzip/default.nix
@@ -1,4 +1,4 @@
-{stdenv, fetchurl, bzip2}:
+{stdenv, fetchurl, fetchpatch, bzip2}:
 
 stdenv.mkDerivation {
   name = "rzip-2.1";
@@ -8,6 +8,14 @@ stdenv.mkDerivation {
   };
   buildInputs = [ bzip2 ];
 
+  patches = [
+    (fetchpatch {
+      name = "CVE-2017-8364-fill-buffer.patch";
+      url = https://sources.debian.net/data/main/r/rzip/2.1-4.1/debian/patches/80-CVE-2017-8364-fill-buffer.patch;
+      sha256 = "0jcjlx9ksdvxvjyxmyzscx9ar9992iy5icw0sc3n0p09qi4d6x1r";
+    })
+  ];
+
   meta = {
     homepage = http://rzip.samba.org/;
     description = "Compression program";