diff --git a/pkgs/applications/virtualization/qemu/default.nix b/pkgs/applications/virtualization/qemu/default.nix
index 4cdb2f7ec7d..e3b7a955441 100644
--- a/pkgs/applications/virtualization/qemu/default.nix
+++ b/pkgs/applications/virtualization/qemu/default.nix
@@ -1,6 +1,6 @@
-{ stdenv, fetchurl, python, zlib, pkgconfig, glib, ncurses, perl, pixman
-, vde2, alsaLib, texinfo, libuuid, flex, bison, lzo, snappy
-, libaio, gnutls, nettle
+{ stdenv, fetchurl, fetchpatch, python, zlib, pkgconfig, glib
+, ncurses, perl, pixman, vde2, alsaLib, texinfo, libuuid, flex
+, bison, lzo, snappy, libaio, gnutls, nettle
 , makeWrapper
 , attr, libcap, libcap_ng
 , CoreServices, Cocoa, rez, setfile
@@ -45,7 +45,24 @@ stdenv.mkDerivation rec {
 
   enableParallelBuilding = true;
 
-  patches = [ ./no-etc-install.patch ];
+  patches = [
+    ./no-etc-install.patch
+    (fetchpatch {
+      url = "http://git.qemu.org/?p=qemu.git;a=patch;h=fff39a7ad09da07ef490de05c92c91f22f8002f2";
+      name = "9pfs-forbid-illegal-path-names.patch";
+      sha256 = "081j85p6m7s1cfh3aq1i2av2fsiarlri9gs939s0wvc6pdyb4b70";
+    })
+    (fetchpatch {
+      url = "http://git.qemu.org/?p=qemu.git;a=patch;h=805b5d98c649d26fc44d2d7755a97f18e62b438a";
+      name = "9pfs-forbid-.-and-..-in-file-names.patch";
+      sha256 = "0km6knll492dx745gx37bi6dhmz08cmjiyf479ajkykp0aljii24";
+    })
+    (fetchpatch {
+      url = "http://git.qemu.org/?p=qemu.git;a=patch;h=56f101ecce0eafd09e2daf1c4eeb1377d6959261";
+      name = "9pfs-directory-traversal-CVE-2016-7116.patch";
+      sha256 = "06pr070qj19w5mjxr36bcqxmgpiczncigqsbwfc8ncjhm1h7dmry";
+    })
+  ];
 
   configureFlags =
     [ "--smbd=smbd" # use `smbd' from $PATH