diff --git a/pkgs/tools/text/a2ps/default.nix b/pkgs/tools/text/a2ps/default.nix
index c7476d9f339..e38de5e6bd8 100644
--- a/pkgs/tools/text/a2ps/default.nix
+++ b/pkgs/tools/text/a2ps/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, libpaper, gperf, file }:
+{ stdenv, fetchurl, fetchpatch, libpaper, gperf, file, perl }:
 stdenv.mkDerivation rec {
 name = "a2ps-4.14";
@@ -7,14 +7,28 @@ stdenv.mkDerivation rec {
 sha256 = "195k78m1h03m961qn7jr120z815iyb93gwi159p1p9348lyqvbpk";
 };
+ patches = [
+ (fetchpatch {
+ url = "https://sources.debian.net/data/main/a/a2ps/1:4.14-1.3/debian/patches/09_CVE-2001-1593.diff";
+ sha256 = "1hrfmvb21zlklmg2fqikgywhqgc4qnvbhx517w87faafrhzhlnh0";
+ })
+ (fetchpatch {
+ url = "https://sources.debian.net/data/main/a/a2ps/1:4.14-1.3/debian/patches/CVE-2014-0466.diff";
+ sha256 = "0grqqsc3m45niac56m19m5gx7gc0m8zvia5iman1l4rlq31shf8s";
+ })
+ (fetchpatch {
+ url = "https://sources.debian.net/data/main/a/a2ps/1:4.14-1.3/debian/patches/fix-format-security.diff";
+ sha256 = "0pq7zl41gf2kc6ahwyjnzn93vbxb4jc2c5g8j20isp4vw6dqrnwv";
+ })
+ ];
+
 postPatch = ''
 substituteInPlace afm/make_fonts_map.sh --replace "/bin/rm" "rm"
 substituteInPlace tests/defs.in --replace "/bin/rm" "rm"
 '';
- buildInputs = [ libpaper gperf file ];
-
- hardeningDisable = [ "format" ];
+ nativeBuildInputs = [ file perl ];
+ buildInputs = [ libpaper gperf ];
 meta = with stdenv.lib; {
 description = "An Anything to PostScript converter and pretty-printer";
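Review bot: The new `patches` list and the removal of `hardeningDisable = [ "format" ]` are coupled, but nothing in the second hunk records that. The build presumably only passes with the format hardening flag on because `fix-format-security.diff` is applied. A comment above that entry, such as `# required for the "format" hardening flag; re-test before dropping`, would make the dependency explicit. A one-line comment on each of the two CVE patches would also help, so a later version bump does not drop a security fix unnoticed. The pinned `sha256` values protect the integrity of the fetched patches, but every URL names a single Debian revision (`1:4.14-1.3`), so refetching presumably depends on that revision staying available on the sources host. The `mkDerivation` body starts before this hunk and continues past it.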