diff --git a/pkgs/development/libraries/libgrss/default.nix b/pkgs/development/libraries/libgrss/default.nix
index 8c5ea73af0b..5e1c2b17858 100644
--- a/pkgs/development/libraries/libgrss/default.nix
+++ b/pkgs/development/libraries/libgrss/default.nix
@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchurl, pkg-config, vala, gobject-introspection, gtk-doc, docbook_xsl, docbook_xml_dtd_412, glib, libxml2, libsoup, gnome }:
+{ lib, stdenv, fetchurl, fetchpatch, pkg-config, vala, gobject-introspection, gtk-doc, docbook_xsl, docbook_xml_dtd_412, glib, libxml2, libsoup, gnome }:
 
 let
   version = "0.7.0";
@@ -14,6 +14,15 @@ stdenv.mkDerivation {
     sha256 = "1nalslgyglvhpva3px06fj6lv5zgfg0qmj0sbxyyl5d963vc02b7";
   };
 
+  patches = [
+    (fetchpatch {
+      name = "CVE-2016-20011.patch";
+      # https://gitlab.gnome.org/GNOME/libgrss/-/merge_requests/7, not yet merged!
+      url = "https://gitlab.gnome.org/GNOME/libgrss/-/commit/2c6ea642663e2a44efc8583fae7c54b7b98f72b3.patch";
+      sha256 = "1ijvq2jl97vphcvrbrqxvszdmv6yyjfygdca9vyaijpafwyzzb18";
+    })
+  ];
+
   nativeBuildInputs = [ pkg-config vala gobject-introspection gtk-doc docbook_xsl docbook_xml_dtd_412 ];
   buildInputs = [ glib libxml2 libsoup ];