diff --git a/pkgs/applications/misc/mupdf/default.nix b/pkgs/applications/misc/mupdf/default.nix
index b0d8ba3bb08..1b510221d12 100644
--- a/pkgs/applications/misc/mupdf/default.nix
+++ b/pkgs/applications/misc/mupdf/default.nix
@@ -39,6 +39,48 @@ in stdenv.mkDerivation rec {
       url = "http://git.ghostscript.com/?p=mupdf.git;a=patch;h=26527eef77b3e51c2258c8e40845bfbc015e405d;hp=ab98356f959c7a6e94b1ec10f78dd2c33ed3f3e7";
       sha256 = "1brcc029s5zmd6ya0d9qk3mh9qwx5g6vhsf1j8h879092sya5627";
     })
+    (fetchpatch {
+      # Bugs 698804/698810/698811, 698819: Keep PDF object numbers below limit.
+      name = "CVE-2017-17858.patch";
+      url = "http://git.ghostscript.com/?p=mupdf.git;a=patch;h=55c3f68d638ac1263a386e0aaa004bb6e8bde731";
+      sha256 = "1bf683d59i5009cv1hhmwmrp2rsb75cbf98qd44dk39cpvq8ydwv";
+    })
+    (fetchpatch {
+      # Bug 698825: Do not drop borrowed colorspaces.
+      name = "CVE-2018-1000051.patch";
+      url = "http://git.ghostscript.com/?p=mupdf.git;a=patch;h=321ba1de287016b0036bf4a56ce774ad11763384";
+      sha256 = "0jbcc9j565q5y305pi888qzlp83zww6nhkqbsmkk91gim958zikm";
+    })
+    (fetchpatch {
+      # Bug 698908 preprecondition: Add portable pseudo-random number generator based on the lrand48 family.
+      name = "CVE-2018-6187.0.1.patch";
+      url = "http://git.ghostscript.com/?p=mupdf.git;a=patch;h=2d5b4683e912d6e6e1f1e2ca5aa0297beb3e6807";
+      sha256 = "028bxinbjs5gg9myjr3vs366qxg9l2iyba2j3pxkxsh1851hj728";
+    })
+    (fetchpatch {
+      # Bug 698908 precondition: Fix "being able to search for redacted text" bug.
+      name = "CVE-2018-6187.0.2.patch";
+      url = "http://git.ghostscript.com/?p=mupdf.git;a=patch;h=25593f4f9df0c4a9b9adaa84aaa33fe2a89087f6";
+      sha256 = "195y69c3f8yqxcsa0bxrmxbdc3fx1dzvz8v66i56064mjj0mx04s";
+    })
+    (fetchpatch {
+      # Bug 698908: Resize object use and renumbering lists after repair.
+      name = "CVE-2018-6187.1.patch";
+      url = "http://git.ghostscript.com/?p=mupdf.git;a=patch;h=3e30fbb7bf5efd88df431e366492356e7eb969ec";
+      sha256 = "0wzbqj750h06q1wa6vxbpv5a5q9pfg0cxjdv88yggkrjb3vrkd9j";
+    })
+    (fetchpatch {
+      # Bug 698908: Plug PDF object leaks when decimating pages in pdfposter.
+      name = "CVE-2018-6187.2.patch";
+      url = "http://git.ghostscript.com/?p=mupdf.git;a=patch;h=a71e7c85a9f2313cde20d4479cd727a5f5518ed2";
+      sha256 = "1pcjkq8lg6l2m0186rl79lilg79crgdvz9hrmm3w60gy2gxkgksc";
+    })
+    (fetchpatch {
+      # Bug 698916: Indirect object numbers must be in range.
+      name = "CVE-2018-6192.patch";
+      url = "http://git.ghostscript.com/?p=mupdf.git;a=patch;h=5e411a99604ff6be5db9e273ee84737204113299";
+      sha256 = "134zc07fp0p1mwqa8xrkq3drg4crajzf1hjf4mdwmcy1jfj2pfhj";
+    })
   ]
 
   # Use shared libraries to decrease size