diff --git a/bzip2-1.0.6-CVE-2016-3189.patch b/bzip2-1.0.6-CVE-2016-3189.patch
new file mode 100644
index 0000000..311f666
--- /dev/null
+++ b/bzip2-1.0.6-CVE-2016-3189.patch
@@ -0,0 +1,15 @@
+Author: Jakub Martisko <jamartis@redhat.com>
+Date: Wed, 30 Mar 2016 10:22:27 +0200
+Description: bzip2recover: Fix potential use-after-free
+Origin: https://bugzilla.redhat.com/attachment.cgi?id=1169843&action=edit
+
+--- a/bzip2recover.c
++++ b/bzip2recover.c
+@@ -472,6 +472,7 @@ Int32 main ( Int32 argc, Char** argv )
+             bsPutUChar ( bsWr, 0x50 ); bsPutUChar ( bsWr, 0x90 );
+             bsPutUInt32 ( bsWr, blockCRC );
+             bsClose ( bsWr );
++            outFile = NULL;
+          }
+          if (wrBlock >= rbCtr) break;
+          wrBlock++;
diff --git a/bzip2.changes b/bzip2.changes
index 2ee4415..0f30028 100644
--- a/bzip2.changes
+++ b/bzip2.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu Apr 18 10:28:36 UTC 2019 - Kristýna Streitová <kstreitova@suse.com>
+
+- add bzip2-1.0.6-CVE-2016-3189.patch to fix a heap use after
+  free vulnerability that was reported in bzip2recover [bsc#985657]
+  [CVE-2016-3189]
+
 -------------------------------------------------------------------
 Tue Aug 21 11:28:34 UTC 2018 - christophe@krop.fr
 
diff --git a/bzip2.spec b/bzip2.spec
index 121c1b0..bd0ddb6 100644
--- a/bzip2.spec
+++ b/bzip2.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package bzip2
 #
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -37,6 +37,7 @@ Patch3:         bzip2-point-to-doc-pkg.patch
 Patch4:         bzip2-ocloexec.patch
 # PATCH-FIX-UPSTREAM bnc#970260 kstreitova@suse.com -- fix a wrong exit code when grepping multiple archives
 Patch5:         bzip2-1.0.6-bzgrep_return_value.patch
+Patch6:         bzip2-1.0.6-CVE-2016-3189.patch
 BuildRequires:  autoconf >= 2.57
 BuildRequires:  libtool
 BuildRequires:  pkgconfig
@@ -80,6 +81,7 @@ The bzip2 runtime library development files.
 %patch3 -p1
 %patch4
 %patch5 -p1
+%patch6 -p1
 
 %build
 autoreconf -fiv