diff --git a/epiphany-leak-fixes.patch b/epiphany-leak-fixes.patch
new file mode 100644
index 0000000..c34a2c1
--- /dev/null
+++ b/epiphany-leak-fixes.patch
@@ -0,0 +1,128 @@
+From 0dda917a8eb0fdeee4e380c090043c7ffb48aa43 Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanzaro@igalia.com>
+Date: Sun, 24 Jun 2018 16:06:24 -0500
+Subject: [PATCH] Fix leak in ephy_user_agent_get_internal
+
+If it returns a nonnull, zero-length string, then we leak it.
+---
+ lib/ephy-user-agent.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/lib/ephy-user-agent.c b/lib/ephy-user-agent.c
+index 7274db04e..7bcf6f50d 100644
+--- a/lib/ephy-user-agent.c
++++ b/lib/ephy-user-agent.c
+@@ -35,8 +35,11 @@ ephy_user_agent_get_internal (void)
+     return user_agent;
+ 
+   user_agent = g_settings_get_string (EPHY_SETTINGS_WEB, EPHY_PREFS_WEB_USER_AGENT);
+-  if (user_agent && user_agent[0])
+-    return user_agent;
++  if (user_agent) {
++    if (user_agent[0])
++      return user_agent;
++    g_free (user_agent);
++  }
+ 
+   settings = webkit_settings_new ();
+   user_agent = g_strdup_printf ("%s Epiphany/605.1.15", webkit_settings_get_user_agent (settings));
+-- 
+2.17.1
+
+From fe544cccca5acfd7e94ba84f3e5c1f57ba874664 Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanzaro@igalia.com>
+Date: Sun, 24 Jun 2018 17:38:33 -0500
+Subject: [PATCH] Fix multiple leaks in ephy_uri_decode
+
+---
+ lib/ephy-uri-helpers.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/lib/ephy-uri-helpers.c b/lib/ephy-uri-helpers.c
+index 143210f03..021ab07ab 100644
+--- a/lib/ephy-uri-helpers.c
++++ b/lib/ephy-uri-helpers.c
+@@ -459,6 +459,8 @@ ephy_uri_decode (const char *uri_string)
+ 
+     if (U_FAILURE (error)) {
+       g_warning ("ICU error converting domain %s for display: %d", uri->host, error);
++      soup_uri_free (uri);
++      g_free (idna_decoded_name);
+       return g_strdup (uri_string);
+     }
+ 
+@@ -466,6 +468,7 @@ ephy_uri_decode (const char *uri_string)
+     g_free (uri->host);
+     uri->host = evaluate_host_for_display (percent_decoded_host, idna_decoded_name);
+     g_free (percent_decoded_host);
++    g_free (idna_decoded_name);
+   }
+ 
+   /* Note: this also strips passwords from the display URI. */
+-- 
+2.17.1
+
+
+From 2e687706c0f42a3b0420b1980b458fd2aa5d6efe Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanzaro@igalia.com>
+Date: Sun, 24 Jun 2018 18:13:48 -0500
+Subject: [PATCH] Fix leak in adblock_filter_retrieve_data_new
+
+---
+ embed/ephy-filters-manager.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/embed/ephy-filters-manager.c b/embed/ephy-filters-manager.c
+index 96697041f..385e502a6 100644
+--- a/embed/ephy-filters-manager.c
++++ b/embed/ephy-filters-manager.c
+@@ -88,7 +88,7 @@ typedef struct {
+ static AdblockFilterRetrieveData *
+ adblock_filter_retrieve_data_new (EphyFiltersManager *manager,
+                                   EphyDownload       *download,
+-                                  char               *source_uri)
++                                  const char         *source_uri)
+ {
+   AdblockFilterRetrieveData* data;
+   data = g_slice_new (AdblockFilterRetrieveData);
+@@ -157,7 +157,7 @@ start_retrieving_filter_file (EphyFiltersManager *manager,
+   wk_download = ephy_download_get_webkit_download (download);
+   webkit_download_set_allow_overwrite (wk_download, TRUE);
+ 
+-  data = adblock_filter_retrieve_data_new (manager, download, g_strdup (filter_url));
++  data = adblock_filter_retrieve_data_new (manager, download, filter_url);
+ 
+   g_signal_connect (download, "completed",
+                     G_CALLBACK (download_completed_cb), data);
+-- 
+2.17.1
+
+From 3ed3677ccc5cbd5a62beabd43b802454110aeddd Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanzaro@igalia.com>
+Date: Sat, 30 Jun 2018 21:22:03 -0500
+Subject: [PATCH] Fix const qualifiers warning
+
+I introduced this warning recently when fixing the memory leak that was
+here.
+
+
+(cherry picked from commit 2d166afcfc083ce650192155e6925ed4f6d79bca)
+---
+ lib/ephy-uri-helpers.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/ephy-uri-helpers.c b/lib/ephy-uri-helpers.c
+index bb4fef3b0..6931f6780 100644
+--- a/lib/ephy-uri-helpers.c
++++ b/lib/ephy-uri-helpers.c
+@@ -508,7 +508,7 @@ char *
+ ephy_uri_to_security_origin (const char *uri_string)
+ {
+   WebKitSecurityOrigin *origin;
+-  const char *result;
++  char *result;
+ 
+   /* Convert to URI containing only protocol, host, and port. */
+   origin = webkit_security_origin_new_for_uri (uri_string);
+-- 
+2.17.1
diff --git a/epiphany.changes b/epiphany.changes
index c34ae9a..a496462 100644
--- a/epiphany.changes
+++ b/epiphany.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Mon Jun 25 09:33:27 UTC 2018 - bjorn.lie@gmail.com
+
+- Add epiphany-leak-fixes.patch: Fix multiple leaks.
+
 -------------------------------------------------------------------
 Wed Jun 13 23:25:20 UTC 2018 - bjorn.lie@gmail.com
 
diff --git a/epiphany.spec b/epiphany.spec
index 9841357..37010a7 100644
--- a/epiphany.spec
+++ b/epiphany.spec
@@ -29,6 +29,8 @@ Source99:       %{name}-rpmlintrc
 Patch0:         epiphany-uri-tester-fixes.patch
 # PATCH-FIX-UPSTREAM epip-revert-gsb-storage-dont-hardcode-Linux-threat-lists.patch -- Revert "gsb-storage: Don't hardcode Linux threat lists"
 Patch1:         epip-revert-gsb-storage-dont-hardcode-Linux-threat-lists.patch
+# PATCH-FIX-UPSTREAM epiphany-leak-fixes.patch -- Fix multiple leaks
+Patch2:         epiphany-leak-fixes.patch
 
 BuildRequires:  fdupes
 BuildRequires:  meson