diff --git a/gd-CVE-2019-11038.patch b/gd-CVE-2019-11038.patch
new file mode 100644
index 0000000..1127d16
--- /dev/null
+++ b/gd-CVE-2019-11038.patch
@@ -0,0 +1,18 @@
+diff --git a/src/gd_xbm.c b/src/gd_xbm.c
+index 4ca41acf..cf0545ef 100644
+--- a/src/gd_xbm.c
++++ b/src/gd_xbm.c
+@@ -169,7 +169,11 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromXbm(FILE * fd)
+ 			}
+ 			h[3] = ch;
+ 		}
+-		sscanf(h, "%x", &b);
++		if (sscanf(h, "%x", &b) != 1) {
++			gd_error("invalid XBM");
++			gdImageDestroy(im);
++			return 0;
++		}
+ 		for (bit = 1; bit <= max_bit; bit = bit << 1) {
+ 			gdImageSetPixel(im, x++, y, (b & bit) ? 1 : 0);
+ 			if (x == im->sx) {
+
diff --git a/gd.changes b/gd.changes
index c51d0e9..0d40b67 100644
--- a/gd.changes
+++ b/gd.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Tue Jul 16 09:12:06 UTC 2019 - pgajdos@suse.com
+
+- security update
+- added patches
+  CVE-2019-11038 [bsc#1140118]
+  + gd-CVE-2019-11038.patch
+
 -------------------------------------------------------------------
 Thu May 30 13:02:38 UTC 2019 - pgajdos@suse.com
 
diff --git a/gd.spec b/gd.spec
index 26140e1..e2dca9e 100644
--- a/gd.spec
+++ b/gd.spec
@@ -38,6 +38,8 @@ Patch5:         libgd-config.patch
 Patch6:         gd-CVE-2018-1000222.patch
 Patch7:         gd-CVE-2019-6978.patch
 Patch8:         gd-CVE-2019-6977.patch
+# CVE-2019-11038 [bsc#1140118]
+Patch9:         gd-CVE-2019-11038.patch
 # needed for tests
 BuildRequires:  dejavu
 BuildRequires:  libjpeg-devel
@@ -93,6 +95,7 @@ the formats accepted for inline images by most browsers.
 %patch6 -p1
 %patch7 -p1
 %patch8 -p1
+%patch9 -p1
 chmod 644 COPYING
 
 %build