diff --git a/libjpeg-turbo-CVE-2020-13790.patch b/libjpeg-turbo-CVE-2020-13790.patch
new file mode 100644
index 0000000..6a1f7b6
--- /dev/null
+++ b/libjpeg-turbo-CVE-2020-13790.patch
@@ -0,0 +1,12 @@
+--- a/rdppm.c
++++ b/rdppm.c
+@@ -720,7 +720,7 @@ start_input_ppm(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
+ /* On 16-bit-int machines we have to be careful of maxval = 65535 */
+ source->rescale = (JSAMPLE *)
+ (*cinfo->mem->alloc_small) ((j_common_ptr)cinfo, JPOOL_IMAGE,
+- (size_t)(((long)maxval + 1L) *
++ (size_t)(((long)MAX(maxval, 255) + 1L) *
+ sizeof(JSAMPLE)));
+ half_maxval = maxval / 2;
+ for (val = 0; val <= (long)maxval; val++) {
+
diff --git a/libjpeg-turbo.changes b/libjpeg-turbo.changes
index b920f7f..98fea37 100644
--- a/libjpeg-turbo.changes
+++ b/libjpeg-turbo.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Mon Jun 8 11:49:47 UTC 2020 - pgajdos@suse.com
+
+- security update
+- added patches
+ fix CVE-2020-13790 [bsc#1172491], heap-based buffer over-read in get_rgb_row() in rdppm.c via a malformed PPM input file
+ + libjpeg-turbo-CVE-2020-13790.patch
+
 -------------------------------------------------------------------
 Sun Mar 29 10:02:02 UTC 2020 - Aaron Stern
diff --git a/libjpeg-turbo.spec b/libjpeg-turbo.spec
index 3b8d9ec..3cd8473 100644
--- a/libjpeg-turbo.spec
+++ b/libjpeg-turbo.spec
@@ -39,6 +39,8 @@ Source0: http://downloads.sf.net/libjpeg-turbo/libjpeg-turbo-%{version}.t
 Source1: baselibs.conf
 Patch1: libjpeg-turbo-1.3.0-tiff-ojpeg.patch
 Patch2: ctest-depends.patch
+# CVE-2020-13790 [bsc#1172491], heap-based buffer over-read in get_rgb_row() in rdppm.c via a malformed PPM input file
+Patch3: libjpeg-turbo-CVE-2020-13790.patch
 BuildRequires: cmake
 BuildRequires: gcc-c++
 BuildRequires: pkgconfig
@@ -104,6 +106,7 @@ files using the libjpeg library.
 %setup -q
 %patch1
 %patch2 -p1
+%patch3 -p1
 %build
 MYLDFLAGS="-Wl,-z,relro,-z,now"
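Review bot: The rescale table looks only partly initialised when maxval < 255 in the rdppm.c change carried by libjpeg-turbo-CVE-2020-13790.patch: the allocation now covers at least 256 entries, but the fill loop at the end of the embedded hunk, `for (val = 0; val <= (long)maxval; val++)`, still stops at `maxval`. A sample byte above maxval in a malformed file would then no longer index past the buffer, but it would still be mapped through indeterminate heap contents unless `alloc_small` returns zeroed memory, which is not visible here. I would zero the table right after the allocation, e.g. `MEMZERO(source->rescale, (size_t)(((long)MAX(maxval, 255) + 1L) * sizeof(JSAMPLE)));`, or have the row readers reject samples greater than maxval. The loop body and the rest of start_input_ppm lie outside the hunk, so this should be confirmed against the full rdppm.c.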
diff --git a/libjpeg62-turbo.spec b/libjpeg62-turbo.spec
index 0f49ba7..871799e 100644
--- a/libjpeg62-turbo.spec
+++ b/libjpeg62-turbo.spec
@@ -34,6 +34,8 @@ Source2: libjpeg-turbo.keyring
 Source3: baselibs.conf
 Patch1: libjpeg-turbo-1.3.0-tiff-ojpeg.patch
 Patch2: ctest-depends.patch
+# CVE-2020-13790 [bsc#1172491], heap-based buffer over-read in get_rgb_row() in rdppm.c via a malformed PPM input file
+Patch3: libjpeg-turbo-CVE-2020-13790.patch
 BuildRequires: cmake
 BuildRequires: gcc-c++
 # needed for tests as we remove the lib here
@@ -78,6 +80,7 @@ files using the libjpeg library.
 %setup -q -n libjpeg-turbo-%{srcver}
 %patch1
 %patch2 -p1
+%patch3 -p1
 %build
 export LDFLAGS="-Wl,-z,relro,-z,now"