diff --git a/libjpeg-turbo-CVE-2023-2804.patch b/libjpeg-turbo-CVE-2023-2804.patch
new file mode 100644
index 0000000..e779d40
--- /dev/null
+++ b/libjpeg-turbo-CVE-2023-2804.patch
@@ -0,0 +1,14 @@
+Index: libjpeg-turbo-2.1.5.1/jdmaster.c
+===================================================================
+--- libjpeg-turbo-2.1.5.1.orig/jdmaster.c
++++ libjpeg-turbo-2.1.5.1/jdmaster.c
+@@ -33,6 +33,9 @@ LOCAL(boolean)
+ use_merged_upsample(j_decompress_ptr cinfo)
+ {
+ #ifdef UPSAMPLE_MERGING_SUPPORTED
++  /* Colorspace conversion is not supported with lossless JPEG images */
++  if (cinfo->master->lossless)
++    return FALSE;
+   /* Merging is the equivalent of plain box-filter upsampling */
+   if (cinfo->do_fancy_upsampling || cinfo->CCIR601_sampling)
+     return FALSE;
diff --git a/libjpeg-turbo.changes b/libjpeg-turbo.changes
index 3f8ef4a..3da9eb9 100644
--- a/libjpeg-turbo.changes
+++ b/libjpeg-turbo.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Fri Jun  2 07:31:13 UTC 2023 - pgajdos@suse.com
+
+- security update
+- added patches
+  fix CVE-2023-2804 [bsc#1211542], heap-buffer-overflow in h2v2_merged_upsample_internal() at /libjpeg-turbo/jdmrgext.c
+  + libjpeg-turbo-CVE-2023-2804.patch
+
 -------------------------------------------------------------------
 Thu May  4 11:37:31 UTC 2023 - Dominique Leuenberger <dimstar@opensuse.org>
 
diff --git a/libjpeg-turbo.spec b/libjpeg-turbo.spec
index 798ed5f..76e9d27 100644
--- a/libjpeg-turbo.spec
+++ b/libjpeg-turbo.spec
@@ -37,6 +37,8 @@ Source1:        https://downloads.sf.net/libjpeg-turbo/libjpeg-turbo-%{version}.
 Source2:        libjpeg-turbo.keyring
 Source3:        baselibs.conf
 Patch1:         libjpeg-turbo-1.3.0-tiff-ojpeg.patch
+# CVE-2023-2804 [bsc#1211542], heap-buffer-overflow in h2v2_merged_upsample_internal() at /libjpeg-turbo/jdmrgext.c
+Patch2:         libjpeg-turbo-CVE-2023-2804.patch
 BuildRequires:  cmake
 BuildRequires:  gcc-c++
 BuildRequires:  nasm
@@ -100,6 +102,7 @@ files using the libjpeg library.
 %prep
 %setup -q
 %patch1
+%patch2 -p1
 
 %build
 MYLDFLAGS="-Wl,-z,relro,-z,now"
diff --git a/libjpeg62-turbo.spec b/libjpeg62-turbo.spec
index 0f8b937..389fb3b 100644
--- a/libjpeg62-turbo.spec
+++ b/libjpeg62-turbo.spec
@@ -32,6 +32,8 @@ Source1:        https://downloads.sf.net/libjpeg-turbo/libjpeg-turbo-%{version}.
 Source2:        libjpeg-turbo.keyring
 Source3:        baselibs.conf
 Patch1:         libjpeg-turbo-1.3.0-tiff-ojpeg.patch
+# CVE-2023-2804 [bsc#1211542], heap-buffer-overflow in h2v2_merged_upsample_internal() at /libjpeg-turbo/jdmrgext.c
+Patch2:         libjpeg-turbo-CVE-2023-2804.patch
 BuildRequires:  cmake
 BuildRequires:  gcc-c++
 # needed for tests as we remove the lib here
@@ -73,6 +75,7 @@ files using the libjpeg library.
 %prep
 %setup -q -n libjpeg-turbo-%{srcver}
 %patch1
+%patch2 -p1
 
 %build
 export LDFLAGS="-Wl,-z,relro,-z,now"