diff --git a/CVE-2015-8547.patch b/CVE-2015-8547.patch
new file mode 100644
index 0000000..a32dcfb
--- /dev/null
+++ b/CVE-2015-8547.patch
@@ -0,0 +1,22 @@
+From 476aaa050f26d6a31494631d172724409e4c569b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Konstantin=20Bl=C3=A4si?= <kblaesi@gmail.com>
+Date: Wed, 21 Oct 2015 03:26:02 +0200
+Subject: [PATCH] Fixes a crash of the core when executing "/op *" in a query.
+
+---
+ src/core/coreuserinputhandler.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/core/coreuserinputhandler.cpp b/src/core/coreuserinputhandler.cpp
+index 7887a92..73aac48 100644
+--- a/src/core/coreuserinputhandler.cpp
++++ b/src/core/coreuserinputhandler.cpp
+@@ -228,7 +228,7 @@ void CoreUserInputHandler::doMode(const BufferInfo &bufferInfo, const QChar& add
+     if (!isNumber || maxModes == 0) maxModes = 1;
+ 
+     QStringList nickList;
+-    if (nicks == "*") { // All users in channel
++    if (nicks == "*" && bufferInfo.type() == BufferInfo::ChannelBuffer) { // All users in channel
+         const QList<IrcUser*> users = network()->ircChannel(bufferInfo.bufferName())->ircUsers();
+         foreach(IrcUser *user, users) {
+             if ((addOrRemove == '+' && !network()->ircChannel(bufferInfo.bufferName())->userModes(user).contains(mode))
diff --git a/quassel.changes b/quassel.changes
index 19e018b..d583362 100644
--- a/quassel.changes
+++ b/quassel.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Mon Dec 14 12:14:48 UTC 2015 - tchvatal@suse.com
+
+- Apply patch for bnc#958928 CVE-2015-8547:
+  * CVE-2015-8547.patch
+
 -------------------------------------------------------------------
 Sun Nov 15 12:16:24 UTC 2015 - vbabka@suse.com
 
diff --git a/quassel.spec b/quassel.spec
index 93b0290..335e8c7 100644
--- a/quassel.spec
+++ b/quassel.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package quassel
 #
-# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -35,6 +35,8 @@ Patch0:         quassel-set-required-libs-and-flags.patch
 Patch1:         Fix-build-with-Qt-5.5.patch
 # PATCH-FIX-UPSTREAM Fix-rejoining-parted-channels.patch
 Patch2:         Fix-rejoining-parted-channels.patch
+# PATCH-FIX-UPSTREAM: fix CVE-2015-8547
+Patch3:         CVE-2015-8547.patch
 BuildRequires:  cmake >= 2.8.10
 BuildRequires:  extra-cmake-modules
 BuildRequires:  fdupes
@@ -163,6 +165,7 @@ This contains common parts shared by %{name} and %{name}-client
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
 
 %build
 FAKE_BUILDDATE=$(LC_ALL=C date -r %{_sourcedir}/%{name}.changes '+%%b %%e %%Y')