diff --git a/CVE-2018-6381.patch b/CVE-2018-6381.patch
new file mode 100644
index 0000000..a6beff9
--- /dev/null
+++ b/CVE-2018-6381.patch
@@ -0,0 +1,19 @@
+Index: zziplib-0.13.67/zzip/memdisk.c
+===================================================================
+--- zziplib-0.13.67.orig/zzip/memdisk.c
++++ zziplib-0.13.67/zzip/memdisk.c
+@@ -209,6 +209,14 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
+ item->zz_diskstart = zzip_disk_entry_get_diskstart(entry);
+ item->zz_filetype = zzip_disk_entry_get_filetype(entry);
+
++ /*
++ * If the file is uncompressed, zz_csize and zz_usize should be the same
++ * If they are not, we cannot guarantee that either is correct, so ...
++ */
++ if (item->zz_compr == ZZIP_IS_STORED && item->zz_csize != item->zz_usize)
++ {
++ goto error;
++ }
+ /* zz_comment and zz_name are empty strings if not present on disk */
+ if (! item->zz_comment || ! item->zz_name)
+ {
diff --git a/CVE-2018-6484.patch b/CVE-2018-6484.patch
new file mode 100644
index 0000000..04ab98b
--- /dev/null
+++ b/CVE-2018-6484.patch
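Review bot: The comment above the new STORED-size check trails off with "so ..." and never states what follows from the mismatch, so a reader has to work out from the `goto error` that the whole entry is discarded. I would finish the sentence, e.g. `* If they are not, we cannot guarantee that either is correct, so the entry is rejected as corrupt rather than trusting either value.` The `error` label the `goto` jumps to is outside the hunk, as is the start of zzip_mem_entry_new; the existing `zz_comment`/`zz_name` check right after appears to take the same path, so the label presumably releases `item`, but that is worth confirming since the new jump happens before any later initialisation of the entry.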
@@ -0,0 +1,43 @@
+Index: zziplib-0.13.67/zzip/zip.c
+===================================================================
+--- zziplib-0.13.67.orig/zzip/zip.c
++++ zziplib-0.13.67/zzip/zip.c
+@@ -320,6 +320,12 @@ __zzip_fetch_disk_trailer(int fd, zzip_o
+ # endif
+
+ __fixup_rootseek(offset + tail - mapped, trailer);
++ /*
++ * "extract data from files archived in a single zip file."
++ * So the file offsets must be within the current ZIP archive!
++ */
++ if (trailer->zz_rootseek >= filesize || (trailer->zz_rootseek + trailer->zz_rootsize) >= filesize)
++ return(ZZIP_CORRUPTED);
+ { return(0); }
+ } else if ((*tail == 'P') &&
+ end - tail >=
+@@ -338,6 +344,12 @@ __zzip_fetch_disk_trailer(int fd, zzip_o
+ zzip_disk64_trailer_finalentries(orig);
+ trailer->zz_rootseek = zzip_disk64_trailer_rootseek(orig);
+ trailer->zz_rootsize = zzip_disk64_trailer_rootsize(orig);
++ /*
++ * "extract data from files archived in a single zip file."
++ * So the file offsets must be within the current ZIP archive!
++ */
++ if (trailer->zz_rootseek >= filesize || (trailer->zz_rootseek + trailer->zz_rootsize) >= filesize)
++ return(ZZIP_CORRUPTED);
+ { return(0); }
+ # endif
+ }
+Index: zziplib-0.13.67/bins/unzzipcat-zip.c
+===================================================================
+--- zziplib-0.13.67.orig/bins/unzzipcat-zip.c
++++ zziplib-0.13.67/bins/unzzipcat-zip.c
+@@ -78,7 +78,7 @@ static int unzzip_cat (int argc, char **
+
+ disk = zzip_dir_open (argv[1], &error);
+ if (! disk) {
+- perror(argv[1]);
++ fprintf(stderr, "%s: %s\n", argv[1], zzip_strerror(error));
+ return -1;
+ }
+
diff --git a/zziplib.changes b/zziplib.changes
index 1ec93dd..34e890e 100644
--- a/zziplib.changes
+++ b/zziplib.changes
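Review bot: The range check added in both zip.c hunks computes `trailer->zz_rootseek + trailer->zz_rootsize` before comparing it with `filesize`, so a sufficiently large `zz_rootsize` read from the archive can wrap the addition and slip past the test; the width and signedness of the trailer fields and of `filesize` are not visible here, so whether that is reachable depends on their declarations. Rewriting the second operand as a subtraction sidesteps the question, since the first comparison already guarantees `zz_rootseek < filesize`: `if (trailer->zz_rootseek >= filesize || trailer->zz_rootsize >= filesize - trailer->zz_rootseek) return(ZZIP_CORRUPTED);`. If the fields are signed, a negative `zz_rootseek` or `zz_rootsize` also satisfies neither comparison and should be rejected explicitly. The comment and condition are duplicated verbatim in the second hunk at line 344; a small static helper taking the trailer and `filesize` would keep the two in step. __zzip_fetch_disk_trailer begins before and ends after both hunks.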
@@ -1,3 +1,18 @@
+-------------------------------------------------------------------
+Fri Feb 2 09:31:49 UTC 2018 - josef.moellers@suse.com
+
+- Reject the ZIP file and report it as corrupt if the size of the
+ central directory and/or the offset of start of central directory
+ point beyond the end of the ZIP file.
+ [CVE-2018-6484, boo#1078701, CVE-2018-6484.patch]
+
+-------------------------------------------------------------------
+Thu Feb 1 10:49:56 UTC 2018 - josef.moellers@suse.com
+
+- If a file is uncompressed, compressed and uncompressed sizes
+ should be identical.
+ [CVE-2018-6381, bsc#1078497, CVE-2018-6381.patch]
+
 -------------------------------------------------------------------
 Tue Jan 23 20:18:19 UTC 2018 - tchvatal@suse.com
 
diff --git a/zziplib.spec b/zziplib.spec
index e15c293..4631cb1 100644
--- a/zziplib.spec
+++ b/zziplib.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package zziplib
 #
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -29,6 +29,8 @@ Source2: baselibs.conf
 Patch0: zziplib-0.13.62.patch
 Patch1: zziplib-0.13.62-wronglinking.patch
 Patch2: zziplib-largefile.patch
+Patch3: CVE-2018-6381.patch
+Patch4: CVE-2018-6484.patch
 BuildRequires: autoconf
 BuildRequires: automake
 BuildRequires: fdupes
@@ -66,6 +68,8 @@ ZZipLib.
 %patch0
 %patch1
 %patch2
+%patch3 -p1
+%patch4 -p1
 # do not bother with html docs saving us python2 dependency
 sed -i -e 's:docs ::g' Makefile.am