diff --git a/openexr-CVE-2017-14988.patch b/openexr-CVE-2017-14988.patch
new file mode 100644
index 0000000..e673479
--- /dev/null
+++ b/openexr-CVE-2017-14988.patch
@@ -0,0 +1,15 @@
+--- a/IlmImf/ImfHeader.cpp
++++ b/IlmImf/ImfHeader.cpp
+@@ -1185,6 +1185,11 @@ Header::readFrom (OPENEXR_IMF_INTERNAL_NAMESPACE::IStream &is, int &version)
+ 	checkIsNullTerminated (typeName, "attribute type name");
+ 	OPENEXR_IMF_INTERNAL_NAMESPACE::Xdr::read <OPENEXR_IMF_INTERNAL_NAMESPACE::StreamIO> (is, size);
+ 
++    if( size < 0 )
++    {
++        throw IEX_NAMESPACE::InputExc("Invalid size field in header attribute");
++    }
++
+ 	AttributeMap::iterator i = _map.find (name);
+ 
+ 	if (i != _map.end())
+
diff --git a/openexr.changes b/openexr.changes
index d5ba947..057ee94 100644
--- a/openexr.changes
+++ b/openexr.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Mon Jul 15 14:06:20 UTC 2019 - pgajdos@suse.com
+
+- security update
+- added patches
+  CVE-2017-14988 [bsc#1061305]
+  + openexr-CVE-2017-14988.patch
+
 -------------------------------------------------------------------
 Fri Jun 14 19:30:32 UTC 2019 - pgajdos@suse.com
 
diff --git a/openexr.spec b/openexr.spec
index 8b64916..25c319b 100644
--- a/openexr.spec
+++ b/openexr.spec
@@ -40,6 +40,8 @@ Patch0:         openexr-CVE-2018-18444.patch
 # https://github.com/openexr/openexr/pull/401
 # CVE-2017-9111 [bsc#1040109], CVE-2017-9113 [bsc#1040113], CVE-2017-9115 [bsc#1040115]
 Patch1:         openexr-CVE-2017-9111,9113,9115.patch
+# CVE-2017-14988 [bsc#1061305]
+Patch2:         openexr-CVE-2017-14988.patch
 BuildRequires:  automake
 BuildRequires:  fltk-devel
 BuildRequires:  freeglut-devel
@@ -140,6 +142,7 @@ This package contains documentation.
 %setup -q
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
 
 %build
 export PTHREAD_LIBS="-lpthread"