diff --git a/srcpkgs/zziplib/patches/0001-CVE-2018-17828.patch b/srcpkgs/zziplib/patches/0001-CVE-2018-17828.patch
new file mode 100644
index 00000000000..24ed5125d3a
--- /dev/null
+++ b/srcpkgs/zziplib/patches/0001-CVE-2018-17828.patch
@@ -0,0 +1,91 @@
+From 535fa8d4deedc1da59884ce4f2fcc6528bf07251 Mon Sep 17 00:00:00 2001
+From: Nathan Owens <ndowens04@gmail.com>
+Date: Sat, 12 Jan 2019 22:29:49 -0600
+Subject: [PATCH] CVE-2018-17828
+
+---
+ bins/unzzipcat-big.c |  57 ++++++++++++++++++++++++++++++++++++++++++-
+ test/test.zip        | Bin 1361 -> 0 bytes
+ 2 files changed, 56 insertions(+), 1 deletion(-)
+ delete mode 100644 test/test.zip
+
+diff --git bins/unzzipcat-big.c bins/unzzipcat-big.c
+index 982d262..88c4d65 100644
+--- bins/unzzipcat-big.c
++++ bins/unzzipcat-big.c
+@@ -53,6 +53,48 @@ static void unzzip_cat_file(FILE* disk, char* name, FILE* out)
+     }
+ }
+ 
++/*
++ * NAME: remove_dotdotslash
++ * PURPOSE: To remove any "../" components from the given pathname
++ * ARGUMENTS: path: path name with maybe "../" components
++ * RETURNS: Nothing, "path" is modified in-place
++ * NOTE: removing "../" from the path ALWAYS shortens the path, never adds to it!
++ *	Also, "path" is not used after creating it.
++ *	So modifying "path" in-place is safe to do.
++ */
++static inline void
++remove_dotdotslash(char *path)
++{
++    /* Note: removing "../" from the path ALWAYS shortens the path, never adds to it! */
++    char *dotdotslash;
++    int warned = 0;
++
++    dotdotslash = path;
++    while ((dotdotslash = strstr(dotdotslash, "../")) != NULL)
++    {
++        /*
++         * Remove only if at the beginning of the pathname ("../path/name")
++         * or when preceded by a slash ("path/../name"),
++         * otherwise not ("path../name..")!
++         */
++        if (dotdotslash == path || dotdotslash[-1] == '/')
++        {
++            char *src, *dst;
++            if (!warned)
++            {
++                /* Note: the first time through the pathname is still intact */
++                fprintf(stderr, "Removing \"../\" path component(s) in %s\n", path);
++                warned = 1;
++            }
++            /* We cannot use strcpy(), as there "The strings may not overlap" */
++            for (src = dotdotslash+3, dst=dotdotslash; (*dst = *src) != '\0'; src++, dst++)
++                ;
++        }
++        else
++            dotdotslash +=3;	/* skip this instance to prevent infinite loop */
++    }
++}
++
+ static void makedirs(const char* name)
+ {
+       char* p = strrchr(name, '/');
+@@ -70,6 +112,16 @@ static void makedirs(const char* name)
+ 
+ static FILE* create_fopen(char* name, char* mode, int subdirs)
+ {
++   char *name_stripped;
++   FILE *fp;
++   int mustfree = 0;
++
++   if ((name_stripped = strdup(name)) != NULL)
++   {
++       remove_dotdotslash(name_stripped);
++       name = name_stripped;
++       mustfree = 1;
++   }
+    if (subdirs)
+    {
+       char* p = strrchr(name, '/');
+@@ -79,7 +131,10 @@ static FILE* create_fopen(char* name, char* mode, int subdirs)
+           free (dir_name);
+       }
+    }
+-   return fopen(name, mode);      
++   fp = fopen(name, mode);
++   if (mustfree)
++       free(name_stripped);
++    return fp;
+ }
diff --git a/srcpkgs/zziplib/patches/CVE-2018-16548.patch b/srcpkgs/zziplib/patches/CVE-2018-16548.patch
new file mode 100644
index 00000000000..2bdca93ae00
--- /dev/null
+++ b/srcpkgs/zziplib/patches/CVE-2018-16548.patch
@@ -0,0 +1,172 @@
+From 59c36ebe29fddd832c7afecc26dc5fe3e61faf1f Mon Sep 17 00:00:00 2001
+From: jmoellers <josef.moellers@suse.com>
+Date: Fri, 7 Sep 2018 13:55:35 +0200
+Subject: [PATCH 1/3] One more free() to avoid memory leak.
+
+---
+ zzip/zip.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git zzip/zip.c zzip/zip.c
+index 14e2e06..a28456f 100644
+--- zzip/zip.c
++++ zzip/zip.c
+@@ -575,6 +575,8 @@ __zzip_parse_root_directory(int fd,
+         if (hdr_return)
+             *hdr_return = hdr0;
+     }                           /* else zero (sane) entries */
++    else
++        free(hdr0);
+ #  ifndef ZZIP_ALLOW_MODULO_ENTRIES
+     return (entries != zz_entries ? ZZIP_CORRUPTED : 0);
+ #  else
+-- 
+2.20.1
+
+
+From 490d6e72031790da0a4d229d13f7d5a389789977 Mon Sep 17 00:00:00 2001
+From: jmoellers <josef.moellers@suse.com>
+Date: Fri, 7 Sep 2018 11:49:28 +0200
+Subject: [PATCH 2/3] Avoid memory leak from __zzip_parse_root_directory().
+
+---
+ zzip/zip.c | 28 ++++++++++++++++++++--------
+ 1 file changed, 20 insertions(+), 8 deletions(-)
+
+diff --git zzip/zip.c zzip/zip.c
+index a28456f..51a1a4d 100644
+--- zzip/zip.c
++++ zzip/zip.c
+@@ -82,7 +82,8 @@ int __zzip_fetch_disk_trailer(int fd, zzip_off_t filesize,
+ int __zzip_parse_root_directory(int fd,
+                                 struct _disk_trailer *trailer,
+                                 struct zzip_dir_hdr **hdr_return,
+-                                zzip_plugin_io_t io);
++                                zzip_plugin_io_t io,
++				zzip_off_t filesize);
+ 
+ _zzip_inline static char *__zzip_aligned4(char *p);
+ 
+@@ -406,7 +407,8 @@ int
+ __zzip_parse_root_directory(int fd,
+                             struct _disk_trailer *trailer,
+                             struct zzip_dir_hdr **hdr_return,
+-                            zzip_plugin_io_t io)
++                            zzip_plugin_io_t io,
++                            zzip_off_t filesize)
+ {
+     auto struct zzip_disk_entry dirent;
+     struct zzip_dir_hdr *hdr;
+@@ -421,7 +423,8 @@ __zzip_parse_root_directory(int fd,
+     zzip_off64_t zz_rootseek = _disk_trailer_rootseek(trailer);
+     __correct_rootseek(zz_rootseek, zz_rootsize, trailer);
+ 
+-    if (zz_entries < 0 || zz_rootseek < 0 || zz_rootsize < 0)
++    if (zz_entries <= 0 || zz_rootsize < 0 ||
++        zz_rootseek < 0 || zz_rootseek >= filesize)
+         return ZZIP_CORRUPTED;
+ 
+     hdr0 = (struct zzip_dir_hdr *) malloc(zz_rootsize);
+@@ -472,9 +475,15 @@ __zzip_parse_root_directory(int fd,
+         } else
+         {
+             if (io->fd.seeks(fd, zz_rootseek + zz_offset, SEEK_SET) < 0)
++	    {
++	    	free(hdr0);
+                 return ZZIP_DIR_SEEK;
++	    }
+             if (io->fd.read(fd, &dirent, sizeof(dirent)) < __sizeof(dirent))
++	    {
++	    	free(hdr0);
+                 return ZZIP_DIR_READ;
++	    }
+             d = &dirent;
+         }
+ 
+@@ -574,13 +583,16 @@ __zzip_parse_root_directory(int fd,
+ 
+         if (hdr_return)
+             *hdr_return = hdr0;
++	else
++	{
++	    /* If it is not assigned to *hdr_return, it will never be free()'d */
++	    free(hdr0);
++	}
+     }                           /* else zero (sane) entries */
+-    else
+-        free(hdr0);
+ #  ifndef ZZIP_ALLOW_MODULO_ENTRIES
+-    return (entries != zz_entries ? ZZIP_CORRUPTED : 0);
++    return (entries != zz_entries) ? ZZIP_CORRUPTED : 0;
+ #  else
+-    return ((entries & (unsigned)0xFFFF) != zz_entries ? ZZIP_CORRUPTED : 0);
++    return ((entries & (unsigned)0xFFFF) != zz_entries) ? ZZIP_CORRUPTED : 0;
+ #  endif
+ }
+ 
+@@ -757,7 +769,7 @@ __zzip_dir_parse(ZZIP_DIR * dir)
+           (long) _disk_trailer_rootseek(&trailer));
+ 
+     if ((rv = __zzip_parse_root_directory(dir->fd, &trailer, &dir->hdr0,
+-                                          dir->io)) != 0)
++                                          dir->io, filesize)) != 0)
+         { goto error; }
+   error:
+     return rv;
+-- 
+2.20.1
+
+
+From aab49d23bc28d13183cb62e71b884e24595cbe65 Mon Sep 17 00:00:00 2001
+From: jmoellers <josef.moellers@suse.com>
+Date: Fri, 7 Sep 2018 11:32:04 +0200
+Subject: [PATCH 3/3] Avoid memory leak from __zzip_parse_root_directory().
+
+---
+ zzip/zip.c | 25 +++++++++++++++++++++++--
+ 1 file changed, 23 insertions(+), 2 deletions(-)
+
+diff --git zzip/zip.c zzip/zip.c
+index 51a1a4d..a685280 100644
+--- zzip/zip.c
++++ zzip/zip.c
+@@ -587,13 +587,34 @@ __zzip_parse_root_directory(int fd,
+ 	{
+ 	    /* If it is not assigned to *hdr_return, it will never be free()'d */
+ 	    free(hdr0);
++	    /* Make sure we don't free it again in case of error */
++	    hdr0 = NULL;
+ 	}
+     }                           /* else zero (sane) entries */
+ #  ifndef ZZIP_ALLOW_MODULO_ENTRIES
+-    return (entries != zz_entries) ? ZZIP_CORRUPTED : 0;
++    if (entries != zz_entries)
++    {
++	/* If it was assigned to *hdr_return, undo assignment */
++	if (p_reclen && hdr_return)
++	    *hdr_return = NULL;
++	/* Free it, if it was not already free()'d */
++	if (hdr0 != NULL)
++	    free(hdr0);
++	return ZZIP_CORRUPTED;
++    }
+ #  else
+-    return ((entries & (unsigned)0xFFFF) != zz_entries) ? ZZIP_CORRUPTED : 0;
++    if (((entries & (unsigned)0xFFFF) != zz_entries)
++    {
++	/* If it was assigned to *hdr_return, undo assignment */
++	if (p_reclen && hdr_return)
++	    *hdr_return = NULL;
++	/* Free it, if it was not already free()'d */
++	if (hdr0 != NULL)
++	    free(hdr0);
++	return ZZIP_CORRUPTED;
++    }
+ #  endif
++    return 0;
+ }
+ 
+ /* ------------------------- high-level interface ------------------------- */
+-- 
+2.20.1
+
diff --git a/srcpkgs/zziplib/template b/srcpkgs/zziplib/template
index 7f968cc790d..e1f785fc01f 100644
--- a/srcpkgs/zziplib/template
+++ b/srcpkgs/zziplib/template
@@ -1,14 +1,14 @@
 # Template file for 'zziplib'
 pkgname=zziplib
 version=0.13.69
-revision=1
+revision=2
 build_style=gnu-configure
 hostmakedepends="pkg-config python"
 makedepends="zlib-devel"
 short_desc="Lightweight library to extract data from zip files"
 maintainer="Juan RP <xtraeme@voidlinux.org>"
-homepage="https://github.com/gdraheim/zziplib"
 license="LGPL-2.1-or-later, MPL-1.1"
+homepage="https://github.com/gdraheim/zziplib"
 distfiles="https://github.com/gdraheim/zziplib/archive/v${version}.tar.gz"
 checksum=846246d7cdeee405d8d21e2922c6e97f55f24ecbe3b6dcf5778073a88f120544