diff --git a/pkgs/tools/compression/bzip2/CVE-2016-3189.patch b/pkgs/tools/compression/bzip2/CVE-2016-3189.patch
new file mode 100644
index 000000000000..eff324b32503
--- /dev/null
+++ b/pkgs/tools/compression/bzip2/CVE-2016-3189.patch
@@ -0,0 +1,12 @@
+diff --git a/bzip2recover.c b/bzip2recover.c
+index f9de049..252c1b7 100644
+--- a/bzip2recover.c
++++ b/bzip2recover.c
+@@ -457,6 +457,7 @@ Int32 main ( Int32 argc, Char** argv )
+             bsPutUChar ( bsWr, 0x50 ); bsPutUChar ( bsWr, 0x90 );
+             bsPutUInt32 ( bsWr, blockCRC );
+             bsClose ( bsWr );
++            outFile = NULL;
+          }
+          if (wrBlock >= rbCtr) break;
+          wrBlock++;
diff --git a/pkgs/tools/compression/bzip2/default.nix b/pkgs/tools/compression/bzip2/default.nix
index cabd412fe65d..51f478110659 100644
--- a/pkgs/tools/compression/bzip2/default.nix
+++ b/pkgs/tools/compression/bzip2/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl
+{ stdenv, fetchurl, fetchpatch
 , linkStatic ? (stdenv.system == "i686-cygwin")
 }:
 
@@ -20,10 +20,16 @@ stdenv.mkDerivation rec {
     sha256 = "0b5b5p8c7bslc6fslcr1nj9136412v3qcvbg6yxi9argq9g72v8c";
   };
 
+  patches = [
+    ./CVE-2016-3189.patch
+  ];
+
+
   postPatch = ''
     sed -i -e '/<sys\\stat\.h>/s|\\|/|' bzip2.c
   '';
 
+
   outputs = [ "bin" "dev" "out" "man" ];
 
   configureFlags =