diff --git a/enscript-CVE-vasnprintf.patch b/enscript-CVE-vasnprintf.patch
new file mode 100644
index 0000000..623f2ab
--- /dev/null
+++ b/enscript-CVE-vasnprintf.patch
@@ -0,0 +1,15 @@
+diff --git a/intl/vasnprintf.c b/intl/vasnprintf.c
+index 4a8e7f0..65ade71 100644
+--- a/intl/vasnprintf.c
++++ b/intl/vasnprintf.c
+@@ -758,7 +758,9 @@ convert_to_decimal (mpn_t a, size_t extra_zeroes)
+ size_t a_len = a.nlimbs;
+ /* 0.03345 is slightly larger than log(2)/(9*log(10)). */
+ size_t c_len = 9 * ((size_t)(a_len * (GMP_LIMB_BITS * 0.03345f)) + 1);
+- char *c_ptr = (char *) malloc (xsum (c_len, extra_zeroes));
++ /* We need extra_zeroes bytes for zeroes, followed by c_len bytes for the
++ digits of a, followed by 1 byte for the terminating NUL. */
++ char *c_ptr = (char *) malloc (xsum (xsum (extra_zeroes, c_len), 1));
+ if (c_ptr != NULL)
+ {
+ char *d_ptr = c_ptr;
diff --git a/enscript.spec b/enscript.spec
index 35a112d..7c96bfc 100644
--- a/enscript.spec
+++ b/enscript.spec
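Review bot: The added patch file starts directly at its `diff --git a/intl/vasnprintf.c` line, with no header recording where the fix comes from, so the one-line allocation change in `convert_to_decimal` cannot be checked against the upstream gnulib fix during an audit. A short preamble above the inner diff would cover it, for example `Backport of the upstream gnulib fix for the undersized buffer in convert_to_decimal (rhbz#1635896); upstream commit: <UPSTREAM_COMMIT_ID>`. The new size expression itself reads correctly: it reserves the NUL byte, keeps both additions inside `xsum`, and is followed by the existing `c_ptr != NULL` check; this presumably relies on `xsum` saturating on overflow, which is not visible here. Only `intl/vasnprintf.c` is touched, so it is worth confirming the source tree holds no second bundled copy of this function; the function body continues outside the inner hunk.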
@@ -29,12 +29,24 @@ Patch15: enscript-bufpos-crash.patch # rhbz: https://bugzilla.redhat.com/show_bug.cgi?id=1664367 # upstream patch: http://lists.gnu.org/archive/html/bug-enscript/2018-04/msg00008.html Patch16: 0001-enscript-newencodings.patch +# enscript bundles some gnulib source files, so some issues or CVEs in gnulib can be +# present in enscript +# gnulib CVE: https://bugzilla.redhat.com/show_bug.cgi?id=1635896 +Patch17: enscript-CVE-vasnprintf.patch # gcc is no longer in buildroot by default BuildRequires: gcc BuildRequires: autoconf, automake, gettext BuildRequires: gettext-devel +# our downstreamed gnulib bundles some gnulib files, so we need to provide +# this one. I'm not sure why we have gnulib files there, because upstream +# does not have these files. The correct way would be to extract these files, +# fix Makefiles to link correct gnulib and requires gnulib-'something' in spec +# file, but enscript is lowly used+low maintenance+mostly dead upstream package, +# so there is a little merit of doing it... +Provides: bundled(gnulib) + %description GNU enscript is a free replacement for Adobe's Enscript program. Enscript converts ASCII files to PostScript(TM) and spools @@ -53,6 +65,8 @@ includes many options for customizing printouts %patch15 -p1 -b .bufpos-crash # 1664367 - [RFE] Add support for 885915 encoding in enscript %patch16 -p1 -b .newencodings +# CVE in gnulib +%patch17 -p1 -b .vasnprintf %{__tar} -C states/hl -zxf %{SOURCE1} ruby.st install -pm 644 %{SOURCE2} states/hl/php.st @@ -101,6 +115,7 @@ done * Tue Jan 29 2019 Zdenek Dohnal - 1.6.6-19 - 1664367 - [RFE] Add support for 885915 encoding in enscript - remove old Obsoletes/Provides +- fix gnulib CVE * Tue Jul 24 2018 Zdenek Dohnal - 1.6.6-18 - correcting license
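Review bot: `Provides: bundled(gnulib)` in the first hunk carries no version, so nothing in the package metadata tells a later reader which gnulib snapshot the bundled files come from when the next gnulib advisory has to be matched against enscript. If the snapshot can be identified, `Provides: bundled(gnulib) = <GNULIB_SNAPSHOT_DATE>` would record it; if it cannot, the comment above the line could say so explicitly. In the `%prep` hunk the comment `# CVE in gnulib` omits the bug number that the neighbouring patch comments carry; `# 1635896 - CVE in bundled gnulib vasnprintf` would match them, and the same applies to the `- fix gnulib CVE` changelog entry.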