diff --git a/libjpeg-turbo-CVE-2018-19664.patch b/libjpeg-turbo-CVE-2018-19664.patch
new file mode 100644
index 0000000..f99863e
--- /dev/null
+++ b/libjpeg-turbo-CVE-2018-19664.patch
@@ -0,0 +1,33 @@
+From 4a3f52b4d191d79f500831649037b9b24c730e37 Mon Sep 17 00:00:00 2001
+From: DRC <information@libjpeg-turbo.org>
+Date: Tue, 1 Jan 2019 20:32:40 -0600
+Subject: [PATCH] wrbmp.c: Don't allow quantization w/ non-RGB CS
+
+If cinfo->quantize_colors == 1, then jpeg_calc_output_dimensions() will
+set cinfo->output_components to 1, and if cinfo->out_color_space is not
+RGB (or extended RGB), hilarity will ensue.
+
+Fixes #305
+---
+ wrbmp.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/wrbmp.c b/wrbmp.c
+index 38a64e8..3489f14 100644
+--- a/wrbmp.c
++++ b/wrbmp.c
+@@ -506,8 +506,9 @@ jinit_write_bmp(j_decompress_ptr cinfo, boolean is_os2,
+       dest->pub.put_pixel_rows = put_gray_rows;
+     else
+       dest->pub.put_pixel_rows = put_pixel_rows;
+-  } else if (cinfo->out_color_space == JCS_RGB565 ||
+-             cinfo->out_color_space == JCS_CMYK) {
++  } else if (!cinfo->quantize_colors &&
++             (cinfo->out_color_space == JCS_RGB565 ||
++              cinfo->out_color_space == JCS_CMYK)) {
+     dest->pub.put_pixel_rows = put_pixel_rows;
+   } else {
+     ERREXIT(cinfo, JERR_BMP_COLORSPACE);
+-- 
+2.17.2
+
diff --git a/libjpeg-turbo.spec b/libjpeg-turbo.spec
index 3b1749c..f049c6e 100644
--- a/libjpeg-turbo.spec
+++ b/libjpeg-turbo.spec
@@ -1,6 +1,6 @@
 Name:           libjpeg-turbo
 Version:        2.0.0
-Release:        2%{?dist}
+Release:        3%{?dist}
 Summary:        A MMX/SSE2/SIMD accelerated library for manipulating JPEG image files
 License:        IJG
 URL:            http://sourceforge.net/projects/libjpeg-turbo
@@ -8,6 +8,7 @@ URL:            http://sourceforge.net/projects/libjpeg-turbo
 Source0:        http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz
 Patch0:         libjpeg-turbo-cmake.patch
 Patch1:         libjpeg-turbo-CVE-2018-20330.patch
+Patch2:         libjpeg-turbo-CVE-2018-19664.patch
 
 BuildRequires:  gcc
 BuildRequires:  cmake
@@ -71,6 +72,7 @@ manipulate JPEG files using the TurboJPEG library.
 %setup -q
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
 
 %build
 %{cmake} -DCMAKE_SKIP_RPATH:BOOL=YES \
@@ -170,6 +172,9 @@ LD_LIBRARY_PATH=%{buildroot}%{_libdir} make test %{?_smp_mflags}
 %{_libdir}/pkgconfig/libturbojpeg.pc
 
 %changelog
+* Fri Jan 11 2019 Nikola Forró <nforro@redhat.com> - 2.0.0-3
+- Fix CVE-2018-19664 (#1656219)
+
 * Fri Jan 11 2019 Nikola Forró <nforro@redhat.com> - 2.0.0-2
 - Fix CVE-2018-20330 (#1665224)