diff --git a/.exiv2.metadata b/.exiv2.metadata
new file mode 100644
index 0000000..5f6d5eb
--- /dev/null
+++ b/.exiv2.metadata
@@ -0,0 +1 @@
+4e740e21f2e0d1fc4c81241ddc3a939f39b326c7 SOURCES/exiv2-0.27.2.tar.gz
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..bc6db92
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/exiv2-0.27.2.tar.gz
diff --git a/SOURCES/exiv2-CVE-2019-20421.patch b/SOURCES/exiv2-CVE-2019-20421.patch
new file mode 100644
index 0000000..ea8356a
--- /dev/null
+++ b/SOURCES/exiv2-CVE-2019-20421.patch
@@ -0,0 +1,97 @@ +From 1b917c3f7dd86336a9f6fda4456422c419dfe88c Mon Sep 17 00:00:00 2001 +From: clanmills +Date: Tue, 1 Oct 2019 17:39:44 +0100 +Subject: [PATCH] Fix #1011 fix_1011_jp2_readmetadata_loop + +--- + src/jp2image.cpp | 25 +++++++++++++++---- + test/data/Jp2Image_readMetadata_loop.poc | Bin 0 -> 738 bytes + tests/bugfixes/github/test_CVE_2017_17725.py | 4 +-- + tests/bugfixes/github/test_issue_1011.py | 13 ++++++++++ + 4 files changed, 35 insertions(+), 7 deletions(-) + create mode 100755 test/data/Jp2Image_readMetadata_loop.poc + create mode 100644 tests/bugfixes/github/test_issue_1011.py + +diff --git a/src/jp2image.cpp b/src/jp2image.cpp +index d5cd1340a..0de088d62 100644 +--- a/src/jp2image.cpp ++++ b/src/jp2image.cpp +@@ -18,10 +18,6 @@ + * Foundation, Inc., 51 Franklin Street, 5th Floor, Boston, MA 02110-1301 USA. + */ + +-/* +- File: jp2image.cpp +-*/ +- + // ***************************************************************************** + + // included header files +@@ -197,6 +193,16 @@ namespace Exiv2 + return result; + } + ++static void boxes_check(size_t b,size_t m) ++{ ++ if ( b > m ) { ++#ifdef EXIV2_DEBUG_MESSAGES ++ std::cout << "Exiv2::Jp2Image::readMetadata box maximum exceeded" << std::endl; ++#endif ++ throw Error(kerCorruptedMetadata); ++ } ++} ++ + void Jp2Image::readMetadata() + { + #ifdef EXIV2_DEBUG_MESSAGES +@@ -219,9 +225,12 @@ namespace Exiv2 + Jp2BoxHeader subBox = {0,0}; + Jp2ImageHeaderBox ihdr = {0,0,0,0,0,0,0,0}; + Jp2UuidBox uuid = {{0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}}; ++ size_t boxes = 0 ; ++ size_t boxem = 1000 ; // boxes max + + while (io_->read((byte*)&box, sizeof(box)) == sizeof(box)) + { ++ boxes_check(boxes++,boxem ); + position = io_->tell(); + box.length = getLong((byte*)&box.length, bigEndian); + box.type = getLong((byte*)&box.type, bigEndian); +@@ -251,8 +260,12 @@ namespace Exiv2 + + while (io_->read((byte*)&subBox, sizeof(subBox)) == sizeof(subBox) && subBox.length ) + { ++ boxes_check(boxes++, boxem) ; + 
subBox.length = getLong((byte*)&subBox.length, bigEndian); + subBox.type = getLong((byte*)&subBox.type, bigEndian); ++ if (subBox.length > io_->size() ) { ++ throw Error(kerCorruptedMetadata); ++ } + #ifdef EXIV2_DEBUG_MESSAGES + std::cout << "Exiv2::Jp2Image::readMetadata: " + << "subBox = " << toAscii(subBox.type) << " length = " << subBox.length << std::endl; +@@ -308,7 +321,9 @@ namespace Exiv2 + } + + io_->seek(restore,BasicIo::beg); +- io_->seek(subBox.length, Exiv2::BasicIo::cur); ++ if ( io_->seek(subBox.length, Exiv2::BasicIo::cur) != 0 ) { ++ throw Error(kerCorruptedMetadata); ++ } + restore = io_->tell(); + } + break; +diff --git a/tests/bugfixes/github/test_CVE_2017_17725.py b/tests/bugfixes/github/test_CVE_2017_17725.py +index 1127b9806..670a75d8d 100644 +--- a/tests/bugfixes/github/test_CVE_2017_17725.py ++++ b/tests/bugfixes/github/test_CVE_2017_17725.py +@@ -11,7 +11,7 @@ class TestCvePoC(metaclass=system_tests.CaseMeta): + filename = "$data_path/poc_2017-12-12_issue188" + commands = ["$exiv2 " + filename] + stdout = [""] +- stderr = ["""$exiv2_overflow_exception_message """ + filename + """: +-$addition_overflow_message ++ stderr = ["""$exiv2_exception_message """ + filename + """: ++$kerCorruptedMetadata + """] + retval = [1] diff --git a/SPECS/exiv2.spec b/SPECS/exiv2.spec new file mode 100644 index 0000000..d163b60 --- /dev/null +++ b/SPECS/exiv2.spec 
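Review bot: The new sub-box guard `if (subBox.length > io_->size())` bounds the length only from above, so a non-zero `subBox.length` smaller than `sizeof(subBox)` is still accepted and reaches `io_->seek(subBox.length, Exiv2::BasicIo::cur)`. From the visible lines, the only thing that then ends the inner loop is the `boxes_check` cap. If the rest of `readMetadata` (which continues outside these hunks) has no use for such lengths, a lower bound belongs in the same test, e.g. `if (subBox.length < sizeof(subBox) || subBox.length > io_->size())`. The `io_->seek(restore,BasicIo::beg)` directly above the newly checked seek still ignores its return value and would benefit from the same `!= 0` test. `boxem = 1000` would also read better as a named constant with a comment such as `// upper bound on boxes parsed per file; guards against crafted box chains that never advance`.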
@@ -0,0 +1,352 @@ + +Summary: Exif and Iptc metadata manipulation library +Name: exiv2 +Version: 0.27.2 +Release: 5%{?dist} + +License: GPLv2+ +URL: http://www.exiv2.org/ +Source0: https://github.com/Exiv2/%{name}/archive/exiv2-%{version}.tar.gz + +## upstream patches (lookaside cache) +Patch0: exiv2-CVE-2019-20421.patch + +## upstreamable patches + +BuildRequires: cmake +BuildRequires: expat-devel +BuildRequires: gettext +BuildRequires: pkgconfig +BuildRequires: pkgconfig(libcurl) +BuildRequires: pkgconfig(libssh) +BuildRequires: zlib-devel +# docs +BuildRequires: doxygen graphviz libxslt + +Requires: %{name}-libs%{?_isa} = %{version}-%{release} + +%description +A command line utility to access image metadata, allowing one to: +* print the Exif metadata of Jpeg images as summary info, interpreted values, + or the plain data for each tag +* print the Iptc metadata of Jpeg images +* print the Jpeg comment of Jpeg images +* set, add and delete Exif and Iptc metadata of Jpeg images +* adjust the Exif timestamp (that's how it all started...) +* rename Exif image files according to the Exif timestamp +* extract, insert and delete Exif metadata (including thumbnails), + Iptc metadata and Jpeg comments + +%package devel +Summary: Header files, libraries and development documentation for %{name} +Requires: %{name}-libs%{?_isa} = %{version}-%{release} +%description devel +%{summary}. + +%package libs +Summary: Exif and Iptc metadata manipulation library +# not strictly required, but convenient and expected +%if 0%{?rhel} && 0%{?rhel} <= 7 +Requires: %{name} = %{version}-%{release} +%else +Recommends: %{name} = %{version}-%{release} +%endif +%description libs +A C++ library to access image metadata, supporting full read and write access +to the Exif and Iptc metadata, Exif MakerNote support, extract and delete +methods for Exif thumbnails, classes to access Ifd and so on. 
+ +%package doc +Summary: Api documentation for %{name} +BuildArch: noarch +%description doc +%{summary}. + + +%prep +%autosetup -n %{name}-%{version} -p1 + + +%build +%{cmake} . \ + -DCMAKE_INSTALL_DOCDIR="%{_pkgdocdir}" \ + -DEXIV2_BUILD_DOC:BOOL=ON \ + -DEXIV2_ENABLE_NLS:BOOL=ON \ + -DEXIV2_BUILD_SAMPLES:BOOL=OFF + +%make_build +%make_build doc + +%install +make install/fast DESTDIR=%{buildroot} + +%find_lang exiv2 --with-man + +## unpackaged files +rm -fv %{buildroot}%{_libdir}/libexiv2.la +#rm -fv %{buildroot}%{_libdir}/pkgconfig/exiv2.lsm + +%check +export PKG_CONFIG_PATH="%{buildroot}%{_libdir}/pkgconfig${PKG_CONFIG_PATH:+:}${PKG_CONFIG_PATH}" +test "$(pkg-config --modversion exiv2)" = "0.27.2" +test "$(pkg-config --variable=libdir exiv2)" = "%{_libdir}" +test -x %{buildroot}%{_libdir}/libexiv2.so + + +%files -f exiv2.lang +%license COPYING +%doc doc/ChangeLog +# README is mostly installation instructions +#doc README.md +%{_bindir}/exiv2 +%{_mandir}/man1/exiv2*.1* + +%ldconfig_scriptlets libs + +%files libs +%{_libdir}/libexiv2.so.27* +%{_libdir}/libexiv2.so.0.27.2 + +%files devel +%{_includedir}/exiv2/ +%{_libdir}/libexiv2.so +%{_libdir}/pkgconfig/exiv2.pc +%{_libdir}/cmake/exiv2/ +%{_libdir}/libexiv2-xmp.a + +%files doc +%{_pkgdocdir}/ + + + +%changelog +* Wed Mar 04 2020 Jan Grulich - 0.27.2-5 +- Fix failing test + Resolves: bz#1800472 + +* Wed Mar 04 2020 Jan Grulich - 0.27.2-4 +- Drop test for the previous CVE as we test it manually and we don't have POC available + Resolves: bz#1800472 + +* Wed Feb 26 2020 Jan Grulich - 0.27.2-3 +- Fix infinite loop and hang in Jp2Image::readMetadata() + Resolves: bz#1800472 + +* Tue Oct 29 2019 Jan Grulich - 0.27.2-2 + Rebuild + Resolves: bz#1651917 + +* Fri Sep 20 2019 Jan Grulich - 0.27.2-1 +- Update to 0.27.2 + Resolves: bz#1651917 + +* Tue Sep 11 2018 Jan Grulich - 0.26-10 +- Security fix for CVE-2018-16336 + +* Tue Jul 24 2018 Jan Grulich - 0.26-9 +- Security fix for CVE-2017-17723, CVE-2017-17725, 
CVE-2018-10958, CVE-2018-10998, + CVE-2018-11531, CVE-2018-12264, CVE-2018-12265, CVE-2018-14046, CVE-2018-5772, + CVE-2018-8976, CVE-2018-8977, CVE-2018-9144 + +* Wed Feb 07 2018 Fedora Release Engineering - 0.26-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Sat Feb 03 2018 Igor Gnatenko - 0.26-7 +- Switch to %%ldconfig_scriptlets + +* Wed Aug 02 2017 Fedora Release Engineering - 0.26-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Wed Jul 26 2017 Fedora Release Engineering - 0.26-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Sun May 28 2017 Rex Dieter - 0.26-4 +- Security fix for CVE-2017-9239 (#1455859,#1455860) + +* Sat May 20 2017 Rex Dieter - 0.26-3 +- -libs: use Recommends: instead (#1452938) + +* Mon May 15 2017 Fedora Release Engineering - 0.26-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_27_Mass_Rebuild + +* Tue May 02 2017 Rex Dieter - 0.26-1 +- exiv2-0.26 (#1447129) + +* Fri Feb 10 2017 Fedora Release Engineering - 0.25-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Mon Feb 22 2016 Rex Dieter 0.25-3 +- embedded copy of exempi should be compiled with BanAllEntityUsage (#888769) + +* Wed Feb 03 2016 Fedora Release Engineering - 0.25-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Mon Jun 22 2015 Rex Dieter 0.25-1 +- exiv2-0.25 (#1234185) + +* Wed Jun 17 2015 Fedora Release Engineering - 0.24-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Tue Apr 14 2015 Rex Dieter 0.24-6 +- rebuild (gcc5) + +* Thu Feb 19 2015 Rex Dieter 0.24-5 +- rebuild (gcc5) + +* Mon Jan 05 2015 Rex Dieter 0.24-4 +- CVE-2014-9449 exiv2: buffer overflow in RiffVideo::infoTagsHandler (#1178909) + +* Sat Aug 16 2014 Fedora Release Engineering - 0.24-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Sat Jun 07 2014 Fedora Release Engineering - 0.24-2 +- Rebuilt for 
https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Mon Dec 02 2013 Rex Dieter - 0.24-1 +- exiv2-0.24, abi bump +- -doc subpkg +- ready experimental cmake buildsystem support + +* Sat Aug 03 2013 Fedora Release Engineering - 0.23-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Wed Feb 13 2013 Fedora Release Engineering - 0.23-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Tue Aug 14 2012 Rex Dieter 0.23-3 +- empty html doc dir (#848025) + +* Thu Jul 19 2012 Fedora Release Engineering - 0.23-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Tue Apr 24 2012 Rex Dieter 0.23-1 +- exiv2-0.23 +- abi bump + +* Tue Feb 28 2012 Fedora Release Engineering - 0.22-5 +- Rebuilt for c++ ABI breakage + +* Mon Jan 16 2012 Rex Dieter 0.22-4 +- better rpath handling +- revert locale change, move back to -libs + +* Mon Jan 16 2012 Rex Dieter 0.22-3 +- move locale files to main pkg (from -libs) + +* Fri Jan 13 2012 Fedora Release Engineering - 0.22-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Fri Oct 14 2011 Rex Dieter 0.22-1 +- exiv2-0.22 + +* Tue Sep 27 2011 Rex Dieter 0.21.1-3 +- New Tamron 70-300 mm lens improperly recognized (#708403) + +* Mon Sep 26 2011 Rex Dieter 0.21.1-2 +- gthumb crashes because of bug in exiv2 0.21.1 (#741429) + +* Sat Feb 26 2011 Rex Dieter 0.21.1-1 +- exiv2-0.21.1 + +* Tue Feb 08 2011 Fedora Release Engineering - 0.21-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Wed Jan 26 2011 Rex Dieter 0.21-2 +- Move ldconfig scriptlet calls to -libs (#672361) + +* Wed Dec 01 2010 Rex Dieter - 0.21-1 +- exiv2-0.21 + +* Sun May 30 2010 Rex Dieter - 0.20-1 +- exiv2-0.20 + +* Wed Dec 30 2009 Rex Dieter - 0.19-1 +- exiv2-0.19 (#552275) + +* Sun Dec 13 2009 Rex Dieter - 0.18.2-3 +- -libs unconditional +- tighten deps using %%?_isa + +* Fri Aug 07 2009 Rex Dieter - 0.18.2-2 +- (again) drop -fvisibility-inlines-hidden 
(#496050) + +* Fri Jul 24 2009 Rex Dieter - 0.18.2-1 +- exiv2-0.18.2 +- drop visibility patch + +* Fri Apr 17 2009 Rex Dieter - 0.18.1-1 +- exiv2-0.18.1 +- drop -fvisibility-inlines-hidden (#496050) + +* Tue Feb 24 2009 Fedora Release Engineering - 0.18-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Thu Dec 18 2008 Rex Dieter 0.18-1 +- exiv2-0.18 + +* Fri Dec 12 2008 Rex Dieter 0.17.2-2 +- rebuild for pkgconfig deps + +* Mon Jun 23 2008 Rex Dieter 0.17.1-1 +- exiv2-0.17.1 + +* Mon Feb 11 2008 Rex Dieter 0.16-2 +- respin (gcc43) +- gcc43 patch + +* Sun Jan 13 2008 Rex Dieter 0.16-1 +- eviv2-0.16 + +* Mon Dec 17 2007 Rex Dieter 0.16-0.3.pre1 +- CVE-2007-6353 (#425924) + +* Mon Nov 26 2007 Rex Dieter 0.16-0.2.pre1 +- -libs subpkg toggle (f8+) + +* Tue Nov 13 2007 Rex Dieter 0.16-0.1.pre1 +- exiv2-0.16-pre1 + +* Tue Sep 18 2007 Rex Dieter 0.15-4 +- -libs: -Requires: %%name + +* Tue Aug 21 2007 Rex Dieter 0.15-3 +- -libs subpkg to be multilib-friendlier (f8+) + +* Sat Aug 11 2007 Rex Dieter 0.15-2 +- License: GPLv2+ + +* Thu Jul 12 2007 Rex Dieter 0.15-1 +- exiv2-0.15 + +* Mon Apr 02 2007 Rex Dieter 0.14-1 +- exiv2-0.14 + +* Tue Nov 28 2006 Rex Dieter 0.12-1 +- exiv2-0.12 + +* Wed Oct 04 2006 Rex Dieter 0.11-3 +- respin + +* Tue Sep 19 2006 Rex Dieter 0.11-2 +- BR: zlib-devel + +* Tue Sep 19 2006 Rex Dieter 0.11-1 +- exiv2-0.11 + +* Tue Aug 29 2006 Rex Dieter 0.10-2 +- fc6 respin + +* Sat Jun 03 2006 Rex Dieter 0.10-1 +- 0.10 + +* Wed May 17 2006 Rex Dieter 0.9.1-3 +- cleanup %%description +- set eXecute bit on installed lib. +- no_rpath patch +- deps patch (items get (re)compiled on *every* call to 'make') + +* Wed May 17 2006 Rex Dieter 0.9.1-2 +- %%post/%%postun: /sbin/ldconfig + +* Tue May 16 2006 Rex Dieter 0.9.1-1 +- first try
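Review bot: `%check` only compares pkg-config output and tests that `libexiv2.so` is executable, so nothing in the build exercises the `Jp2Image::readMetadata` fix carried by `Patch0`. The changelog states the PoC-based test was dropped and the fix is tested manually, and the patch's own diffstat still lists `test_issue_1011.py` and the `.poc` file that its body no longer contains. Record that next to the patch line so the gap is visible to the next maintainer, e.g. `# CVE-2019-20421: upstream commit 1b917c3f (Fix #1011); test_issue_1011.py and its PoC not carried, verified manually (bz#1800472)`. Separately, `test "$(pkg-config --modversion exiv2)" = "0.27.2"` and `%{_libdir}/libexiv2.so.0.27.2` hard-code the version; using `%{version}` keeps both from going stale on the next rebase.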