diff --git a/SOURCES/exiv2-CVE-2021-29470.patch b/SOURCES/exiv2-CVE-2021-29470.patch
new file mode 100644
index 0000000..6d9b165
--- /dev/null
+++ b/SOURCES/exiv2-CVE-2021-29470.patch
@@ -0,0 +1,21 @@
+diff --git a/src/jp2image.cpp b/src/jp2image.cpp
+index 0de088d..6310c08 100644
+--- a/src/jp2image.cpp
++++ b/src/jp2image.cpp
+@@ -645,13 +645,16 @@ static void boxes_check(size_t b,size_t m)
+ DataBuf output(boxBuf.size_ + iccProfile_.size_ + 100); // allocate sufficient space
+ int outlen = sizeof(Jp2BoxHeader) ; // now many bytes have we written to output?
+ int inlen = sizeof(Jp2BoxHeader) ; // how many bytes have we read from boxBuf?
++ enforce(sizeof(Jp2BoxHeader) <= static_cast(output.size_), Exiv2::kerCorruptedMetadata);
+ Jp2BoxHeader* pBox = (Jp2BoxHeader*) boxBuf.pData_;
+ int32_t length = getLong((byte*)&pBox->length, bigEndian);
++ enforce(length <= static_cast(output.size_), Exiv2::kerCorruptedMetadata);
+ int32_t count = sizeof (Jp2BoxHeader);
+ char* p = (char*) boxBuf.pData_;
+ bool bWroteColor = false ;
+
+ while ( count < length || !bWroteColor ) {
++ enforce(sizeof(Jp2BoxHeader) <= length - count, Exiv2::kerCorruptedMetadata);
+ Jp2BoxHeader* pSubBox = (Jp2BoxHeader*) (p+count) ;
+
+ // copy data. pointer could be into a memory mapped file which we will decode!
diff --git a/SOURCES/exiv2-CVE-2021-29473.patch b/SOURCES/exiv2-CVE-2021-29473.patch
new file mode 100644
index 0000000..685dec0
--- /dev/null
+++ b/SOURCES/exiv2-CVE-2021-29473.patch
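Review bot: The loop guard added ahead of `pSubBox`, `enforce(sizeof(Jp2BoxHeader) <= length - count, ...)`, compares a `size_t` with an `int32_t` difference, so if `count` ever exceeds `length` — the loop is re-entered on `!bWroteColor` alone once `count >= length` — the negative difference converts to a very large unsigned value and the check passes instead of rejecting the box; `enforce(count <= length && static_cast<size_t>(length - count) >= sizeof(Jp2BoxHeader), Exiv2::kerCorruptedMetadata);` keeps the intent without the wrap, and whether `count` can actually run past `length` depends on the loop body outside this hunk. The earlier check bounds `length` only against `output.size_` (`boxBuf.size_ + iccProfile_.size_ + 100`), while the sub-box headers are read through `p = boxBuf.pData_`; unless the caller guarantees `boxBuf.size_ >= length`, a check against `boxBuf.size_` is what would bound the read side. The two `static_cast(output.size_)` casts appear here without a template argument, presumably `<size_t>` lost in rendering, which is worth confirming against the patch file as committed. The enclosing function starts and ends outside the hunk.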
@@ -0,0 +1,21 @@
+From e6a0982f7cd9282052b6e3485a458d60629ffa0b Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse
+Date: Fri, 23 Apr 2021 11:44:44 +0100
+Subject: [PATCH 2/2] Add bounds check in Jp2Image::doWriteMetadata().
+
+---
+ src/jp2image.cpp | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/jp2image.cpp b/src/jp2image.cpp
+index 1694fed27..ca8c9ddbb 100644
+--- a/src/jp2image.cpp
++++ b/src/jp2image.cpp
+@@ -908,6 +908,7 @@ static void boxes_check(size_t b,size_t m)
+
+ case kJp2BoxTypeUuid:
+ {
++ enforce(boxBuf.size_ >= 24, Exiv2::kerCorruptedMetadata);
+ if(memcmp(boxBuf.pData_ + 8, kJp2UuidExif, 16) == 0)
+ {
+ #ifdef EXIV2_DEBUG_MESSAGES
diff --git a/SPECS/exiv2.spec b/SPECS/exiv2.spec
index 53bcc88..b7ca494 100644
--- a/SPECS/exiv2.spec
+++ b/SPECS/exiv2.spec
@@ -2,7 +2,7 @@ Summary: Exif and Iptc metadata manipulation library
 Name: exiv2
 Version: 0.27.3
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: GPLv2+
 URL: http://www.exiv2.org/
@@ -14,6 +14,8 @@ Source0: https://github.com/Exiv2/%{name}/archive/exiv2-%{version}.tar.gz
 Patch50: exiv2-CVE-2021-3482.patch
 Patch51: exiv2-CVE-2021-29458.patch
 Patch52: exiv2-CVE-2021-29457.patch
+Patch53: exiv2-CVE-2021-29470.patch
+Patch54: exiv2-CVE-2021-29473.patch
 ## upstreamable patches
 # don't unconditionally use -fcf-protection flag, not supported on all archs
@@ -128,6 +130,13 @@ test -x %{buildroot}%{_libdir}/libexiv2.so
 %changelog
+* Thu Apr 29 2021 Jan Grulich - 0.27.3-5
+- CVE-2021-29473 exiv2: out-of-bounds read in Exiv2::Jp2Image::doWriteMetadata
+ Resolves: bz#1954065
+
+- CVE-2021-29470 exiv2: out-of-bounds read in Exiv2::Jp2Image::encodeJp2Header
+ Resolves: bz#1955014
+
 * Wed Apr 28 2021 Jan Grulich - 0.27.3-4
 - CVE-2021-29458 exiv2: out-of-bounds read in Exiv2::Internal::CrwMap::encode
 Resolves: bz#1953758
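Review bot: The new `enforce(boxBuf.size_ >= 24, Exiv2::kerCorruptedMetadata);` correctly covers the `memcmp(boxBuf.pData_ + 8, kJp2UuidExif, 16)` that follows, but the bare `24` hides that it is the 8-byte offset plus the 16-byte UUID compare; writing it as `enforce(boxBuf.size_ >= 8 + 16, Exiv2::kerCorruptedMetadata); // box header + 16-byte UUID`, or as `sizeof(Jp2BoxHeader) + 16` if that header is the 8 bytes skipped here as the first patch's use of `sizeof(Jp2BoxHeader)` suggests, ties the bound to the read it protects. The `kJp2BoxTypeUuid` case and its enclosing function continue outside the hunk, so whether later reads in that branch need a larger bound cannot be judged from here.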