diff --git a/SOURCES/expat-2.2.5-CVE-2018-20843.patch b/SOURCES/expat-2.2.5-CVE-2018-20843.patch
new file mode 100644
index 0000000..8afbfd0
--- /dev/null
+++ b/SOURCES/expat-2.2.5-CVE-2018-20843.patch
@@ -0,0 +1,15 @@
+
+https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-20843
+https://github.com/libexpat/libexpat/commit/11f8838bf99ea0a6f0b76f9760c43704d00c4ff6
+
+--- libexpat-R_2_2_5/expat/lib/xmlparse.c.cve20843
++++ libexpat-R_2_2_5/expat/lib/xmlparse.c
+@@ -6057,7 +6057,7 @@ setElementTypePrefix(XML_Parser parser,
+       else
+         poolDiscard(&dtd->pool);
+       elementType->prefix = prefix;
+-
++      break;
+     }
+   }
+   return 1;
diff --git a/SOURCES/expat-2.2.5-CVE-2019-15903.patch b/SOURCES/expat-2.2.5-CVE-2019-15903.patch
new file mode 100644
index 0000000..72c0164
--- /dev/null
+++ b/SOURCES/expat-2.2.5-CVE-2019-15903.patch
@@ -0,0 +1,171 @@
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1752592
+
+https://github.com/libexpat/libexpat/commit/6da1f19625592bfb928253620cac568d9a9b9c65
+
+--- libexpat-R_2_2_5/expat/lib/xmlparse.c.cve15903
++++ libexpat-R_2_2_5/expat/lib/xmlparse.c
+@@ -411,7 +411,7 @@ initializeEncoding(XML_Parser parser);
+ static enum XML_Error
+ doProlog(XML_Parser parser, const ENCODING *enc, const char *s,
+          const char *end, int tok, const char *next, const char **nextPtr,
+-         XML_Bool haveMore);
++                               XML_Bool haveMore, XML_Bool allowClosingDoctype);
+ static enum XML_Error
+ processInternalEntity(XML_Parser parser, ENTITY *entity,
+                       XML_Bool betweenDecl);
+@@ -4218,7 +4218,7 @@ externalParEntProcessor(XML_Parser parse
+ 
+   parser->m_processor = prologProcessor;
+   return doProlog(parser, parser->m_encoding, s, end, tok, next,
+-                  nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer);
++                  nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer, XML_TRUE);
+ }
+ 
+ static enum XML_Error PTRCALL
+@@ -4268,19 +4268,13 @@ prologProcessor(XML_Parser parser,
+   const char *next = s;
+   int tok = XmlPrologTok(parser->m_encoding, s, end, &next);
+   return doProlog(parser, parser->m_encoding, s, end, tok, next,
+-                  nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer);
++                  nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer, XML_TRUE);
+ }
+ 
+ static enum XML_Error
+-doProlog(XML_Parser parser,
+-         const ENCODING *enc,
+-         const char *s,
+-         const char *end,
+-         int tok,
+-         const char *next,
+-         const char **nextPtr,
+-         XML_Bool haveMore)
+-{
++doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
++         int tok, const char *next, const char **nextPtr, XML_Bool haveMore,
++         XML_Bool allowClosingDoctype) {
+ #ifdef XML_DTD
+   static const XML_Char externalSubsetName[] = { ASCII_HASH , '\0' };
+ #endif /* XML_DTD */
+@@ -4458,6 +4452,11 @@ doProlog(XML_Parser parser,
+       }
+       break;
+     case XML_ROLE_DOCTYPE_CLOSE:
++      if (allowClosingDoctype != XML_TRUE) {
++        /* Must not close doctype from within expanded parameter entities */
++        return XML_ERROR_INVALID_TOKEN;
++      }
++
+       if (parser->m_doctypeName) {
+         parser->m_startDoctypeDeclHandler(parser->m_handlerArg, parser->m_doctypeName,
+                                 parser->m_doctypeSysid, parser->m_doctypePubid, 0);
+@@ -5395,7 +5394,7 @@ processInternalEntity(XML_Parser parser,
+   if (entity->is_param) {
+     int tok = XmlPrologTok(parser->m_internalEncoding, textStart, textEnd, &next);
+     result = doProlog(parser, parser->m_internalEncoding, textStart, textEnd, tok,
+-                      next, &next, XML_FALSE);
++                      next, &next, XML_FALSE, XML_FALSE);
+   }
+   else
+ #endif /* XML_DTD */
+@@ -5442,7 +5441,7 @@ internalEntityProcessor(XML_Parser parse
+   if (entity->is_param) {
+     int tok = XmlPrologTok(parser->m_internalEncoding, textStart, textEnd, &next);
+     result = doProlog(parser, parser->m_internalEncoding, textStart, textEnd, tok,
+-                      next, &next, XML_FALSE);
++                      next, &next, XML_FALSE, XML_TRUE);
+   }
+   else
+ #endif /* XML_DTD */
+@@ -5469,7 +5468,7 @@ internalEntityProcessor(XML_Parser parse
+     parser->m_processor = prologProcessor;
+     tok = XmlPrologTok(parser->m_encoding, s, end, &next);
+     return doProlog(parser, parser->m_encoding, s, end, tok, next, nextPtr,
+-                    (XML_Bool)!parser->m_parsingStatus.finalBuffer);
++                    (XML_Bool)!parser->m_parsingStatus.finalBuffer, XML_TRUE);
+   }
+   else
+ #endif /* XML_DTD */
+--- libexpat-R_2_2_5/expat/tests/runtests.c.cve15903
++++ libexpat-R_2_2_5/expat/tests/runtests.c
+@@ -7193,6 +7193,69 @@ overwrite_end_checker(void *userData, co
+     CharData_AppendXMLChars(storage, XCS("\n"), 1);
+ }
+ 
++#ifdef XML_DTD
++START_TEST(test_misc_deny_internal_entity_closing_doctype_issue_317) {
++  const char *const inputOne = "<!DOCTYPE d [\n"
++                               "<!ENTITY % e ']><d/>'>\n"
++                               "\n"
++                               "%e;";
++  const char *const inputTwo = "<!DOCTYPE d [\n"
++                               "<!ENTITY % e1 ']><d/>'><!ENTITY % e2 '&e1;'>\n"
++                               "\n"
++                               "%e2;";
++  const char *const inputThree = "<!DOCTYPE d [\n"
++                                 "<!ENTITY % e ']><d'>\n"
++                                 "\n"
++                                 "%e;";
++  const char *const inputIssue317 = "<!DOCTYPE doc [\n"
++                                    "<!ENTITY % foo ']>\n"
++                                    "<doc>Hell<oc (#PCDATA)*>'>\n"
++                                    "%foo;\n"
++                                    "]>\n"
++                                    "<doc>Hello, world</dVc>";
++
++  const char *const inputs[] = {inputOne, inputTwo, inputThree, inputIssue317};
++  size_t inputIndex = 0;
++
++  for (; inputIndex < sizeof(inputs) / sizeof(inputs[0]); inputIndex++) {
++    XML_Parser parser;
++    enum XML_Status parseResult;
++    int setParamEntityResult;
++    XML_Size lineNumber;
++    XML_Size columnNumber;
++    const char *const input = inputs[inputIndex];
++
++    parser = XML_ParserCreate(NULL);
++    setParamEntityResult
++        = XML_SetParamEntityParsing(parser, XML_PARAM_ENTITY_PARSING_ALWAYS);
++    if (setParamEntityResult != 1)
++      fail("Failed to set XML_PARAM_ENTITY_PARSING_ALWAYS.");
++
++    parseResult = XML_Parse(parser, input, (int)strlen(input), 0);
++    if (parseResult != XML_STATUS_ERROR) {
++      parseResult = XML_Parse(parser, "", 0, 1);
++      if (parseResult != XML_STATUS_ERROR) {
++        fail("Parsing was expected to fail but succeeded.");
++      }
++    }
++
++    if (XML_GetErrorCode(parser) != XML_ERROR_INVALID_TOKEN)
++      fail("Error code does not match XML_ERROR_INVALID_TOKEN");
++
++    lineNumber = XML_GetCurrentLineNumber(parser);
++    if (lineNumber != 4)
++      fail("XML_GetCurrentLineNumber does not work as expected.");
++
++    columnNumber = XML_GetCurrentColumnNumber(parser);
++    if (columnNumber != 0)
++      fail("XML_GetCurrentColumnNumber does not work as expected.");
++
++    XML_ParserFree(parser);
++  }
++}
++END_TEST
++#endif
++
+ static void
+ run_ns_tagname_overwrite_test(const char *text, const XML_Char *result)
+ {
+@@ -12210,6 +12273,10 @@ make_suite(void)
+     tcase_add_test(tc_misc, test_misc_features);
+     tcase_add_test(tc_misc, test_misc_attribute_leak);
+     tcase_add_test(tc_misc, test_misc_utf16le);
++#ifdef XML_DTD
++    tcase_add_test(tc_misc,
++                   test_misc_deny_internal_entity_closing_doctype_issue_317);
++#endif
+ 
+     suite_add_tcase(s, tc_alloc);
+     tcase_add_checked_fixture(tc_alloc, alloc_setup, alloc_teardown);
diff --git a/SPECS/expat.spec b/SPECS/expat.spec
index 233ae52..25338ac 100644
--- a/SPECS/expat.spec
+++ b/SPECS/expat.spec
@@ -3,12 +3,14 @@
 Summary: An XML parser library
 Name: expat
 Version: %(echo %{unversion} | sed 's/_/./g')
-Release: 3%{?dist}
+Release: 4%{?dist}
 Source: https://github.com/libexpat/libexpat/archive/R_%{unversion}.tar.gz#/expat-%{version}.tar.gz
 URL: https://libexpat.github.io/
 License: MIT
 BuildRequires: autoconf, libtool, xmlto, gcc-c++
 Patch0: expat-2.2.5-doc2man.patch
+Patch1: expat-2.2.5-CVE-2018-20843.patch
+Patch2: expat-2.2.5-CVE-2019-15903.patch
 
 %description
 This is expat, the C library for parsing XML, written by James Clark. Expat
@@ -37,6 +39,9 @@ Install it if you need to link statically with expat.
 %prep
 %setup -q -n libexpat-R_%{unversion}/expat
 %patch0 -p2 -b .doc2man
+%patch1 -p2 -b .cve20843
+%patch2 -p2 -b .cve15903
+
 sed -i 's/install-data-hook/do-nothing-please/' lib/Makefile.am
 ./buildconf.sh
 
@@ -74,6 +79,9 @@ make check
 %{_libdir}/lib*.a
 
 %changelog
+* Fri Apr 24 2020 Joe Orton <jorton@redhat.com> - 2.2.5-4
+- add security fixes for CVE-2018-20843, CVE-2019-15903
+
 * Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.5-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild