diff --git a/SOURCES/0001-Fix-UAF-in-comps_objmrtree_unite-function.patch b/SOURCES/0001-Fix-UAF-in-comps_objmrtree_unite-function.patch
new file mode 100644
index 0000000..56c14dd
--- /dev/null
+++ b/SOURCES/0001-Fix-UAF-in-comps_objmrtree_unite-function.patch
@@ -0,0 +1,89 @@
+From e3a5d056633677959ad924a51758876d415e7046 Mon Sep 17 00:00:00 2001
+From: Riccardo Schirone <rschiron@redhat.com>
+Date: Mon, 21 Jan 2019 18:11:42 +0100
+Subject: [PATCH] Fix UAF in comps_objmrtree_unite function
+
+The added field is not used at all in many places and it is probably the
+left-over of some copy-paste.
+---
+ libcomps/src/comps_mradix.c    | 2 --
+ libcomps/src/comps_objmradix.c | 2 --
+ libcomps/src/comps_objradix.c  | 2 --
+ libcomps/src/comps_radix.c     | 1 -
+ 4 files changed, 7 deletions(-)
+
+diff --git a/libcomps/src/comps_mradix.c b/libcomps/src/comps_mradix.c
+index 8ef9640..dfdee8e 100644
+--- a/libcomps/src/comps_mradix.c
++++ b/libcomps/src/comps_mradix.c
+@@ -177,7 +177,6 @@ void comps_mrtree_unite(COMPS_MRTree *rt1, COMPS_MRTree *rt2) {
+     struct Pair {
+         COMPS_HSList * subnodes;
+         char * key;
+-        char added;
+     } *pair, *parent_pair;
+ 
+     pair = malloc(sizeof(struct Pair));
+@@ -195,7 +194,6 @@ void comps_mrtree_unite(COMPS_MRTree *rt1, COMPS_MRTree *rt2) {
+         parent_pair = (struct Pair*) it->data;
+         free(it);
+ 
+-        pair->added = 0;
+         for (it = tmp_subnodes->first; it != NULL; it=it->next) {
+             pair = malloc(sizeof(struct Pair));
+             pair->subnodes = ((COMPS_MRTreeData*)it->data)->subnodes;
+diff --git a/libcomps/src/comps_objmradix.c b/libcomps/src/comps_objmradix.c
+index 9a2038b..22ad262 100644
+--- a/libcomps/src/comps_objmradix.c
++++ b/libcomps/src/comps_objmradix.c
+@@ -285,7 +285,6 @@ void comps_objmrtree_unite(COMPS_ObjMRTree *rt1, COMPS_ObjMRTree *rt2) {
+     struct Pair {
+         COMPS_HSList * subnodes;
+         char * key;
+-        char added;
+     } *pair, *parent_pair;
+ 
+     pair = malloc(sizeof(struct Pair));
+@@ -303,7 +302,6 @@ void comps_objmrtree_unite(COMPS_ObjMRTree *rt1, COMPS_ObjMRTree *rt2) {
+         parent_pair = (struct Pair*) it->data;
+         free(it);
+ 
+-        pair->added = 0;
+         for (it = tmp_subnodes->first; it != NULL; it=it->next) {
+             pair = malloc(sizeof(struct Pair));
+             pair->subnodes = ((COMPS_ObjMRTreeData*)it->data)->subnodes;
+diff --git a/libcomps/src/comps_objradix.c b/libcomps/src/comps_objradix.c
+index c657b75..840592a 100644
+--- a/libcomps/src/comps_objradix.c
++++ b/libcomps/src/comps_objradix.c
+@@ -697,7 +697,6 @@ void comps_objrtree_unite(COMPS_ObjRTree *rt1, COMPS_ObjRTree *rt2) {
+     struct Pair {
+         COMPS_HSList * subnodes;
+         char * key;
+-        char added;
+     } *pair, *parent_pair;
+ 
+     pair = malloc(sizeof(struct Pair));
+@@ -716,7 +715,6 @@ void comps_objrtree_unite(COMPS_ObjRTree *rt1, COMPS_ObjRTree *rt2) {
+         //printf("key-part:%s\n", parent_pair->key);
+         free(it);
+ 
+-        //pair->added = 0;
+         for (it = tmp_subnodes->first; it != NULL; it=it->next) {
+             pair = malloc(sizeof(struct Pair));
+             pair->subnodes = ((COMPS_ObjRTreeData*)it->data)->subnodes;
+diff --git a/libcomps/src/comps_radix.c b/libcomps/src/comps_radix.c
+index ada4fda..05dcaf2 100644
+--- a/libcomps/src/comps_radix.c
++++ b/libcomps/src/comps_radix.c
+@@ -529,7 +529,6 @@ void comps_rtree_unite(COMPS_RTree *rt1, COMPS_RTree *rt2) {
+     struct Pair {
+         COMPS_HSList * subnodes;
+         char * key;
+-        char added;
+     } *pair, *parent_pair;
+ 
+     pair = malloc(sizeof(struct Pair));
+--
+libgit2 0.28.2
+
diff --git a/SPECS/libcomps.spec b/SPECS/libcomps.spec
index aa5c776..d3a161a 100644
--- a/SPECS/libcomps.spec
+++ b/SPECS/libcomps.spec
@@ -6,12 +6,13 @@
 
 Name:           libcomps
 Version:        0.1.8
-Release:        12%{?dist}
+Release:        13%{?dist}
 Summary:        Comps XML file manipulation library
 
 License:        GPLv2+
 URL:            https://github.com/rpm-software-management/libcomps
 Source0:        %{url}/archive/%{name}-%{version}/%{name}-%{version}.tar.gz
+Patch1:         0001-Fix-UAF-in-comps_objmrtree_unite-function.patch
 
 BuildRequires:  cmake
 BuildRequires:  gcc
@@ -70,7 +71,7 @@ Python3 bindings for libcomps library.
 %endif
 
 %prep
-%autosetup -n %{name}-%{name}-%{version}
+%autosetup -n %{name}-%{name}-%{version} -p1
 
 mkdir build
 
@@ -141,6 +142,9 @@ popd
 %endif
 
 %changelog
+* Tue Oct 08 2019 Pavla Kratochvilova <pkratoch@redhat.com> - 0.1.8-13
+- Fix UAF in comps_objmrtree_unite function (RhBug:1668683)
+
 * Mon Jun 11 2018 Marek Blaha <mblaha@redhat.com> - 0.1.8-12
 - Build for RHEL 7
 - Do not use %%ldconfig_scriptlets