diff --git a/SOURCES/chunked-decoding-buffer-overrun-CVE-2017-2885.patch b/SOURCES/chunked-decoding-buffer-overrun-CVE-2017-2885.patch
new file mode 100644
index 0000000..87970de
--- /dev/null
+++ b/SOURCES/chunked-decoding-buffer-overrun-CVE-2017-2885.patch
@@ -0,0 +1,57 @@
+From 34d361188adc4b4a81457bcffb14588d84078e79 Mon Sep 17 00:00:00 2001
+From: Dan Winship <danw@gnome.org>
+Date: Thu, 3 Aug 2017 09:56:43 -0400
+Subject: [PATCH] Fix chunked decoding buffer overrun (CVE-2017-2885)
+
+https://bugzilla.gnome.org/show_bug.cgi?id=785774
+---
+ libsoup/soup-filter-input-stream.c | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/libsoup/soup-filter-input-stream.c b/libsoup/soup-filter-input-stream.c
+index cde4d12..2c30bf9 100644
+--- a/libsoup/soup-filter-input-stream.c
++++ b/libsoup/soup-filter-input-stream.c
+@@ -198,7 +198,7 @@ soup_filter_input_stream_read_until (SoupFilterInputStream  *fstream,
+ 				     GCancellable           *cancellable,
+ 				     GError                **error)
+ {
+-	gssize nread;
++	gssize nread, read_length;
+ 	guint8 *p, *buf, *end;
+ 	gboolean eof = FALSE;
+ 	GError *my_error = NULL;
+@@ -251,10 +251,11 @@ soup_filter_input_stream_read_until (SoupFilterInputStream  *fstream,
+ 	} else
+ 		buf = fstream->priv->buf->data;
+ 
+-	/* Scan for the boundary */
+-	end = buf + fstream->priv->buf->len;
+-	if (!eof)
+-		end -= boundary_length;
++	/* Scan for the boundary within the range we can possibly return. */
++	if (include_boundary)
++		end = buf + MIN (fstream->priv->buf->len, length) - boundary_length;
++	else
++		end = buf + MIN (fstream->priv->buf->len - boundary_length, length);
+ 	for (p = buf; p <= end; p++) {
+ 		if (*p == *(guint8*)boundary &&
+ 		    !memcmp (p, boundary, boundary_length)) {
+@@ -268,10 +269,9 @@ soup_filter_input_stream_read_until (SoupFilterInputStream  *fstream,
+ 	if (!*got_boundary && fstream->priv->buf->len < length && !eof)
+ 		goto fill_buffer;
+ 
+-	/* Return everything up to 'p' (which is either just after the boundary if
+-	 * include_boundary is TRUE, just before the boundary if include_boundary is
+-	 * FALSE, @boundary_len - 1 bytes before the end of the buffer, or end-of-
+-	 * file).
+-	 */
+-	return read_from_buf (fstream, buffer, p - buf);
++	if (eof && !*got_boundary)
++		read_length = MIN (fstream->priv->buf->len, length);
++	else
++		read_length = p - buf;
++	return read_from_buf (fstream, buffer, read_length);
+ }
+-- 
+2.9.4
\ No newline at end of file
diff --git a/SPECS/libsoup.spec b/SPECS/libsoup.spec
index a8630d4..0b0b2c9 100644
--- a/SPECS/libsoup.spec
+++ b/SPECS/libsoup.spec
@@ -2,7 +2,7 @@
 
 Name: libsoup
 Version: 2.56.0
-Release: 3%{?dist}
+Release: 4%{?dist}
 Summary: Soup, an HTTP library implementation
 
 License: LGPLv2
@@ -19,6 +19,9 @@ Patch03: negotiate-internals.patch
 Patch04: negotiate-connection-close.patch
 # https://bugzilla.gnome.org/show_bug.cgi?id=783781
 Patch05: tcms-site-warning.patch
+# https://bugzilla.gnome.org/show_bug.cgi?id=785774
+# https://bugzilla.redhat.com/show_bug.cgi?id=1479281
+Patch06: chunked-decoding-buffer-overrun-CVE-2017-2885.patch
 
 BuildRequires: glib2-devel >= %{glib2_version}
 BuildRequires: glib-networking
@@ -58,6 +61,7 @@ you to develop applications that use the libsoup library.
 %patch03 -p1 -b .negotiate-internals
 %patch04 -p1 -b .negotiate-connection-close
 %patch05 -p1 -b .tcms-site-warning
+%patch06 -p1 -b .cve-2017-2885
 
 %build
 %configure --disable-static
@@ -97,6 +101,9 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/*.la
 %{_datadir}/vala/vapi/libsoup-2.4.vapi
 
 %changelog
+* Wed Aug 09 2017 Tomas Popela <tpopela@redhat.com> - 2.56.0-4
+- Fix chunked decoding buffer overrun (CVE-2017-2885) (rh #1479322)
+
 * Thu Jun 22 2017 Tomas Popela <tpopela@redhat.com> - 2.56.0-3
 - libsoup stuck on infinite loop for kerberized pages (rh #1439798)