diff --git a/SOURCES/libtirpc-0.2.4-badfree.patch b/SOURCES/libtirpc-0.2.4-badfree.patch
new file mode 100644
index 0000000..8b4587e
--- /dev/null
+++ b/SOURCES/libtirpc-0.2.4-badfree.patch
@@ -0,0 +1,42 @@
+diff -up libtirpc-0.2.4/src/getnetconfig.c.orig libtirpc-0.2.4/src/getnetconfig.c
+--- libtirpc-0.2.4/src/getnetconfig.c.orig	2018-12-17 10:42:21.296108473 -0500
++++ libtirpc-0.2.4/src/getnetconfig.c	2018-12-17 10:51:36.397454242 -0500
+@@ -682,6 +682,7 @@ struct netconfig	*ncp;
+ {
+     struct netconfig	*p;
+     char	*tmp;
++    char	*t;
+     u_int	i;
+ 
+     if ((tmp=malloc(MAXNETCONFIGLINE)) == NULL)
+@@ -701,22 +702,21 @@ struct netconfig	*ncp;
+      */
+     *p = *ncp;
+     p->nc_netid = (char *)strcpy(tmp,ncp->nc_netid);
+-    tmp = strchr(tmp, 0) + 1;
+-    p->nc_protofmly = (char *)strcpy(tmp,ncp->nc_protofmly);
+-    tmp = strchr(tmp, 0) + 1;
+-    p->nc_proto = (char *)strcpy(tmp,ncp->nc_proto);
+-    tmp = strchr(tmp, 0) + 1;
+-    p->nc_device = (char *)strcpy(tmp,ncp->nc_device);
++    t = strchr(tmp, 0) + 1;
++    p->nc_protofmly = (char *)strcpy(t,ncp->nc_protofmly);
++    t = strchr(t, 0) + 1;
++    p->nc_proto = (char *)strcpy(t,ncp->nc_proto);
++    t = strchr(t, 0) + 1;
++    p->nc_device = (char *)strcpy(t,ncp->nc_device);
+     p->nc_lookups = (char **)malloc((size_t)(p->nc_nlookups+1) * sizeof(char *));
+     if (p->nc_lookups == NULL) {
+-	free(p->nc_netid);
+ 	free(p);
+ 	free(tmp);
+ 	return(NULL);
+     }
+     for (i=0; i < p->nc_nlookups; i++) {
+-    	tmp = strchr(tmp, 0) + 1;
+-    	p->nc_lookups[i] = (char *)strcpy(tmp,ncp->nc_lookups[i]);
++	t = strchr(t, 0) + 1;
++	p->nc_lookups[i] = (char *)strcpy(t,ncp->nc_lookups[i]);
+     }
+     return(p);
+ }
diff --git a/SOURCES/libtirpc-0.2.4-eof.patch b/SOURCES/libtirpc-0.2.4-eof.patch
new file mode 100644
index 0000000..e325a0f
--- /dev/null
+++ b/SOURCES/libtirpc-0.2.4-eof.patch
@@ -0,0 +1,68 @@
+diff -up libtirpc-0.2.4/src/svc_vc.c.orig libtirpc-0.2.4/src/svc_vc.c
+--- libtirpc-0.2.4/src/svc_vc.c.orig	2018-12-17 10:54:46.174307476 -0500
++++ libtirpc-0.2.4/src/svc_vc.c	2018-12-17 11:00:53.841166947 -0500
+@@ -494,9 +494,14 @@ read_vc(xprtp, buf, len)
+ 	cfp = (struct cf_conn *)xprt->xp_p1;
+ 
+ 	if (cfp->nonblock) {
++		/* Since len == 0 is returned on zero length
++		 * read or EOF errno needs to be reset before
++		 * the read
++		 */
++		errno = 0;
+ 		len = read(sock, buf, (size_t)len);
+ 		if (len < 0) {
+-			if (errno == EAGAIN)
++			if (errno == EAGAIN || errno == EWOULDBLOCK)
+ 				len = 0;
+ 			else
+ 				goto fatal_err;
+diff -up libtirpc-0.2.4/src/xdr_rec.c.orig libtirpc-0.2.4/src/xdr_rec.c
+--- libtirpc-0.2.4/src/xdr_rec.c.orig	2013-12-09 15:59:51.000000000 -0500
++++ libtirpc-0.2.4/src/xdr_rec.c	2018-12-17 11:00:53.842166963 -0500
+@@ -63,6 +63,7 @@
+ #include <rpc/svc.h>
+ #include <rpc/clnt.h>
+ #include <stddef.h>
++#include <errno.h>
+ #include "rpc_com.h"
+ static bool_t	xdrrec_getlong(XDR *, long *);
+ static bool_t	xdrrec_putlong(XDR *, const long *);
+@@ -539,7 +540,13 @@ __xdrrec_getrec(xdrs, statp, expectdata)
+ 		n = rstrm->readit(rstrm->tcp_handle, rstrm->in_hdrp,
+ 		    (int)sizeof (rstrm->in_header) - rstrm->in_hdrlen);
+ 		if (n == 0) {
+-			*statp = expectdata ? XPRT_DIED : XPRT_IDLE;
++			/* EAGAIN or EWOULDBLOCK means a zero length
++			 * read not an EOF.
++			 */
++			if (errno == EAGAIN || errno == EWOULDBLOCK)
++				*statp = XPRT_IDLE;
++			else
++				*statp = expectdata ? XPRT_DIED : XPRT_IDLE;
+ 			return FALSE;
+ 		}
+ 		if (n < 0) {
+@@ -566,6 +573,7 @@ __xdrrec_getrec(xdrs, statp, expectdata)
+ 			rstrm->in_header &= ~LAST_FRAG;
+ 			rstrm->last_frag = TRUE;
+ 		}
++		rstrm->in_haveheader = 1;
+ 	}
+ 
+ 	n =  rstrm->readit(rstrm->tcp_handle,
+@@ -578,7 +586,13 @@ __xdrrec_getrec(xdrs, statp, expectdata)
+ 	}
+ 
+ 	if (n == 0) {
+-		*statp = expectdata ? XPRT_DIED : XPRT_IDLE;
++		/* EAGAIN or EWOULDBLOCK means a zero length
++		 * read not an EOF.
++		 */
++		if (errno == EAGAIN || errno == EWOULDBLOCK)
++			*statp = XPRT_IDLE;
++		else
++			*statp = expectdata ? XPRT_DIED : XPRT_IDLE;
+ 		return FALSE;
+ 	}
+ 
diff --git a/SPECS/libtirpc.spec b/SPECS/libtirpc.spec
index d0c060a..528880e 100644
--- a/SPECS/libtirpc.spec
+++ b/SPECS/libtirpc.spec
@@ -2,7 +2,7 @@
 
 Name:		   libtirpc
 Version:		0.2.4
-Release:		0.15%{?dist}
+Release:		0.16%{?dist}
 Summary:		Transport Independent RPC Library
 Group:		  	System Environment/Libraries
 License:		SISSL and BSD
@@ -41,9 +41,16 @@ Patch009: libtirpc-0.2.4-CVE-2017-8779.patch
 
 #
 # RHEL7.6
+#
 Patch010: libtirpc-0.2.4-xdrstdio.patch
 Patch011: libtirpc-0.2.4-covscan.patch
 
+#
+# RHEL7.7
+#
+Patch012: libtirpc-0.2.4-badfree.patch
+Patch013: libtirpc-0.2.4-eof.patch
+
 %description
 This package contains SunLib's implementation of transport-independent
 RPC (TI-RPC) documentation.  This library forms a piece of the base of 
@@ -91,6 +98,10 @@ developing programs which use the tirpc library.
 %patch010 -p1
 # 1627856 - Backport important issues found by covscan in...
 %patch011 -p1
+# 1631609 - BAD_FREE: "free" frees incorrect pointer "tmp" found by covscan
+%patch012 -p1
+# 1331554 - rpcbind closes connection when rpc fragment sent...
+%patch013 -p1
 
 # Remove .orig files
 find . -name "*.orig" | xargs rm -f
@@ -179,6 +190,10 @@ rm -rf %{buildroot}
 %{_mandir}/*/*
 
 %changelog
+* Mon Dec 17 2018 Steve Dickson <steved@redhat.com> 0.2.4-0.16
+- getnetconfig.c: fix a BAD_FREE (CWE-763) (bz 1631609)
+- Fix EOF detection on non-blocking socket (bz 1331554)
+
 * Wed Sep 19 2018 Steve Dickson <steved@redhat.com> 0.2.4-0.15
 - Fixed typo in spec file (bz 1627856)