diff --git a/SOURCES/0001-CVE-2018-5146-Prevent-out-of-bounds-write-in-codeboo.patch b/SOURCES/0001-CVE-2018-5146-Prevent-out-of-bounds-write-in-codeboo.patch
new file mode 100644
index 0000000..8ade300
--- /dev/null
+++ b/SOURCES/0001-CVE-2018-5146-Prevent-out-of-bounds-write-in-codeboo.patch
@@ -0,0 +1,92 @@
+From 667ceb4aab60c1f74060143bb24e5f427b3cce5f Mon Sep 17 00:00:00 2001
+From: Thomas Daede <daede003@umn.edu>
+Date: Thu, 15 Mar 2018 14:15:31 -0700
+Subject: [PATCH 3/3] CVE-2018-5146: Prevent out-of-bounds write in codebook
+ decoding.
+
+Codebooks that are not an exact divisor of the partition size are now
+truncated to fit within the partition.
+---
+ lib/codebook.c | 48 ++++++++++--------------------------------------
+ 1 file changed, 10 insertions(+), 38 deletions(-)
+
+diff --git a/lib/codebook.c b/lib/codebook.c
+index 321a28f..78672e2 100644
+--- a/lib/codebook.c
++++ b/lib/codebook.c
+@@ -386,7 +386,7 @@ long vorbis_book_decodevs_add(codebook *book,float *a,oggpack_buffer *b,int n){
+       t[i] = book->valuelist+entry[i]*book->dim;
+     }
+     for(i=0,o=0;i<book->dim;i++,o+=step)
+-      for (j=0;j<step;j++)
++      for (j=0;o+j<n && j<step;j++)
+         a[o+j]+=t[j][i];
+   }
+   return(0);
+@@ -398,41 +398,12 @@ long vorbis_book_decodev_add(codebook *book,float *a,oggpack_buffer *b,int n){
+     int i,j,entry;
+     float *t;
+ 
+-    if(book->dim>8){
+-      for(i=0;i<n;){
+-        entry = decode_packed_entry_number(book,b);
+-        if(entry==-1)return(-1);
+-        t     = book->valuelist+entry*book->dim;
+-        for (j=0;j<book->dim;)
+-          a[i++]+=t[j++];
+-      }
+-    }else{
+-      for(i=0;i<n;){
+-        entry = decode_packed_entry_number(book,b);
+-        if(entry==-1)return(-1);
+-        t     = book->valuelist+entry*book->dim;
+-        j=0;
+-        switch((int)book->dim){
+-        case 8:
+-          a[i++]+=t[j++];
+-        case 7:
+-          a[i++]+=t[j++];
+-        case 6:
+-          a[i++]+=t[j++];
+-        case 5:
+-          a[i++]+=t[j++];
+-        case 4:
+-          a[i++]+=t[j++];
+-        case 3:
+-          a[i++]+=t[j++];
+-        case 2:
+-          a[i++]+=t[j++];
+-        case 1:
+-          a[i++]+=t[j++];
+-        case 0:
+-          break;
+-        }
+-      }
++    for(i=0;i<n;){
++      entry = decode_packed_entry_number(book,b);
++      if(entry==-1)return(-1);
++      t     = book->valuelist+entry*book->dim;
++      for(j=0;i<n && j<book->dim;)
++        a[i++]+=t[j++];
+     }
+   }
+   return(0);
+@@ -470,12 +441,13 @@ long vorbis_book_decodevv_add(codebook *book,float **a,long offset,int ch,
+   long i,j,entry;
+   int chptr=0;
+   if(book->used_entries>0){
+-    for(i=offset/ch;i<(offset+n)/ch;){
++    int m=(offset+n)/ch;
++    for(i=offset/ch;i<m;){
+       entry = decode_packed_entry_number(book,b);
+       if(entry==-1)return(-1);
+       {
+         const float *t = book->valuelist+entry*book->dim;
+-        for (j=0;j<book->dim;j++){
++        for (j=0;i<m && j<book->dim;j++){
+           a[chptr++][i]+=t[j];
+           if(chptr==ch){
+             chptr=0;
+-- 
+2.16.2
+
diff --git a/SPECS/libvorbis.spec b/SPECS/libvorbis.spec
index a348eb6..98449b6 100644
--- a/SPECS/libvorbis.spec
+++ b/SPECS/libvorbis.spec
@@ -3,7 +3,7 @@
 Summary:	The Vorbis General Audio Compression Codec
 Name:		libvorbis
 Version:	1.3.3
-Release:	8%{?dist}
+Release:	8%{?dist}.1
 Epoch:		1
 Group:		System Environment/Libraries
 License:	BSD
@@ -11,6 +11,7 @@ URL:		http://www.xiph.org/
 Source:		http://downloads.xiph.org/releases/vorbis/%{name}-%{version}.tar.xz
 BuildRequires:	libogg-devel >= 2:1.1
 Patch2:		libvorbis-1.2.3-add-needed.patch
+Patch3:         0001-CVE-2018-5146-Prevent-out-of-bounds-write-in-codeboo.patch
 
 %description
 Ogg Vorbis is a fully open, non-proprietary, patent- and royalty-free,
@@ -44,7 +45,8 @@ Documentation for developing applications with libvorbis.
 
 %setup -q
 %patch2 -p1
-sed -i "s/-O20/$RPM_OPT_FLAGS/" configure
+%patch3 -p1
+sed -i "s|-O20|$RPM_OPT_FLAGS|" configure
 sed -i "s/-ffast-math//" configure
 sed -i "s/-mcpu=750//" configure
 
@@ -93,6 +95,9 @@ rm -rf $RPM_BUILD_ROOT
 %postun -p /sbin/ldconfig
 
 %changelog
+* Tue Mar 20 2018 Adam Jackson <ajax@redhat.com> - 1.3.3-8.1
+- Backport fix for CVE-2018-5146
+
 * Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 1:1.3.3-8
 - Mass rebuild 2014-01-24