diff --git a/SOURCES/openscap-1.3.4-rpmverifyfile_leak-PR_1565.patch b/SOURCES/openscap-1.3.4-rpmverifyfile_leak-PR_1565.patch
new file mode 100644
index 0000000..1cb6e65
--- /dev/null
+++ b/SOURCES/openscap-1.3.4-rpmverifyfile_leak-PR_1565.patch
@@ -0,0 +1,103 @@
+From 4ef60df7edfdd7a49a565494142f86d93f9268b3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
+Date: Fri, 31 Jul 2020 10:38:17 +0200
+Subject: [PATCH] Plug a memory leak
+
+==12029== at 0x483A809: malloc (vg_replace_malloc.c:307)
+==12029== by 0x51F1386: realpath@@GLIBC_2.3 (in /usr/lib64/libc-2.31.so)
+==12029== by 0x489F8CA: oscap_realpath (util.c:251)
+==12029== by 0x495E6EF: rpmverify_collect (rpmverifyfile_probe.c:248)
+==12029== by 0x495F461: rpmverifyfile_probe_main (rpmverifyfile_probe.c:543)
+==12029== by 0x4935598: probe_worker (worker.c:1090)
+==12029== by 0x4932F10: probe_worker_runfn (worker.c:81)
+==12029== by 0x4CDA431: start_thread (in /usr/lib64/libpthread-2.31.so)
+==12029== by 0x52A8912: clone (in /usr/lib64/libc-2.31.so)
+
+==12029== at 0x483CCE8: realloc (vg_replace_malloc.c:834)
+==12029== by 0x4D9DCD8: rrealloc (in /usr/lib64/librpmio.so.9.0.1)
+==12029== by 0x4D25B88: headerFormat (in /usr/lib64/librpm.so.9.0.1)
+==12029== by 0x495E467: rpmverify_collect (rpmverifyfile_probe.c:230)
+==12029== by 0x495F461: rpmverifyfile_probe_main
+(rpmverifyfile_probe.c:543)
+==12029== by 0x4935598: probe_worker (worker.c:1090)
+==12029== by 0x4932F10: probe_worker_runfn (worker.c:81)
+==12029== by 0x4CDA431: start_thread (in
+/usr/lib64/libpthread-2.31.so)
+==12029== by 0x52A8912: clone (in /usr/lib64/libc-2.31.so)
+
+Resolves: RHBZ#1861301
+---
+ .../probes/unix/linux/rpmverifyfile_probe.c | 24 ++++++++++++++-----
+ 1 file changed, 18 insertions(+), 6 deletions(-)
+
+diff --git a/src/OVAL/probes/unix/linux/rpmverifyfile_probe.c b/src/OVAL/probes/unix/linux/rpmverifyfile_probe.c
+index c86818e72..57d69f552 100644
+--- a/src/OVAL/probes/unix/linux/rpmverifyfile_probe.c
++++ b/src/OVAL/probes/unix/linux/rpmverifyfile_probe.c
+@@ -61,10 +61,10 @@
+
+ struct rpmverify_res {
+ char *name; /**< package name */
+- const char *epoch;
+- const char *version;
+- const char *release;
+- const char *arch;
++ char *epoch;
++ char *version;
++ char *release;
++ char *arch;
+ char *file; /**< filepath */
+ char extended_name[1024];
+ rpmVerifyAttrs vflags; /**< rpm verify flags */
+@@ -272,14 +272,14 @@ static int rpmverify_collect(probe_ctx *ctx,
+ free(current_file_realpath);
+ continue;
+ }
+- res.file = current_file_realpath ? current_file_realpath : strdup(current_file);
++ res.file = current_file_realpath ? oscap_strdup(current_file_realpath) : oscap_strdup(current_file);
+ break;
+ case OVAL_OPERATION_PATTERN_MATCH:
+ ret = pcre_exec(re, NULL, current_file, strlen(current_file), 0, 0, NULL, 0);
+
+ switch(ret) {
+ case 0: /* match */
+- res.file = strdup(current_file);
++ res.file = oscap_strdup(current_file);
+ break;
+ case -1:
+ /* mismatch */
+@@ -299,12 +299,18 @@ static int rpmverify_collect(probe_ctx *ctx,
+ free(current_file_realpath);
+ goto ret;
+ }
++ free(current_file_realpath);
+
+ if (rpmVerifyFile(g_rpm->rpmts, fi, &res.vflags, omit) != 0)
+ res.vflags = RPMVERIFY_FAILURES;
+
+ if (callback(ctx, &res) != 0) {
+ ret = 0;
++ free(res.name);
++ free(res.epoch);
++ free(res.version);
++ free(res.release);
++ free(res.arch);
+ free(res.file);
+ goto ret;
+ }
+@@ -313,6 +319,12 @@ static int rpmverify_collect(probe_ctx *ctx,
+
+ rpmfiFree(fi);
+ }
++
++ free(res.name);
++ free(res.epoch);
++ free(res.version);
++ free(res.release);
++ free(res.arch);
+ }
+
+ match = rpmdbFreeIterator (match);
+-- 
+2.26.2
+
diff --git a/SPECS/openscap.spec b/SPECS/openscap.spec
index 1095a6b..6836de2 100644
--- a/SPECS/openscap.spec
+++ b/SPECS/openscap.spec
@@ -1,6 +1,6 @@
 Name: openscap
 Version: 1.3.3
-Release: 3%{?dist}
+Release: 4%{?dist}
 Summary: Set of open source libraries enabling integration of the SCAP line of standards
 Group: System Environment/Libraries
 License: LGPLv2+
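Review bot: In the embedded rpmverifyfile_probe.c patch, the error exit kept as context at the top of the `@@ -299,12 +299,18 @@` hunk (`free(current_file_realpath); goto ret;`) still leaves without freeing `res.name`, `res.epoch`, `res.version`, `res.release` and `res.arch`. If those fields are already populated at that point, the leak plugged on the callback-failure and end-of-package paths remains on this one, which matters for a probe that walks every installed package on a long scan. The same five `free()` calls are now written out twice; a single static cleanup helper (for example a hypothetical `rpmverify_res_free(&res)`) called on every exit from the package loop would keep the paths in step. The `oscap_strdup()` results assigned to `res.file` are not checked inside the visible hunks, so an allocation failure would hand a NULL path to `callback()` unless it is caught in the lines between the hunks. `rpmverify_collect` starts and ends outside these hunks, so what the `ret:` label itself releases could not be checked here.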
@@ -11,6 +11,7 @@ Patch2: openscap-1.3.4-fix-no-more-recursion.patch Patch3: openscap-1.3.4-add_compression_support-PR_1557.patch Patch4: openscap-1.3.4-add_compression_test-PR_1564.patch Patch5: openscap-1.3.4-add_compression_tracing-PR_1561.patch +Patch6: openscap-1.3.4-rpmverifyfile_leak-PR_1565.patch BuildRequires: cmake >= 2.6 BuildRequires: swig libxml2-devel libxslt-devel perl-generators perl-XML-Parser @@ -136,6 +137,7 @@ for developing applications that use %{name}-engine-sce. %patch3 -p1 %patch4 -p1 %patch5 -p1 +%patch6 -p1 mkdir build %build @@ -223,6 +225,9 @@ rm -rf $RPM_BUILD_ROOT %{_bindir}/oscap-run-sce-script %changelog +* Mon Aug 03 2020 Jan Černý - 1.3.3-4 +- Fix memory leaks in rpmverifyfile probe (RHBZ#1861301) + * Tue Jul 21 2020 Matěj Týč - 1.3.3-3 - Added support for fetching remote content with compression (RHBZ#1855708)