diff --git a/pkgs/tools/compression/bzip2/cve-2019-12900.patch b/pkgs/tools/compression/bzip2/cve-2019-12900.patch
new file mode 100644
index 000000000000..bf3d13a7a691
--- /dev/null
+++ b/pkgs/tools/compression/bzip2/cve-2019-12900.patch
@@ -0,0 +1,13 @@
+https://gitlab.com/federicomenaquintero/bzip2/commit/74de1e2e6ffc9d
+diff --git a/decompress.c b/decompress.c
+--- a/decompress.c
++++ b/decompress.c
+@@ -287,7 +287,7 @@
+       GET_BITS(BZ_X_SELECTOR_1, nGroups, 3);
+       if (nGroups < 2 || nGroups > 6) RETURN(BZ_DATA_ERROR);
+       GET_BITS(BZ_X_SELECTOR_2, nSelectors, 15);
+-      if (nSelectors < 1) RETURN(BZ_DATA_ERROR);
++      if (nSelectors < 1 || nSelectors > BZ_MAX_SELECTORS) RETURN(BZ_DATA_ERROR);
+       for (i = 0; i < nSelectors; i++) {
+          j = 0;
+          while (True) {
diff --git a/pkgs/tools/compression/bzip2/default.nix b/pkgs/tools/compression/bzip2/default.nix
index ffdbcf463eab..a0ec6c07055b 100644
--- a/pkgs/tools/compression/bzip2/default.nix
+++ b/pkgs/tools/compression/bzip2/default.nix
@@ -22,6 +22,7 @@ stdenv.mkDerivation rec {
 
   patches = [
     ./CVE-2016-3189.patch
+    ./cve-2019-12900.patch
   ];
 
   postPatch = ''