diff --git a/ghostscript-9.20-cve-2017-5951.patch b/ghostscript-9.20-cve-2017-5951.patch
new file mode 100644
index 0000000..a924c7f
--- /dev/null
+++ b/ghostscript-9.20-cve-2017-5951.patch
@@ -0,0 +1,39 @@
+From bfa6b2ecbe48edc69a7d9d22a12419aed25960b8 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Thu, 6 Apr 2017 16:44:54 +0100
+Subject: [PATCH] Bug 697548: use the correct param list enumerator
+
+When we encountered dictionary in a ref_param_list, we were using the enumerator
+for the "parent" param_list, rather than the enumerator for the param_list
+we just created for the dictionary. That parent was usually the stack
+list enumerator, and caused a segfault.
+
+Using the correct enumerator works better.
+---
+ psi/iparam.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/psi/iparam.c b/psi/iparam.c
+index 4e63b6d..b2fa85f 100644
+--- a/psi/iparam.c
++++ b/psi/iparam.c
+@@ -770,12 +770,13 @@ ref_param_read_typed(gs_param_list * plist, gs_param_name pkey,
+                 gs_param_enumerator_t enumr;
+                 gs_param_key_t key;
+                 ref_type keytype;
++                dict_param_list *dlist = (dict_param_list *) pvalue->value.d.list;
+ 
+                 param_init_enumerator(&enumr);
+-                if (!(*((iparam_list *) plist)->enumerate)
+-                    ((iparam_list *) pvalue->value.d.list, &enumr, &key, &keytype)
++                if (!(*(dlist->enumerate))
++                    ((iparam_list *) dlist, &enumr, &key, &keytype)
+                     && keytype == t_integer) {
+-                    ((dict_param_list *) pvalue->value.d.list)->int_keys = 1;
++                    dlist->int_keys = 1;
+                     pvalue->type = gs_param_type_dict_int_keys;
+                 }
+             }
+-- 
+2.9.3
+
diff --git a/ghostscript.spec b/ghostscript.spec
index 3dd5236..b2cb1a8 100644
--- a/ghostscript.spec
+++ b/ghostscript.spec
@@ -35,6 +35,7 @@ Patch14: ghostscript-9.20-cve-2016-10217.patch
 Patch15: ghostscript-9.20-cve-2016-10218.patch
 Patch16: ghostscript-9.20-cve-2016-10219.patch
 Patch17: ghostscript-9.20-cve-2016-10220.patch
+Patch18: ghostscript-9.20-cve-2017-5951.patch
 
 Requires: %{name}-core%{?_isa} = %{version}-%{release}
 Requires: %{name}-x11%{?_isa} = %{version}-%{release}
@@ -175,6 +176,9 @@ rm -rf expat freetype icclib jasper jpeg jpegxr lcms lcms2 libpng openjpeg zlib 
 # CVE-2016-10220 (bug #1441571):
 %patch17 -p1
 
+# CVE-2017-5951 (bug #1441572):
+%patch18 -p1
+
 # Convert manual pages to UTF-8
 from8859_1() {
         iconv -f iso-8859-1 -t utf-8 < "$1" > "${1}_"
@@ -377,6 +381,7 @@ rm -rf $RPM_BUILD_ROOT
   - CVE-2016-10218 (bug #1441568)
   - CVE-2016-10219 (bug #1441569)
   - CVE-2016-10220 (bug #1441571)
+  - CVE-2017-5951  (bug #1441572)
 
 * Thu Apr 06 2017 David Kaspar [Dee'Kej] <dkaspar@redhat.com> - 9.20-8
   Added security fix for CVE-2017-7207 (bug #1434497)