diff --git a/netpbm-CVE-2017-2586.patch b/netpbm-CVE-2017-2586.patch
new file mode 100644
index 0000000..bae7fa2
--- /dev/null
+++ b/netpbm-CVE-2017-2586.patch
@@ -0,0 +1,12 @@
+diff -urNp old/converter/other/svgtopam.c new/converter/other/svgtopam.c
+--- old/converter/other/svgtopam.c 2017-02-08 12:11:02.593690917 +0100
++++ new/converter/other/svgtopam.c 2017-02-08 12:13:05.192846469 +0100
+@@ -676,7 +676,7 @@ stringToUint(const char * const string
+
+ /* TODO: move this to nstring.c */
+
+- if (strlen(string) == 0)
++ if (string == NULL || strlen(string) == 0)
+ pm_asprintf(errorP, "Value is a null string");
+ else {
+ char * tailptr;
diff --git a/netpbm-CVE-2017-2587.patch b/netpbm-CVE-2017-2587.patch
new file mode 100644
index 0000000..7e3bad7
--- /dev/null
+++ b/netpbm-CVE-2017-2587.patch
@@ -0,0 +1,26 @@
+diff -urNp old/converter/other/svgtopam.c new/converter/other/svgtopam.c
+--- old/converter/other/svgtopam.c 2017-02-08 12:11:02.593690917 +0100
++++ new/converter/other/svgtopam.c 2017-02-08 13:49:38.319029371 +0100
+@@ -771,12 +771,17 @@ createCanvas(unsigned int const width,
+
+ MALLOCVAR_NOFAIL(canvasP);
+
+- canvasP->width = width;
+- canvasP->height = height;
+- canvasP->pixels = ppm_allocarray(width, height);
+- canvasP->maxval = maxval;
++ if(canvasP != NULL){
++ canvasP->width = width;
++ canvasP->height = height;
++ canvasP->pixels = ppm_allocarray(width, height);
++ canvasP->maxval = maxval;
++
++ *canvasPP = canvasP;
++ } else {
++ pm_error("can't allocate memory for canvas");
++ }
+
+- *canvasPP = canvasP;
+ }
+
+
diff --git a/netpbm.spec b/netpbm.spec
index bab833d..0070b9d 100644
--- a/netpbm.spec
+++ b/netpbm.spec
@@ -1,7 +1,7 @@
 Summary: A library for handling different graphics file formats
 Name: netpbm
 Version: 10.77.00
-Release: 2%{?dist}
+Release: 3%{?dist}
 # See copyright_summary for details
 License: BSD and GPLv2 and IJG and MIT and Public Domain
 Group: System Environment/Libraries
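Review bot: The message on the line after the new check, `pm_asprintf(errorP, "Value is a null string")`, now covers both a NULL pointer and an empty string, so a missing attribute and an empty attribute in the input SVG are reported identically. Splitting the two conditions costs one extra line and makes the rejected input easier to diagnose: `if (string == NULL) pm_asprintf(errorP, "Value is missing"); else if (strlen(string) == 0) pm_asprintf(errorP, "Value is a null string");`. Where the NULL originates is not visible in this hunk (presumably an attribute lookup that yields NULL for an absent attribute); making the callee tolerant is a sound backstop, but the caller should still treat an absent attribute as a parse error rather than rely on this message alone. stringToUint's signature appears only in the hunk header and its parsing body under `else` continues past the hunk.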
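Review bot: The allocation that is actually sized by the caller-supplied dimensions, `canvasP->pixels = ppm_allocarray(width, height);`, remains unchecked, while the new null test covers only canvasP. Judging by its name, MALLOCVAR_NOFAIL presumably already terminates the program when malloc fails, so the added `else` branch may be unreachable — confirm against the macro's definition before relying on it. I would instead check the pixel array, `if (canvasP->pixels == NULL) pm_error("can't allocate memory for %u x %u canvas", width, height);` (width is `unsigned int` per the hunk header, so `%u` matches), or, if ppm_allocarray is documented to abort on failure itself, say so in a comment on that call; whether width and height are range-checked before reaching createCanvas is not visible here and the function's signature and remainder lie outside the hunk. As a point of style, `if(canvasP != NULL){` departs from the `if (` spacing used elsewhere in the file.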
@@ -17,6 +17,8 @@ Patch0: netpbm-security-scripts.patch
 Patch1: netpbm-security-code.patch
 Patch2: netpbm-ppmfadeusage.patch
 Patch3: netpbm-noppmtompeg.patch
+Patch4: netpbm-CVE-2017-2586.patch
+Patch5: netpbm-CVE-2017-2587.patch
 BuildRequires: libjpeg-devel, libpng-devel, libtiff-devel, flex
 BuildRequires: libX11-devel, perl-generators, python, jasper-devel, libxml2-devel
 BuildRequires: ghostscript-core
@@ -76,6 +78,8 @@ netpbm-doc. You'll also need to install the netpbm-progs package.
 %patch1 -p1 -b .security-code
 %patch2 -p1 -b .ppmfadeusage
 %patch3 -p1 -b .noppmtompeg
+%patch4 -p1 -b .CVE-2586
+%patch5 -p1 -b .CVE-2587
 
 %build
 ./configure < - 10.77.00-3 +- fix CVE-2017-2586, CVE-2017-2587 (#1419545) + * Mon Jan 23 2017 Josef Ridky - 10.77.00-2 - fix #1404757 - add copyright_summary to doc section