diff --git a/sane-backends-1.0.25-CVE-2017-6318.patch b/sane-backends-1.0.25-CVE-2017-6318.patch
new file mode 100644
index 0000000..53de320
--- /dev/null
+++ b/sane-backends-1.0.25-CVE-2017-6318.patch
@@ -0,0 +1,42 @@
+diff -up sane-backends-1.0.25/frontend/saned.c.CVE-2017-6318 sane-backends-1.0.25/frontend/saned.c
+--- sane-backends-1.0.25/frontend/saned.c.CVE-2017-6318	2017-03-22 09:05:09.884788366 +0100
++++ sane-backends-1.0.25/frontend/saned.c	2017-03-22 16:58:20.393869129 +0100
+@@ -1986,6 +1986,38 @@ process_request (Wire * w)
+ 	    return 1;
+ 	  }
+ 
++        /* Addresses CVE-2017-6318 (#315576, Debian BTS #853804) */
++        /* This is done here (rather than in sanei/sanei_wire.c where
++         * it should be done) to minimize scope of impact and amount
++         * of code change.
++         */
++        if (w->direction == WIRE_DECODE
++            && req.value_type == SANE_TYPE_STRING
++            && req.action     == SANE_ACTION_GET_VALUE)
++          {
++            if (req.value)
++              {
++                /* FIXME: If req.value contains embedded NUL
++                 *        characters, this is wrong but we do not have
++                 *        access to the amount of memory allocated in
++                 *        sanei/sanei_wire.c at this point.
++                 */
++                w->allocated_memory -= (1 + strlen (req.value));
++                free (req.value);
++              }
++            req.value = malloc (req.value_size);
++            if (!req.value)
++              {
++                w->status = ENOMEM;
++                DBG (DBG_ERR,
++                     "process_request: (control_option) "
++                     "h=%d (%s)\n", req.handle, strerror (w->status));
++                return 1;
++              }
++            memset (req.value, 0, req.value_size);
++            w->allocated_memory += req.value_size;
++          }
++
+ 	can_authorize = 1;
+ 
+ 	memset (&reply, 0, sizeof (reply));	/* avoid leaking bits */
diff --git a/sane-backends.spec b/sane-backends.spec
index c32c0e1..ca022b4 100644
--- a/sane-backends.spec
+++ b/sane-backends.spec
@@ -33,7 +33,7 @@
 Summary: Scanner access software
 Name: sane-backends
 Version: 1.0.25
-Release: 6%{?dist}
+Release: 7%{?dist}
 # lib/ is LGPLv2+, backends are GPLv2+ with exceptions
 # Tools are GPLv2+, docs are public domain
 # see LICENSE for details
@@ -53,6 +53,8 @@ Patch1: sane-backends-1.0.23-soname.patch
 Patch2: sane-backends-1.0.23-sane-config-multilib.patch
 # Backported from upstream, commit 6585b6f60d07a196e42c99b935e2754bbc80b3c8
 Patch3: sane-backends-1.0.25-avision-skip-adf.patch
+# CVE-2017-6318 - backported from upstream 42896939822b44f44ecd1b6d35afdfa4473ed35d
+Patch4: sane-backends-1.0.25-CVE-2017-6318.patch
 
 URL: http://www.sane-project.org
 
@@ -180,6 +182,7 @@ access image acquisition devices available on the local host.
 %patch1 -p1 -b .soname
 %patch2 -p1 -b .sane-config-multilib
 %patch3 -p1 -b .avision-skip-adf
+%patch4 -p1 -b .CVE-2017-6318
 
 %build
 CFLAGS="%optflags -fno-strict-aliasing"
@@ -330,6 +333,9 @@ exit 0
 %{_unitdir}/saned@.service
 
 %changelog
+* Wed Mar 22 2017 Zdenek Dohnal <zdohnal@redhat.com> - 1.0.25-7
+- 1428886 - CVE-2017-6318 sane-backends: SANE_NET_CONTROL_OPTION response packet may contain memory contents of the server [fedora-all]
+
 * Tue Mar 14 2017 Nils Philippsen <nils@redhat.com> - 1.0.25-6
 - avision: add "skip-adf" option (#1288712)