diff --git a/texlive-base-CVE-2018-17407.patch b/texlive-base-CVE-2018-17407.patch
new file mode 100644
index 0000000..36d1139
--- /dev/null
+++ b/texlive-base-CVE-2018-17407.patch
@@ -0,0 +1,39 @@
+diff -up texlive-base-20180414/source/texk/dvipsk/writet1.c.CVE-2018-17407 texlive-base-20180414/source/texk/dvipsk/writet1.c
+--- texlive-base-20180414/source/texk/dvipsk/writet1.c.CVE-2018-17407	2018-10-01 11:03:50.140899732 -0400
++++ texlive-base-20180414/source/texk/dvipsk/writet1.c	2018-10-01 11:04:31.425999765 -0400
+@@ -1449,7 +1449,9 @@ static void t1_check_unusual_charstring(
+         *(strend(t1_buf_array) - 1) = ' ';
+ 
+         t1_getline();
++        alloc_array(t1_buf, strlen(t1_line_array) + strlen(t1_buf_array) + 1, T1_BUF_SIZE);
+         strcat(t1_buf_array, t1_line_array);
++        alloc_array(t1_line, strlen(t1_buf_array) + 1, T1_BUF_SIZE);
+         strcpy(t1_line_array, t1_buf_array);
+         t1_line_ptr = eol(t1_line_array);
+     }
+diff -up texlive-base-20180414/source/texk/web2c/luatexdir/font/writet1.w.CVE-2018-17407 texlive-base-20180414/source/texk/web2c/luatexdir/font/writet1.w
+--- texlive-base-20180414/source/texk/web2c/luatexdir/font/writet1.w.CVE-2018-17407	2018-10-01 11:05:54.404187837 -0400
++++ texlive-base-20180414/source/texk/web2c/luatexdir/font/writet1.w	2018-10-01 11:06:33.537335758 -0400
+@@ -1625,7 +1625,9 @@ static void t1_check_unusual_charstring(
+     if (sscanf(p, "%i", &i) != 1) {
+         strcpy(t1_buf_array, t1_line_array);
+         t1_getline();
++        alloc_array(t1_buf, strlen(t1_line_array) + strlen(t1_buf_array) + 1, T1_BUF_SIZE);
+         strcat(t1_buf_array, t1_line_array);
++        alloc_array(t1_line, strlen(t1_buf_array) + 1, T1_BUF_SIZE);
+         strcpy(t1_line_array, t1_buf_array);
+         t1_line_ptr = eol(t1_line_array);
+     }
+diff -up texlive-base-20180414/source/texk/web2c/pdftexdir/writet1.c.CVE-2018-17407 texlive-base-20180414/source/texk/web2c/pdftexdir/writet1.c
+--- texlive-base-20180414/source/texk/web2c/pdftexdir/writet1.c.CVE-2018-17407	2018-10-01 11:06:57.881806099 -0400
++++ texlive-base-20180414/source/texk/web2c/pdftexdir/writet1.c	2018-10-01 11:08:06.424314628 -0400
+@@ -1598,7 +1598,9 @@ static void t1_check_unusual_charstring(
+         *(strend(t1_buf_array) - 1) = ' ';
+ 
+         t1_getline();
++        alloc_array(t1_buf, strlen(t1_line_array) + strlen(t1_buf_array) + 1, T1_BUF_SIZE);
+         strcat(t1_buf_array, t1_line_array);
++        alloc_array(t1_line, strlen(t1_buf_array) + 1, T1_BUF_SIZE);
+         strcpy(t1_line_array, t1_buf_array);
+         t1_line_ptr = eol(t1_line_array);
+     }
diff --git a/texlive-base.spec b/texlive-base.spec
index bcf344f..f58f21d 100644
--- a/texlive-base.spec
+++ b/texlive-base.spec
@@ -21,7 +21,7 @@
 
 Name: %{shortname}-base
 Version: %{source_date}
-Release: 22%{?dist}
+Release: 23%{?dist}
 Epoch: 7
 Summary: TeX formatting system
 # The only files in the base package are directories, cache, and license texts
@@ -407,6 +407,7 @@ Patch8: texlive-20180414-texinfo-path-fix.patch
 Patch11: texlive-20180215-disable-more-failing-tests.patch
 Patch12: texlive-20180414-poppler-0.64.patch
 Patch13: texlive-20180414-synctex-version.patch
+Patch14: texlive-base-CVE-2018-17407.patch
 
 # Can't do this because it causes everything else to be noarch
 # BuildArch: noarch
@@ -6389,6 +6390,7 @@ xz -dc %{SOURCE0} | tar x
 %patch11 -p0 -b .dt
 %patch12 -p1 -b .poppler-0.64
 %patch13 -p1 -b .synctex-version
+%patch14 -p1 -b .CVE-2018-17407
 # Setup copies of the licenses
 for l in `unxz -c %{SOURCE3} | tar t`; do
 ln -s %{_texdir}/licenses/$l $l
@@ -8732,6 +8734,9 @@ done <<< "$list"
 %doc %{_texdir}/texmf-dist/doc/latex/yplan/
 
 %changelog
+* Mon Oct  1 2018 Tom Callaway <spot@fedoraproject.org> - 7:20180414-23
+- apply upstream fix for CVE-2018-17407
+
 * Wed Sep 19 2018 Tom Callaway <spot@fedoraproject.org> - 7:20180414-22
 - fix lyluatex provides