diff --git a/backport-CVE-2017-9937.patch b/backport-CVE-2017-9937.patch
new file mode 100644
index 0000000000000000000000000000000000000000..9b5733e17eeca01e2b7cdac4051a654516219120
--- /dev/null
+++ b/backport-CVE-2017-9937.patch
@@ -0,0 +1,54 @@
+From 535df935911c401d345cb004a2fa00eb7a727259 Mon Sep 17 00:00:00 2001
+From: wiz
+Date: Mon, 3 Aug 2020 21:34:06 +0000
+Subject: [PATCH] jbigkit: fix CVE-2017-9937 using upstream commit
+
+See e.g.
+https://gitlab.com/libtiff/libtiff/-/issues/97
+
+Bump PKGREVISION.
+
+---
+ libjbig/jbig.c | 5 +++++
+ libjbig/jbig.h | 2 ++
+ 2 files changed, 7 insertions(+)
+
+diff --git a/libjbig/jbig.c b/libjbig/jbig.c
+index 751ceff..7b5b99e 100644
+--- a/libjbig/jbig.c
++++ b/libjbig/jbig.c
+@@ -2051,6 +2051,7 @@ void jbg_dec_init(struct jbg_dec_state *s)
+ s->xmax = 4294967295UL;
+ s->ymax = 4294967295UL;
+ s->dmax = 256;
++ s->maxmem = 2000000000; /* no final image larger than 2 GB by default */
+ s->s = NULL;
+
+ return;
+@@ -2640,6 +2641,10 @@ int jbg_dec_in(struct jbg_dec_state *s, unsigned char *data, size_t len,
+ return JBG_EIMPL | 5;
+ s->options = s->buffer[19];
+
++ /* will the final image require more bytes than permitted by s->maxmem? */
++ if (s->maxmem / s->planes / s->yd / jbg_ceil_half(s->xd, 3) == 0)
++ return JBG_ENOMEM; /* increase s->maxmem if needed */
++
+ /* calculate number of stripes that will be required */
+ s->stripes = jbg_stripes(s->l0, s->yd, s->d);
+
+diff --git a/libjbig/jbig.h b/libjbig/jbig.h
+index 6799410..7a9cdf9 100644
+--- a/libjbig/jbig.h
++++ b/libjbig/jbig.h
+@@ -181,6 +181,8 @@ struct jbg_dec_state {
+ unsigned long xmax, ymax; /* if possible abort before image gets *
+ * larger than this size */
+ int dmax; /* abort after this layer */
++ size_t maxmem; /* return JBG_ENOMEM if final image layer D
++ would require more than maxmem bytes */
+ };
+
+
+--
+2.23.0
+
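Review bot: Appending `size_t maxmem` to `struct jbg_dec_state` in `jbig.h` grows a structure that is passed by pointer to `jbg_dec_init()`, and the patched `jbg_dec_init()` now stores to `s->maxmem`; if callers allocate the structure themselves (presumably so, given the signature), a program built against the old header would have that store land past the end of its object once the shared library is replaced. The spec changes only Release, so dependents should be rebuilt together with this update, or the soname handling in the shlib patch checked. In `jbg_dec_in()` the new guard divides by `s->planes`, `s->yd` and `jbg_ceil_half(s->xd, 3)`; both functions continue outside the hunk, so it should be confirmed that the zero checks on those header fields run before this line. The 2000000000-byte default is still generous for a service decoding untrusted images, and a header comment such as `/* callers handling untrusted input should lower maxmem after jbg_dec_init() */` would make the knob discoverable.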
diff --git a/jbigkit.spec b/jbigkit.spec index 0449c9e28442b9ffaf8ef6c1280a953eba548b5c..a36ae7e8a0ad13ee3112475266469ee754dc41fb 100644 --- a/jbigkit.spec +++ b/jbigkit.spec @@ -1,6 +1,6 @@ Name: jbigkit Version: 2.1 -Release: 17 +Release: 19 Summary: Lossless image compression library License: GPLv2+ @@ -11,8 +11,9 @@ Source0: https://www.cl.cam.ac.uk/~mgk25/jbigkit/download/%{name}-%{versi Patch0: jbigkit-2.1-shlib.patch Patch1: jbigkit-2.0-warnings.patch Patch2: jbigkit-ldflags.patch +Patch6000: backport-CVE-2017-9937.patch -BuildRequires: gcc +BuildRequires: gcc vim Requires: %{name}-libs = %{version}-%{release} %description @@ -41,6 +42,9 @@ files for %{name} development. %autosetup -n %{name}-%{version} -p1 %build +export CFLAGS="${CFLAGS:-%optflags}" +export CXXFLAGS="${CXXFLAGS:-%optflags}" +export FFLAGS="${FFLAGS:-%optflags}" %make_build %install @@ -79,6 +83,12 @@ make test %{_mandir}/man1/* %changelog +* Tue Feb 9 2021 jinzhimin - 2.1-19 +- fix CVE-2017-9937 + +* Tue Feb 9 2021 jinzhimin - 2.1-18 +- add CFLAGS in build + * Mon Feb 17 2020 hexiujun - 2.1-17 - Type:enhancement - ID:NA
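Review bot: `BuildRequires: gcc vim` adds an editor to the build root, yet nothing in the visible `%build` or `%install` lines invokes it and neither new changelog entry mentions it. Every extra build dependency widens what the package build has to trust and keep patched, so unless a step outside this hunk needs it the line should stay `BuildRequires: gcc`. If it is needed, a spec comment naming the step that uses it would make the reason auditable.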
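Review bot: The three `export` lines added to `%build` place `%optflags` in the environment only, and a `CFLAGS =` assignment inside a Makefile takes precedence over an environment variable unless make is run with `-e`. The Makefile is not shown here, so it should be confirmed that the distribution's hardening flags actually reach the compiler. Passing them on the command line, `%make_build CFLAGS="$CFLAGS"`, removes the doubt. `CXXFLAGS` and `FFLAGS` appear unused for what looks like a C-only library, while `LDFLAGS` is not exported even though the package carries `jbigkit-ldflags.patch`.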