diff --git a/debian/patches/CVE-2017-14804-Improve-sanity-checks-in-extractbuild.patch b/debian/patches/CVE-2017-14804-Improve-sanity-checks-in-extractbuild.patch
new file mode 100644
index 0000000000000000000000000000000000000000..fbc55eb0fa1fa851047f97c59f88b1c4c5456f3b
--- /dev/null
+++ b/debian/patches/CVE-2017-14804-Improve-sanity-checks-in-extractbuild.patch
@@ -0,0 +1,35 @@
+From: =?utf-8?b?SMOpY3RvciBPcsOzbiBNYXJ0w61uZXo=?=
+ <hector.oron@collabora.co.uk>
+Date: Thu, 1 Mar 2018 11:45:58 +0100
+Subject: CVE-2017-14804:Improve sanity checks in extractbuild
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: base64
+
+U2lnbmVkLW9mZi1ieTogSMOpY3RvciBPcsOzbiBNYXJ0w61uZXogPGhlY3Rvci5vcm9uQGNvbGxh
+Ym9yYS5jby51az4K
+---
+ extractbuild | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/extractbuild b/extractbuild
+index d2d56ad..bbc36f3 100755
+--- a/extractbuild
++++ b/extractbuild
+@@ -74,6 +74,8 @@ while (<S>) {
+   my ($filetype, $file, $filesize, $blksize, @blocks) = split(/ /);
+   die("invalid input '$_'\n") unless defined($file);
+   $file =~ s/%([a-fA-F0-9]{2})/chr(hex($1))/ge;
++  die("bad file '$file' (contains \\0)\n") if $file =~ /\0/;
++  die("already processed: $file\n") if $done{$file};
+   die("bad file '$file'\n") if "/$file/" =~ /\/\.{0,2}\//s;
+   if ($file =~ /^(.*)\//s) {
+     die("file without directory: $file\n") unless $done{$1} && $done{$1} eq 'd';
+@@ -88,6 +90,7 @@ while (<S>) {
+     my $target = $filesize;
+     die("symlink without target\n") unless defined $target;
+     $target =~ s/%([a-fA-F0-9]{2})/chr(hex($1))/ge;
++    die("bad symlink: $target (contains \\0)\n") if $target =~ /\0/;
+     die("bad symlink: $target\n") if "/$target/" =~ /\/\.?\//s;
+     if ("/$target/" =~ /^(\/\.\.)+\/(.*?)$/s) {
+       my ($head, $tail) = ($1, $2);
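Review bot: The new duplicate-entry guard `die("already processed: $file\n") if $done{$file};` tests truthiness, so it only holds if every value stored in `%done` is a true string; the assignments to `%done` are outside this hunk, and the parent check's comparison against `'d'` only suggests that type letters are stored. Because this guard is presumably what stops a later manifest entry from reusing a name that was already created, `die("already processed: $file\n") if exists $done{$file};` would make it independent of the stored value. Separately, both new NUL checks interpolate the percent-decoded name into the `die` text, so the raw NUL and any other decoded control bytes are written to stderr and into build logs; reporting the still-encoded field or escaping non-printable bytes first would keep the message unambiguous. The enclosing `while (<S>)` loop starts and ends outside the hunk.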
diff --git a/debian/patches/series b/debian/patches/series
index c50822c03a4b178dd150d0bfaed0fc7d0d30d59a..fc285f6e03b5e27568855438389b79d80c94a741 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -22,3 +22,4 @@ build-pkg-deb-support-control.tar.xz.patch
 Deb.pm-support-Build-Depends-Arch.patch
 build-recipe-dsc-don-t-rebuild-the-source-package.patch
 debootstrap-add-fallback-for-Debian-SID-distro.patch
+CVE-2017-14804-Improve-sanity-checks-in-extractbuild.patch