diff --git a/unzip-5.52-cve-2008-0888.patch b/unzip-5.52-cve-2008-0888.patch
new file mode 100644
index 0000000..6fef131
--- /dev/null
+++ b/unzip-5.52-cve-2008-0888.patch
@@ -0,0 +1,42 @@
+diff -up unzip-5.52/inflate.c.pom unzip-5.52/inflate.c
+--- unzip-5.52/inflate.c.pom 2005-02-27 07:08:46.000000000 +0100
++++ unzip-5.52/inflate.c 2008-03-19 14:47:58.000000000 +0100
+@@ -983,6 +983,7 @@ static int inflate_dynamic(__G)
+ unsigned l; /* last length */
+ unsigned m; /* mask for bit lengths table */
+ unsigned n; /* number of lengths to get */
++ struct huft *tlp;
+ struct huft *tl; /* literal/length code table */
+ struct huft *td; /* distance code table */
+ unsigned bl; /* lookup bits for tl */
+@@ -995,6 +996,7 @@ static int inflate_dynamic(__G)
+ register unsigned k; /* number of bits in bit buffer */
+ int retval = 0; /* error code returned: initialized to "no error" */
+
++ td = tlp = tl = (struct huft *)NULL;
+
+ /* make local bit buffer */
+ Trace((stderr, "\ndynamic block"));
+@@ -1047,9 +1049,9 @@ static int inflate_dynamic(__G)
+ while (i < n)
+ {
+ NEEDBITS(bl)
+- j = (td = tl + ((unsigned)b & m))->b;
++ j = (tlp = tl + ((unsigned)b & m))->b;
+ DUMPBITS(j)
+- j = td->v.n;
++ j = tlp->v.n;
+ if (j < 16) /* length of code in bits (0..15) */
+ ll[i++] = l = j; /* save last length in l */
+ else if (j == 16) /* repeat last length 3 to 6 times */
+@@ -1149,8 +1151,8 @@ static int inflate_dynamic(__G)
+
+ cleanup_and_exit:
+ /* free the decoding tables, return */
+- huft_free(tl);
+- huft_free(td);
++ if (tl) huft_free(tl);
++ if (td) huft_free(td);
+ return retval;
+ }
+
diff --git a/unzip.spec b/unzip.spec
index 916a776..8eac084 100644
--- a/unzip.spec
+++ b/unzip.spec
@@ -1,7 +1,7 @@
 Summary: A utility for unpacking zip files
 Name: unzip
 Version: 5.52
-Release: 8%{?dist}
+Release: 9%{?dist}
 License: BSD
 Group: Applications/Archiving
 Source: ftp://ftp.info-zip.org/pub/infozip/src/unzip552.tar.gz
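Review bot: The guarded frees at `cleanup_and_exit` in the inflate.c patch are safe only while `tl` and `td` are each either NULL or a table this function still owns, and nothing in the patch records that invariant. The new `struct huft *tlp;` is the only declaration in its hunk without a trailing comment; something like `struct huft *tlp; /* scratch entry pointer into tl; never freed */` would explain why `td` must no longer double as the temporary in the code-length loop. The body of inflate_dynamic between the hunks is not visible here, so it is worth confirming that any other `huft_free(tl)` or `huft_free(td)` call that can still be followed by a jump to `cleanup_and_exit` also resets its pointer, e.g. `huft_free(tl); tl = (struct huft *)NULL;`. Otherwise a stale non-NULL pointer would pass the new `if (tl)` check and be freed a second time.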
@@ -17,6 +17,7 @@ Patch11: unzip-5.52-open.patch
 Patch12: unzip-5.52-4GB3.patch
 Patch13: unzip-5.52-4GB_types.patch
 Patch14: unzip-5.52-249057.patch
+Patch15: unzip-5.52-cve-2008-0888.patch
 URL: http://www.info-zip.org/pub/infozip/UnZip.html
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -45,6 +46,7 @@ a zip archive.
 %patch12 -p1 -b .4GB3
 %patch13 -p1 -b .4BG4
 %patch14 -p1 -b .err
+%patch15 -p1 -b .cve-2008-0888
 ln -s unix/Makefile Makefile
 %build
@@ -65,6 +67,10 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/*/*
 %changelog
+* Wed Mar 19 2008 Ivana Varekova - 5.52-9
+- fix crash (double free) on malformed zip archive
+ CVE-2008-0888 (#431438)
+
 * Fri Feb 8 2008 Ivana Varekova - 5.52-8
 - fix output when out of space error appears