diff --git a/pkgs/tools/networking/dnsmasq/default.nix b/pkgs/tools/networking/dnsmasq/default.nix
index badf33074465..6205934084e8 100644
--- a/pkgs/tools/networking/dnsmasq/default.nix
+++ b/pkgs/tools/networking/dnsmasq/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, pkgconfig, dbus_libs, nettle, libidn, libnetfilter_conntrack }:
+{ stdenv, fetchurl, pkgconfig, dbus_libs, nettle, libidn, libnetfilter_conntrack, fetchpatch }:
 with stdenv.lib;
 let
@@ -18,6 +18,16 @@ stdenv.mkDerivation rec {
 sha256 = "0ar5h5v3kas2qx2wgy5iqin15gc4jhqrqs067xacgc3lii1rz549";
 };
+ patches = [
+ (fetchpatch {
+ name = "CVE-2017-15107.patch";
+ url = "http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=patch;h=4fe6744a220eddd3f1749b40cac3dfc510787de6";
+ sha256 = "0r8grhh1q46z8v6manx1vvfpf2vmchfzsg7l1djh63b1fy1mbjkk";
+ # changelog does not apply cleanly but its safe to skip
+ excludes = [ "CHANGELOG" ];
+ })
+ ];
+
 preBuild = ''
 makeFlagsArray=("COPTS=${copts}")
 '';
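Review bot: The `url` in the added `fetchpatch` call uses plain `http://` against a gitweb endpoint that generates the patch on request. The pinned `sha256` means an altered response fails the build instead of being applied, so integrity is covered; the remaining concern is depending on a cleartext fetch, and `https://` would be preferable if the host serves the same path over TLS (not verifiable from this hunk). The comment above `excludes` should also say why skipping is safe and when the patch can be dropped, e.g. `# CHANGELOG hunk does not apply to this release; it is documentation only, so the code fix is unaffected. Remove once the package is bumped to a release that contains the fix.`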