diff --git a/libvorbis/trunk/PKGBUILD b/libvorbis/trunk/PKGBUILD
index 3578bb1b451..193ac8401eb 100644
--- a/libvorbis/trunk/PKGBUILD
+++ b/libvorbis/trunk/PKGBUILD
@@ -6,15 +6,25 @@
 
 pkgname=libvorbis
 pkgver=1.3.6
-pkgrel=2
+pkgrel=3
 pkgdesc='Vorbis codec library'
 arch=('x86_64')
 url='https://www.xiph.org/vorbis/'
 license=('BSD')
 depends=('libogg')
 provides=('libvorbis.so' 'libvorbisenc.so' 'libvorbisfile.so')
-source=("https://downloads.xiph.org/releases/vorbis/libvorbis-${pkgver}.tar.gz")
-sha256sums=('6ed40e0241089a42c48604dc00e362beee00036af2d8b3f46338031c9e0351cb')
+source=("https://downloads.xiph.org/releases/vorbis/libvorbis-${pkgver}.tar.gz"
+        'CVE-2017-14160.patch::https://github.com/xiph/vorbis/commit/018ca26dece618457dd13585cad52941193c4a25.patch'
+        'CVE-2018-10392.oatch::https://github.com/xiph/vorbis/commit/112d3bd0aaacad51305e1464d4b381dabad0e88b.patch')
+sha256sums=('6ed40e0241089a42c48604dc00e362beee00036af2d8b3f46338031c9e0351cb'
+            '9b600b43a2212f1ca5170970460901e4b64f3d57226d4fd28e17c7d4faec0e76'
+            '25bce8e273a79603d99c9610f9318c868ccc82ab8eb427f6ab1ede811aede9a6')
+
+prepare() {
+  cd libvorbis-${pkgver}
+  patch -Np1 < ../CVE-2017-14160.patch
+  patch -Np1 < ../CVE-2018-10392.oatch
+}
 
 build() {
   cd libvorbis-${pkgver}