diff --git a/srcpkgs/xbps/patches/CVE-2020-7450.patch b/srcpkgs/xbps/patches/CVE-2020-7450.patch
new file mode 100644
index 00000000000..30854f22ecf
--- /dev/null
+++ b/srcpkgs/xbps/patches/CVE-2020-7450.patch
@@ -0,0 +1,36 @@
+commit cf20e53d34446bcf8d1dd6c8da9fedf4dd5447ab
+Author: Duncan Overbruck
+Date: Tue Jan 28 20:03:56 2020 +0100
+
+ lib/fetch: fix CVE-2020-7450
+
+diff --git lib/fetch/fetch.c lib/fetch/fetch.c
+index d0cce7b8..feaf768d 100644
+--- lib/fetch/fetch.c
++++ lib/fetch/fetch.c
+@@ -331,6 +331,8 @@ fetch_pctdecode(char *dst, const char *src, size_t dlen)
+ }
+ if (dlen-- > 0)
+ *dst++ = c;
++ else
++ return (NULL);
+ }
+ return (s);
+ }
+@@ -481,10 +483,14 @@ find_user:
+ if (p != NULL && *p == '@') {
+ /* username */
+ q = fetch_pctdecode(u->user, URL, URL_USERLEN);
++ if (q == NULL)
++ goto ouch;
+ /* password */
+- if (*q == ':')
++ if (*q == ':') {
+ q = fetch_pctdecode(u->pwd, q + 1, URL_PWDLEN);
+-
++ if (q == NULL)
++ goto ouch;
++ }
+ p++;
+ } else {
+ p = URL;
diff --git a/srcpkgs/xbps/template b/srcpkgs/xbps/template
index 53194baeeaa..14ed2b008db 100644
--- a/srcpkgs/xbps/template
+++ b/srcpkgs/xbps/template
@@ -1,7 +1,7 @@
 # Template file for 'xbps'
 pkgname=xbps
 version=0.57.1
-revision=8
+revision=9
 bootstrap=yes
 build_style=configure
 short_desc="XBPS package system utilities"
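Review bot: In the added CVE-2020-7450.patch, `fetch_pctdecode` gains a failure return (`else return (NULL);` in the first inner hunk) that nothing in the patch documents, and the visible loop tail still writes no terminator into `dst`, so the new check only bounds the write to `dlen` bytes. Both call sites in the second inner hunk test `q == NULL` before `*q` is read, but the function body and the `ouch` label start and end outside the hunks, so other callers, and whether `ouch` records an error for the caller, cannot be confirmed from here. I would add a comment above the function such as `/* Returns NULL if the decoded field does not fit in dlen bytes; dst is not NUL-terminated here. */`, and confirm that `u->user` and `u->pwd` are zero-initialised and at least one byte larger than `URL_USERLEN` / `URL_PWDLEN` so a maximum-length credential still ends in a terminator.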