diff --git a/Image-ExifTool-12.16-CVE-2021-22204.patch b/Image-ExifTool-12.16-CVE-2021-22204.patch
new file mode 100644
index 0000000..6a200f0
--- /dev/null
+++ b/Image-ExifTool-12.16-CVE-2021-22204.patch
@@ -0,0 +1,28 @@
+diff -up Image-ExifTool-12.16/lib/Image/ExifTool/DjVu.pm.CVE-2021-22204 Image-ExifTool-12.16/lib/Image/ExifTool/DjVu.pm
+--- Image-ExifTool-12.16/lib/Image/ExifTool/DjVu.pm.CVE-2021-22204	2021-04-26 11:06:57.868813858 -0400
++++ Image-ExifTool-12.16/lib/Image/ExifTool/DjVu.pm	2021-04-26 11:07:46.734614214 -0400
+@@ -18,7 +18,7 @@ use strict;
+ use vars qw($VERSION);
+ use Image::ExifTool qw(:DataAccess :Utils);
+ 
+-$VERSION = '1.06';
++$VERSION = '1.07';
+ 
+ sub ParseAnt($);
+ sub ProcessAnt($$$);
+@@ -227,10 +227,11 @@ Tok: for (;;) {
+                 last unless $tok =~ /(\\+)$/ and length($1) & 0x01;
+                 $tok .= '"';    # quote is part of the string
+             }
+-            # must protect unescaped "$" and "@" symbols, and "\" at end of string
+-            $tok =~ s{\\(.)|([\$\@]|\\$)}{'\\'.($2 || $1)}sge;
+-            # convert C escape sequences (allowed in quoted text)
+-            $tok = eval qq{"$tok"};
++            # convert C escape sequences, allowed in quoted text
++            # (note: this only converts a few of them!)
++            my %esc = ( a => "\a", b => "\b", f => "\f", n => "\n",
++                        r => "\r", t => "\t", '"' => '"', '\\' => '\\' );
++            $tok =~ s/\\(.)/$esc{$1}||'\\'.$1/egs;
+         } else {                # key name
+             pos($$dataPt) = pos($$dataPt) - 1;
+             # allow anything in key but whitespace, braces and double quotes
diff --git a/perl-Image-ExifTool.spec b/perl-Image-ExifTool.spec
index a9c5190..4cedda1 100644
--- a/perl-Image-ExifTool.spec
+++ b/perl-Image-ExifTool.spec
@@ -1,10 +1,12 @@
 Name:		perl-Image-ExifTool
 Version:	12.16
-Release:	2%{?dist}
+Release:	3%{?dist}
 License:	GPL+ or Artistic
 Summary:	Utility for reading and writing image meta info
 URL:		http://www.sno.phy.queensu.ca/%7Ephil/exiftool/
 Source0:	http://www.sno.phy.queensu.ca/%7Ephil/exiftool/Image-ExifTool-%{version}.tar.gz
+# https://github.com/exiftool/exiftool/commit/cf0f4e7dcd024ca99615bfd1102a841a25dde031#diff-fa0d652d10dbcd246e6b1df16c1e992931d3bb717a7e36157596b76bdadb3800
+Patch0:		Image-ExifTool-12.16-CVE-2021-22204.patch
 BuildArch:	noarch
 BuildRequires:	coreutils
 BuildRequires:	findutils
@@ -54,6 +56,7 @@ Sigma/Foveon, and Sony.
 
 %prep
 %setup -q -n Image-ExifTool-%{version}
+%patch0 -p1
 
 %build
 %{__perl} Makefile.PL INSTALLDIRS=vendor
@@ -81,6 +84,9 @@ make test
 %{_mandir}/man3/*.3*
 
 %changelog
+* Mon Apr 26 2021 Tom Callaway <spot@fedoraproject.org> - 12.16-3
+- apply upstream fix for CVE-2021-22204
+
 * Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 12.16-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild