diff --git a/audio/libid3tag/libid3tag-0.15.1b-CVE-2008-2109.patch b/audio/libid3tag/libid3tag-0.15.1b-CVE-2008-2109.patch
new file mode 100644
index 000000000..584641145
--- /dev/null
+++ b/audio/libid3tag/libid3tag-0.15.1b-CVE-2008-2109.patch
@@ -0,0 +1,33 @@
+# --- SDE-COPYRIGHT-NOTE-BEGIN ---
+# This copyright note is auto-generated by ./scripts/Create-CopyPatch.
+#
+# Filename: package/.../libid3tag/libid3tag-0.15.1b-CVE-2008-2109.patch
+# Copyright (C) 2011 The OpenSDE Project
+#
+# More information can be found in the files COPYING and README.
+#
+# This patch file is dual-licensed. It is available under the license the
+# patched project is licensed under, as long as it is an OpenSource license
+# as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms
+# of the GNU General Public License as published by the Free Software
+# Foundation; either version 2 of the License, or (at your option) any later
+# version.
+# --- SDE-COPYRIGHT-NOTE-END ---
+
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2109
+
+field.c in the libid3tag 0.15.0b library allows context-dependent attackers to
+cause a denial of service (CPU consumption) via an ID3_FIELD_TYPE_STRINGLIST
+field that ends in '\0', which triggers an infinite loop.
+
+--- libid3tag-0.15.1b/field.c.orig	2011-06-02 22:29:39.028006695 +0200
++++ libid3tag-0.15.1b/field.c	2011-06-02 22:30:35.064005391 +0200
+@@ -291,7 +291,7 @@
+ 
+       end = *ptr + length;
+ 
+-      while (end - *ptr > 0) {
++      while (end - *ptr > 0 && **ptr != '\0') {
+ 	ucs4 = id3_parse_string(ptr, end - *ptr, *encoding, 0);
+ 	if (ucs4 == 0)
+ 	  goto fail;