diff --git a/pkgs/development/tools/jq/default.nix b/pkgs/development/tools/jq/default.nix index c509af87124..2951cbe9aa9 100644 --- a/pkgs/development/tools/jq/default.nix +++ b/pkgs/development/tools/jq/default.nix @@ -1,33 +1,39 @@ -{stdenv, fetchurl, oniguruma}: -let - s = # Generated upstream information - rec { - baseName="jq"; - version="1.5"; - name="${baseName}-${version}"; +{ stdenv, lib, fetchurl, fetchpatch, oniguruma }: + +stdenv.mkDerivation rec { + name = "jq-${version}"; + version="1.5"; + + src = fetchurl { url="https://github.com/stedolan/jq/releases/download/jq-1.5/jq-1.5.tar.gz"; sha256="0g29kyz4ykasdcrb0zmbrp2jqs9kv1wz9swx849i2d1ncknbzln4"; }; - buildInputs = [ - oniguruma + + buildInputs = [ oniguruma ]; + + patches = [ + (fetchpatch { + name = "CVE-2015-8863.patch"; + url = https://github.com/stedolan/jq/commit/8eb1367ca44e772963e704a700ef72ae2e12babd.diff; + sha256 = "18bjanzvklfzlzzd690y88725l7iwl4f6wnr429na5pfmircbpvh"; + }) + (fetchpatch { + name = "CVE-2016-4074.patch"; + url = https://patch-diff.githubusercontent.com/raw/stedolan/jq/pull/1214.diff; + sha256 = "1w8bapnyp56di6p9casbfczfn8258rw0z16grydavdjddfm280l9"; + }) ]; -in -stdenv.mkDerivation { - inherit (s) name version; - inherit buildInputs; - src = fetchurl { - inherit (s) url sha256; - }; + patchFlags = [ "-p2" ]; # `src` subdir was introduced after v1.5 was released # jq is linked to libjq: configureFlags = [ "LDFLAGS=-Wl,-rpath,\\\${libdir}" ]; + meta = { - inherit (s) version; description = ''A lightweight and flexible command-line JSON processor''; - license = stdenv.lib.licenses.mit ; - maintainers = [stdenv.lib.maintainers.raskin]; - platforms = stdenv.lib.platforms.linux ++ stdenv.lib.platforms.darwin; + license = lib.licenses.mit; + maintainers = with lib.maintainers; [ raskin ]; + platforms = with lib.platforms; linux ++ darwin; }; }
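Review bot: The `CVE-2016-4074.patch` entry fetches a pull-request diff (`.../stedolan/jq/pull/1214.diff`), which is not an immutable reference: any later push to that PR changes what the URL serves, unlike the commit-pinned URL used for `CVE-2015-8863.patch`. The `sha256` prevents changed content from being accepted silently, but the fetch would then fail, and the expression no longer records exactly which change was reviewed. I would pin it to the commit that carries the fix, e.g. `url = "https://github.com/stedolan/jq/commit/<commit-sha-of-the-fix>.diff";` (the hash is a placeholder, to be taken from the PR), and quote both URLs as strings while touching them. A one-line comment above `patches` saying that both entries and `patchFlags` should be dropped on the first upgrade past 1.5 would keep the `-p2` workaround from outliving its reason.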