diff --git a/main/pkgconf/APKBUILD b/main/pkgconf/APKBUILD
index b4d9ae55e06..6f5bb800739 100644
--- a/main/pkgconf/APKBUILD
+++ b/main/pkgconf/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Ariadne Conill
 pkgname=pkgconf
 pkgver=1.7.4
-pkgrel=0
+pkgrel=1
 pkgdesc="development framework configuration tools"
 url="https://git.sr.ht/~kaniini/pkgconf"
 arch="all"
@@ -9,9 +9,14 @@ license="ISC"
 replaces="pkgconfig"
 provides="pkgconfig=1"
 subpackages="$pkgname-doc $pkgname-dev"
-source="https://distfiles.dereferenced.org/pkgconf/pkgconf-$pkgver.tar.xz"
+source="https://distfiles.dereferenced.org/pkgconf/pkgconf-$pkgver.tar.xz
+ CVE-2023-24056.patch"
 checkdepends="kyua atf"
+# secfixes:
+# 1.7.4-r1:
+# - CVE-2023-24056
+
 prepare() {
 default_prepare
 update_config_sub
@@ -50,4 +55,7 @@ dev() {
 mv "$subpkgdir"/usr/share/aclocal/pkg.m4 "$pkgdir"/usr/share/aclocal/
 }
-sha512sums="92c080684898b42824a1f1a7e3ce8a600896fc9c20fcf263f032b856fa4c7139607f87ba44d18ed358b8c5f4f04477708800d20a4e10f96e4268a55682f7f0c1 pkgconf-1.7.4.tar.xz"
+sha512sums="
+92c080684898b42824a1f1a7e3ce8a600896fc9c20fcf263f032b856fa4c7139607f87ba44d18ed358b8c5f4f04477708800d20a4e10f96e4268a55682f7f0c1 pkgconf-1.7.4.tar.xz
+fad38c14b0e91ccc4c82e1a1f688262e81f7cc63cf9372dd603d6bdacdd5288a2452aa19a2e0ac2a0f2ba4ab0262814d3ed5ef864f26ab1961ae9a01e80a98bc CVE-2023-24056.patch
+"
diff --git a/main/pkgconf/CVE-2023-24056.patch b/main/pkgconf/CVE-2023-24056.patch
new file mode 100644
index 00000000000..a8e48f57c52
--- /dev/null
+++ b/main/pkgconf/CVE-2023-24056.patch
@@ -0,0 +1,70 @@
+From 81cc9b3e6dafcdd02579bcccec6ac47d91e5d023 Mon Sep 17 00:00:00 2001
+From: Ariadne Conill
+Date: Fri, 20 Jan 2023 22:07:03 +0000
+Subject: [PATCH] tuple: test for, and stop string processing, on truncation
+
+otherwise a buffer overflow occurs.
+this has been a bug in pkgconf since the beginning, it seems.
+instead of disclosing the bug correctly, a "hotshot" developer
+decided to blog about it instead. sigh.
+
+https://nullprogram.com/blog/2023/01/18/
+---
+ libpkgconf/tuple.c | 30 +++++++++++++++++++++++++-----
+ 1 file changed, 25 insertions(+), 5 deletions(-)
+
+diff --git a/libpkgconf/tuple.c b/libpkgconf/tuple.c
+index 2d550d8..707fdf8 100644
+--- a/libpkgconf/tuple.c
++++ b/libpkgconf/tuple.c
+@@ -293,12 +293,23 @@ pkgconf_tuple_parse(const pkgconf_client_t *client, pkgconf_list_t *vars, const
+ }
+ }
+ 
++ PKGCONF_TRACE(client, "lookup tuple %s", varname);
++
++ size_t remain = PKGCONF_BUFSIZE - (bptr - buf);
+ ptr += (pptr - ptr);
+ kv = pkgconf_tuple_find_global(client, varname);
+ if (kv != NULL)
+ {
+- strncpy(bptr, kv, PKGCONF_BUFSIZE - (bptr - buf));
+- bptr += strlen(kv);
++ size_t nlen = pkgconf_strlcpy(bptr, kv, remain);
++ if (nlen > remain)
++ {
++ pkgconf_warn(client, "warning: truncating very long variable to 64KB\n");
++
++ bptr = buf + (PKGCONF_BUFSIZE - 1);
++ break;
++ }
++
++ bptr += nlen;
+ }
+ else
+ {
+@@ -306,12 +317,21 @@ pkgconf_tuple_parse(const pkgconf_client_t *client, pkgconf_list_t *vars, const
+ 
+ if (kv != NULL)
+ {
++ size_t nlen;
++
+ parsekv = pkgconf_tuple_parse(client, vars, kv);
++ nlen = pkgconf_strlcpy(bptr, parsekv, remain);
++ free(parsekv);
+ 
+- strncpy(bptr, parsekv, PKGCONF_BUFSIZE - (bptr - buf));
+- bptr += strlen(parsekv);
++ if (nlen > remain)
++ {
++ pkgconf_warn(client, "warning: truncating very long variable to 64KB\n");
+ 
+- free(parsekv);
++ bptr = buf + (PKGCONF_BUFSIZE - 1);
++ break;
++ }
++
++ bptr += nlen;
+ }
+ }
+ }
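Review bot: The truncation test `if (nlen > remain)` added in both hunks of tuple.c looks off by one, assuming pkgconf_strlcpy follows the strlcpy contract (it returns strlen(src), and the copy is truncated whenever that value is >= the size passed). When nlen == remain only remain-1 bytes plus the NUL fit, yet `bptr += nlen` then moves bptr to buf + PKGCONF_BUFSIZE, one past the last byte the code itself treats as usable (`bptr = buf + (PKGCONF_BUFSIZE - 1)`), so the next write through bptr — the next literal character copied by the loop, or the final terminator — lands outside the buffer. Change both tests to `if (nlen >= remain)`. The enclosing pkgconf_tuple_parse loop starts and ends outside the hunk, so I cannot confirm from here how bptr is used after the loop exits; as a minor style point, the warning text "64KB" hard-codes a limit that should be expressed in terms of PKGCONF_BUFSIZE.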