diff --git a/security/libgpg-error/Makefile b/security/libgpg-error/Makefile
index 7ad4b7df6950..078f15c45470 100644
--- a/security/libgpg-error/Makefile
+++ b/security/libgpg-error/Makefile
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.43 2014/10/20 10:13:16 wiz Exp $
+# $NetBSD: Makefile,v 1.44 2014/10/29 12:28:50 he Exp $
 
 DISTNAME=	libgpg-error-1.17
+PKGREVISION=	1
 CATEGORIES=	security
 MASTER_SITES=	ftp://ftp.gnupg.org/gcrypt/libgpg-error/ \
 		ftp://ftp.ring.gr.jp/pub/net/gnupg/libgpg-error/ \
@@ -32,7 +33,7 @@ CONFIGURE_ENV+=		CC_FOR_BUILD=${CC:Q}\ ${CFLAGS:M*:Q}
 
 # XXX See HACKS
 .if ${OPSYS} == "IRIX" || !empty(MACHINE_PLATFORM:MNetBSD-[3-9]*)
-USE_TOOLS+=		nawk
+USE_TOOLS+=		awk
 .else
 USE_TOOLS+=		gawk
 .endif
diff --git a/security/libgpg-error/distinfo b/security/libgpg-error/distinfo
index 33d3cfa31a43..0faeea8c290c 100644
--- a/security/libgpg-error/distinfo
+++ b/security/libgpg-error/distinfo
@@ -1,6 +1,7 @@
-$NetBSD: distinfo,v 1.20 2014/10/20 10:13:16 wiz Exp $
+$NetBSD: distinfo,v 1.21 2014/10/29 12:28:50 he Exp $
 
 SHA1 (libgpg-error-1.17.tar.bz2) = ba5858b2947e7272dd197c87bac9f32caf29b256
 RMD160 (libgpg-error-1.17.tar.bz2) = 3a86ef8773527b2e235e007981eda3472719e6b3
 Size (libgpg-error-1.17.tar.bz2) = 669914 bytes
+SHA1 (patch-src_estream.c) = e3086b363ef14f1b24cac7334c8ecbf8e94ddd3b
 SHA1 (patch-src_gpg-error-config.in) = e22e99208192971f8c123d7ee9b22c5f615669e1
diff --git a/security/libgpg-error/patches/patch-src_estream.c b/security/libgpg-error/patches/patch-src_estream.c
new file mode 100644
index 000000000000..cf2473a5a4dd
--- /dev/null
+++ b/security/libgpg-error/patches/patch-src_estream.c
@@ -0,0 +1,34 @@
+$NetBSD: patch-src_estream.c,v 1.1 2014/10/29 12:28:50 he Exp $
+
+Don't use atexit(), since this library mey be dlopen()ed
+and dlclose()d before exit() is called.
+
+Instead mark the do_deinit() function as a destructor.
+
+--- src/estream.c.orig	2014-09-11 09:38:21.000000000 +0000
++++ src/estream.c
+@@ -471,6 +471,7 @@ do_list_remove (estream_t stream, int wi
+ 
+ 
+ 
++__attribute__((destructor,used))
+ static void
+ do_deinit (void)
+ {
+@@ -503,7 +504,16 @@ _gpgrt_es_init (void)
+   if (!initialized)
+     {
+       initialized = 1;
++#if 0
++      /* This library may be unloaded via dlclose() before
++       * exit() is called, causing the atexit handler to try
++       * to jump into unmapped address space, causing a segfault.
++       * This has been observed with apache and php.  Instead, use
++       * the destructor attribute, since that will cause it
++       * to be called on dlclose() as well.
++       */
+       atexit (do_deinit);
++#endif
+     }
+   return 0;
+ }