diff --git a/CVE-2024-28219.patch b/CVE-2024-28219.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b8333c41d0f067109a3d0451012120cd92af0aca
--- /dev/null
+++ b/CVE-2024-28219.patch
@@ -0,0 +1,24 @@
+diff --git a/src/_imagingcms.c b/src/_imagingcms.c
+--- a/src/_imagingcms.c
++++ b/src/_imagingcms.c
+@@ -212,8 +212,8 @@ cms_transform_new(cmsHTRANSFORM transform, char* mode_in, char* mode_out)
+ 
+     self->transform = transform;
+ 
+-    strcpy(self->mode_in, mode_in);
+-    strcpy(self->mode_out, mode_out);
++    strncpy(self->mode_in, mode_in, 8);
++    strncpy(self->mode_out, mode_out, 8);
+ 
+     return (PyObject*) self;
+ }
+@@ -286,8 +286,8 @@ findLCMStype(char* PILmode)
+     }
+ 
+     else {
+-        /* take a wild guess... but you probably should fail instead. */
+-        return TYPE_GRAY_8; /* so there's no buffer overrun... */
++        /* take a wild guess... */
++        return TYPE_GRAY_8;
+     }
+ }
diff --git a/python-pillow.spec b/python-pillow.spec
index 695b0ef284a2300318ba37fb375324914d51e6c0..f25afe4156afc40ce767d5f01351f8c7e1c2ede9 100644
--- a/python-pillow.spec
+++ b/python-pillow.spec
@@ -8,7 +8,7 @@
 
 Name:           python-%{srcname}
 Version:        5.1.1
-Release:        20%{?dist}
+Release:        21%{?dist}
 Summary:        Python image processing library
 
 # License: see http://www.pythonware.com/products/pil/license.htm
@@ -119,6 +119,9 @@ Patch21:	CVE-2023-50447.patch
 #https://github.com/python-pillow/Pillow/commit/1fe1bb49c452b0318cad12ea9d97c3bef188e9a7
 Patch22:        CVE-2023-44271.patch
 
+# https://github.com/python-pillow/Pillow/pull/7928/files
+Patch23:        CVE-2024-28219.patch
+
 BuildRequires:  freetype-devel
 BuildRequires:  gcc
 BuildRequires:  ghostscript
@@ -262,6 +265,9 @@ popd
 
 
 %changelog
+* Tue Jul 09 2024 songmingliang <songmingliang@uniontech.com> - 5.1.1-21
+- Fix CVE-2024-28219
+
 * Fri Jun 07 2024 Kai Song <songkai01@inspur.com> - -5.1.1-20
 - Fix CVE-2023-44271