diff --git a/CVE-2024-28085.patch b/CVE-2024-28085.patch
new file mode 100644
index 0000000000000000000000000000000000000000..989317eb15f1e76b56520426dceebc4a94ea6504
--- /dev/null
+++ b/CVE-2024-28085.patch
@@ -0,0 +1,193 @@
+From 2b8157a75c95c6931b16e7e8156b298be026fd62 Mon Sep 17 00:00:00 2001
+From: pangqing <pangqing@uniontech.com>
+Date: Mon, 2 Sep 2024 15:43:45 +0800
+Subject: [PATCH] CVE-2024-28085
+
+---
+ term-utils/wall.1 | 13 ++++---
+ term-utils/wall.c | 90 ++++++++++++++++++++++++++++++-----------------
+ 2 files changed, 65 insertions(+), 38 deletions(-)
+
+diff --git a/term-utils/wall.1 b/term-utils/wall.1
+index 88e816c..cd196d8 100644
+--- a/term-utils/wall.1
++++ b/term-utils/wall.1
+@@ -33,15 +33,17 @@
+ .\"
+ .\" Modified for Linux, Mon Mar  8 18:07:38 1993, faith@cs.unc.edu
+ .\"
+-.TH WALL "1" "September 2011" "util-linux" "User Commands"
++.TH WALL "1" "August 2013" "util-linux" "User Commands"
+ .SH NAME
+ wall \- write a message to users
+ .SH SYNOPSIS
+ .B wall
+-[-n] [-t TIMEOUT] [file]
++[-n] [-t TIMEOUT] [file | message]
+ .SH DESCRIPTION
+ .B Wall
+-displays the contents of
++displays a
++.I message
++or contents of
+ .I file
+ or, by default, its standard input, on the terminals of all currently logged
+ in users.  The command will cut over 79 character long lines to new lines.
+@@ -51,8 +53,9 @@ always put carriage return and new line at the end of each line.
+ Only the super-user can write on the terminals of users who have chosen to
+ deny messages or are using a program which automatically denies messages.
+ .PP
+-Reading from a file is refused when the invoker is not superuser and the
+-program is suid or sgid.
++Reading from a
++.I file
++is refused when the invoker is not superuser and the program is suid or sgid.
+ .SH OPTIONS
+ .TP
+ \fB\-n\fR, \fB\-\-nobanner\fR
+diff --git a/term-utils/wall.c b/term-utils/wall.c
+index 4865ac7..d1db980 100644
+--- a/term-utils/wall.c
++++ b/term-utils/wall.c
+@@ -73,14 +73,15 @@
+ #define WRITE_TIME_OUT	300		/* in seconds */
+ 
+ /* Function prototypes */
+-char *makemsg(char *fname, size_t *mbufsize, int print_banner);
+-static void usage(FILE *out);
++static char *makemsg(char *fname, char **mvec, int mvecsz,
++		    size_t *mbufsize, int print_banner);
+ 
+ static void __attribute__((__noreturn__)) usage(FILE *out)
+ {
+ 	fputs(_("\nUsage:\n"), out);
+ 	fprintf(out,
+-		_(" %s [options] [<file>]\n"),program_invocation_short_name);
++		_(" %s [options] [<file> | <message>]\n"),
++		program_invocation_short_name);
+ 
+ 	fputs(_("\nOptions:\n"), out);
+ 	fputs(_(" -n, --nobanner          do not print banner, works only for root\n"
+@@ -99,10 +100,11 @@ main(int argc, char **argv) {
+ 	char *p;
+ 	char line[sizeof(utmpptr->ut_line) + 1];
+ 	int print_banner = TRUE;
+-	char *mbuf;
++	char *mbuf, *fname = NULL;
+ 	size_t mbufsize;
+ 	unsigned timeout = WRITE_TIME_OUT;
+-
++	char **mvec = NULL;
++	int mvecsz = 0;
+ 	static const struct option longopts[] = {
+ 		{ "nobanner",	no_argument,		0, 'n' },
+ 		{ "timeout",	required_argument,	0, 't' },
+@@ -141,10 +143,14 @@ main(int argc, char **argv) {
+ 	}
+ 	argc -= optind;
+ 	argv += optind;
+-	if (argc > 1)
+-		usage(stderr);
++	if (argc == 1 && access(argv[0], F_OK) == 0)
++		fname = argv[0];
++	else if (argc >= 1) {
++		mvec = argv;
++		mvecsz = argc;
++	}
+ 
+-	mbuf = makemsg(*argv, &mbufsize, print_banner);
++	mbuf = makemsg(fname, mvec, mvecsz, &mbufsize, print_banner);
+ 
+ 	iov.iov_base = mbuf;
+ 	iov.iov_len = mbufsize;
+@@ -173,8 +179,7 @@ main(int argc, char **argv) {
+ 	exit(EXIT_SUCCESS);
+ }
+ 
+-char *
+-makemsg(char *fname, size_t *mbufsize, int print_banner)
++static char *makemsg(char *fname, char **mvec, int mvecsz, size_t *mbufsize, int print_banner)
+ {
+ 	register int ch, cnt;
+ 	struct tm *lt;
+@@ -228,35 +233,54 @@ makemsg(char *fname, size_t *mbufsize, int print_banner)
+ 		fprintf(fp, "%-79.79s\r\n", lbuf);
+ 	}
+ 	fprintf(fp, "%79s\r\n", " ");
++	 if (mvec) {
++		/*
++		 * Read message from argv[]
++		 */
++		int i;
+ 
++		for (i = 0; i < mvecsz; i++) {
++			fputs_careful(mvec[i], fs, '^', true, TERM_WIDTH);
++			if (i < mvecsz - 1)
++				fputc(' ', fp);
++		}
++		fputc('\r', fp);
++		fputc('\n', fp);
+ 
+-	if (fname) {
++	} else {
+ 		/*
+-		 * When we are not root, but suid or sgid, refuse to read files
+-		 * (e.g. device files) that the user may not have access to.
+-		 * After all, our invoker can easily do "wall < file"
+-		 * instead of "wall file".
++		 * read message from <file>
+ 		 */
+-		uid_t uid = getuid();
+-		if (uid && (uid != geteuid() || getgid() != getegid()))
+-			errx(EXIT_FAILURE, _("will not read %s - use stdin."),
+-			     fname);
++		if (fname) {
++			/*
++			 * When we are not root, but suid or sgid, refuse to read files
++			 * (e.g. device files) that the user may not have access to.
++			 * After all, our invoker can easily do "wall < file"
++			 * instead of "wall file".
++			 */
++			uid_t uid = getuid();
++			if (uid && (uid != geteuid() || getgid() != getegid()))
++				errx(EXIT_FAILURE, _("will not read %s - use stdin."),
++				     fname);
++			if (!freopen(fname, "r", stdin))
++				err(EXIT_FAILURE, _("cannot open %s"), fname);
+ 
+-		if (!freopen(fname, "r", stdin))
+-			err(EXIT_FAILURE, _("cannot open %s"), fname);
+-	}
+-
+-	while (fgets(lbuf, line_max, stdin)) {
+-		for (cnt = 0, p = lbuf; (ch = *p) != '\0'; ++p, ++cnt) {
+-			if (cnt == 79 || ch == '\n') {
+-				for (; cnt < 79; ++cnt)
+-					putc(' ', fp);
+-				putc('\r', fp);
+-				putc('\n', fp);
+-				cnt = 0;
++		}
++		/*
++		 * Read message from stdin.
++		 */
++		while (fgets(lbuf, line_max, stdin)) {
++			for (cnt = 0, p = lbuf; (ch = *p) != '\0'; ++p, ++cnt) {
++				if (cnt == 79 || ch == '\n') {
++					for (; cnt < 79; ++cnt)
++						putc(' ', fp);
++					putc('\r', fp);
++					putc('\n', fp);
++					cnt = 0;
++				}
++				if (ch != '\n')
++					carefulputc(ch, fp);
+ 			}
+-			if (ch != '\n')
+-				carefulputc(ch, fp);
+ 		}
+ 	}
+ 	fprintf(fp, "%79s\r\n", " ");
+-- 
+2.39.3
+
diff --git a/util-linux.spec b/util-linux.spec
index 9162308fdd4d9fd5b4f79f7221ebc30ee51b897a..d157183722cbda176b47d9e523974541eef5c23d 100644
--- a/util-linux.spec
+++ b/util-linux.spec
@@ -1,8 +1,9 @@
 ### Header
+%define anolis_release .0.1
 Summary: A collection of basic system utilities
 Name: util-linux
 Version: 2.23.2
-Release: 66%{?dist}
+Release: 66%{anolis_release}%{?dist}
 License: GPLv2 and GPLv2+ and LGPLv2+ and BSD with advertising and Public Domain
 Group: System Environment/Base
 URL: http://en.wikipedia.org/wiki/Util-linux
@@ -499,6 +500,7 @@ Patch201: 0201-chrt-use-SCHED_FLAG_RESET_ON_FORK-for-sched_setattr.patch
 # Anolis
 Patch202: 0202-libmount-add-support-for-MS_LAZYTIME.patch
 Patch203: 0203-mount-fix-lazytime-docs.patch
+Patch204: CVE-2024-28085.patch
 
 %description
 The util-linux package contains a large variety of low-level system
@@ -1279,6 +1281,9 @@ fi
 %{_libdir}/pkgconfig/uuid.pc
 
 %changelog
+* Mon Sep 02 2024 pangqing <pangqing@uniontech.com> 2.23.2-66.0.1
+- fix CVE-2024-28085
+
 * Wed Jun 07 2023 Ferry Meng <mengferry@linux.alibaba.com> 2.23.2-66
 - Add lazytime/nolazytime vfs mount option recognization