diff --git a/backport-CVE-2021-42374.patch b/backport-CVE-2021-42374.patch
new file mode 100644
index 0000000000000000000000000000000000000000..290d8ba940a0927f2846c35ca1449ca1eee8247a
--- /dev/null
+++ b/backport-CVE-2021-42374.patch
@@ -0,0 +1,90 @@
+From 6dc145a1656fcd50796f5608b88749b6a6a0ebc9 Mon Sep 17 00:00:00 2001
+From: xiechengliang
+Date: Sat, 20 Nov 2021 09:50:28 +0800
+Subject: [PATCH 1/2] unlzma: fix a case where we could read before beginning
+ of buffer
+
+Testcase:
+
+ 21 01 01 00 00 00 00 00 e7 01 01 01 ef 00 df b6
+ 00 17 02 10 11 0f ff 00 16 00 00
+
+Unfortunately, the bug is not reliably causing a segfault,
+the behavior depends on what's in memory before the buffer.
+
+function old new delta
+unpack_lzma_stream 2762 2768 +6
+
+backport from upstream:
+https://git.busybox.net/busybox/commit/?id=04f052c56ded5ab6a904e3a264a73dc0412b2e78
+
+Signed-off-by: Denys Vlasenko
+---
+ archival/libarchive/decompress_unlzma.c | 5 ++++-
+ testsuite/unlzma.tests | 17 +++++++++++++----
+ testsuite/unlzma_issue_3.lzma | Bin 0 -> 27 bytes
+ 3 files changed, 17 insertions(+), 5 deletions(-)
+ create mode 100644 testsuite/unlzma_issue_3.lzma
+
+diff --git a/archival/libarchive/decompress_unlzma.c b/archival/libarchive/decompress_unlzma.c
+index 668b01618..57a5c4a37 100644
+--- a/archival/libarchive/decompress_unlzma.c
++++ b/archival/libarchive/decompress_unlzma.c
+@@ -290,8 +290,11 @@ unpack_lzma_stream(transformer_state_t *xstate)
+ uint32_t pos;
+
+ pos = buffer_pos - rep0;
+- if ((int32_t)pos < 0)
++ if ((int32_t)pos < 0) {
+ pos += header.dict_size;
++ if ((int32_t)pos < 0)
++ goto bad;
++ }
+ match_byte = buffer[pos];
+ do {
+ int bit;
+diff --git a/testsuite/unlzma.tests b/testsuite/unlzma.tests
+index 0e98afe09..fcc6e9441 100755
+--- a/testsuite/unlzma.tests
++++ b/testsuite/unlzma.tests
+@@ -8,14 +8,23 @@
+
+ # Damaged encrypted streams
+ testing "unlzma (bad archive 1)" \
+- "unlzma /dev/null; echo \$?" \
+-"1
++ "unlzma &1 >/dev/null; echo \$?" \
++"unlzma: corrupted data
++1
+ " "" ""
+
+ # Damaged encrypted streams
+ testing "unlzma (bad archive 2)" \
+- "unlzma /dev/null; echo \$?" \
+-"1
++ "unlzma &1 >/dev/null; echo \$?" \
++"unlzma: corrupted data
++1
++" "" ""
++
++# Damaged encrypted streams
++testing "unlzma (bad archive 3)" \
++ "unlzma &1 >/dev/null; echo \$?" \
++"unlzma: corrupted data
++1
+ " "" ""
+
+ exit $FAILCOUNT
+diff --git a/testsuite/unlzma_issue_3.lzma b/testsuite/unlzma_issue_3.lzma
+new file mode 100644
+index 0000000000000000000000000000000000000000..cc60f29e413dd8686f957b0f8ee657a7409fbe28
+GIT binary patch
+literal 27
+gcmY#nWMlw==ZuVu?-}lIV-RN&5aj>QAjZG|06v2R@Bjb+
+
+literal 0
+HcmV?d00001
+
+--
+2.27.0
+
diff --git a/backport-CVE-2021-42376.patch b/backport-CVE-2021-42376.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7ff4ad8540ccc3c8b9554f76adf92441129048ec
--- /dev/null
+++ b/backport-CVE-2021-42376.patch
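Review bot: The guard added to `unpack_lzma_stream` (the decompress_unlzma.c hunk carried in backport-CVE-2021-42374.patch) only rejects a `pos` that is still negative after `pos += header.dict_size`; a `buffer_pos - rep0` that wraps to a non-negative value never enters that branch and reaches `match_byte = buffer[pos]` unchecked. Whether a corrupted stream can make `rep0` that large is decided outside the hunk, so this is inferred rather than shown. Assuming `buffer` holds `header.dict_size` bytes, an explicit upper bound after the block, `if (pos >= header.dict_size) goto bad;`, would cover reads past the end as well as before the start. The function starts and ends outside the hunk, so any other `buffer_pos - rep0` computation in it deserves the same look.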
@@ -0,0 +1,134 @@
+From 32eeace23c100a733e2b7fa980683b9939892b55 Mon Sep 17 00:00:00 2001
+From: xiechengliang
+Date: Sat, 20 Nov 2021 10:07:35 +0800
+Subject: [PATCH 2/2] hush: fix handling of \^C and "^C"
+
+function old new delta
+parse_stream 2238 2252 +14
+encode_string 243 256 +13
+------------------------------------------------------------------------------
+(add/remove: 0/0 grow/shrink: 2/0 up/down: 27/0) Total: 27 bytes
+
+backport from upstream:
+https://git.busybox.net/busybox/commit/?id=1b7a9b68d0e9aa19147d7fda16eb9a6b54156985
+
+Signed-off-by: Denys Vlasenko
+---
+ shell/ash_test/ash-misc/control_char3.right | 1 +
+ shell/ash_test/ash-misc/control_char3.tests | 2 ++
+ shell/ash_test/ash-misc/control_char4.right | 1 +
+ shell/ash_test/ash-misc/control_char4.tests | 2 ++
+ shell/hush.c | 11 +++++++++++
+ shell/hush_test/hush-misc/control_char3.right | 1 +
+ shell/hush_test/hush-misc/control_char3.tests | 2 ++
+ shell/hush_test/hush-misc/control_char4.right | 1 +
+ shell/hush_test/hush-misc/control_char4.tests | 2 ++
+ 9 files changed, 23 insertions(+)
+ create mode 100644 shell/ash_test/ash-misc/control_char3.right
+ create mode 100755 shell/ash_test/ash-misc/control_char3.tests
+ create mode 100644 shell/ash_test/ash-misc/control_char4.right
+ create mode 100755 shell/ash_test/ash-misc/control_char4.tests
+ create mode 100644 shell/hush_test/hush-misc/control_char3.right
+ create mode 100755 shell/hush_test/hush-misc/control_char3.tests
+ create mode 100644 shell/hush_test/hush-misc/control_char4.right
+ create mode 100755 shell/hush_test/hush-misc/control_char4.tests
+
+diff --git a/shell/ash_test/ash-misc/control_char3.right b/shell/ash_test/ash-misc/control_char3.right
+new file mode 100644
+index 000000000..283e02cbb
+--- /dev/null
++++ b/shell/ash_test/ash-misc/control_char3.right
+@@ -0,0 +1 @@
++SHELL: line 1: : not found
+diff --git a/shell/ash_test/ash-misc/control_char3.tests b/shell/ash_test/ash-misc/control_char3.tests
+new file mode 100755
+index 000000000..4359db3f3
+--- /dev/null
++++ b/shell/ash_test/ash-misc/control_char3.tests
+@@ -0,0 +1,2 @@
++# (set argv0 to "SHELL" to avoid "/path/to/shell: blah" in error messages)
++$THIS_SH -c '\' SHELL
+diff --git a/shell/ash_test/ash-misc/control_char4.right b/shell/ash_test/ash-misc/control_char4.right
+new file mode 100644
+index 000000000..2bf18e684
+--- /dev/null
++++ b/shell/ash_test/ash-misc/control_char4.right
+@@ -0,0 +1 @@
++SHELL: line 1: -: not found
+diff --git a/shell/ash_test/ash-misc/control_char4.tests b/shell/ash_test/ash-misc/control_char4.tests
+new file mode 100755
+index 000000000..48010f154
+--- /dev/null
++++ b/shell/ash_test/ash-misc/control_char4.tests
+@@ -0,0 +1,2 @@
++# (set argv0 to "SHELL" to avoid "/path/to/shell: blah" in error messages)
++$THIS_SH -c '"-"' SHELL
+diff --git a/shell/hush.c b/shell/hush.c
+index 8d9ab244e..f1ceb80bb 100644
+--- a/shell/hush.c
++++ b/shell/hush.c
+@@ -5167,6 +5167,11 @@ static int encode_string(o_string *as_string,
+ }
+ #endif
+ o_addQchr(dest, ch);
++ if (ch == SPECIAL_VAR_SYMBOL) {
++ /* Convert "^C" to corresponding special variable reference */
++ o_addchr(dest, SPECIAL_VAR_QUOTED_SVS);
++ o_addchr(dest, SPECIAL_VAR_SYMBOL);
++ }
+ goto again;
+ #undef as_string
+ }
+@@ -5278,6 +5283,11 @@ static struct pipe *parse_stream(char **pstring,
+ if (ch == '\n')
+ continue; /* drop \, get next char */
+ nommu_addchr(&ctx.as_string, '\\');
++ if (ch == SPECIAL_VAR_SYMBOL) {
++ nommu_addchr(&ctx.as_string, ch);
++ /* Convert \^C to corresponding special variable reference */
++ goto case_SPECIAL_VAR_SYMBOL;
++ }
+ o_addchr(&ctx.word, '\\');
+ if (ch == EOF) {
+ /* Testcase: eval 'echo Ok\' */
+@@ -5596,6 +5606,7 @@ static struct pipe *parse_stream(char **pstring,
+ /* Note: nommu_addchr(&ctx.as_string, ch) is already done */
+
+ switch (ch) {
++ case_SPECIAL_VAR_SYMBOL:
+ case SPECIAL_VAR_SYMBOL:
+ /* Convert raw ^C to corresponding special variable reference */
+ o_addchr(&ctx.word, SPECIAL_VAR_SYMBOL);
+diff --git a/shell/hush_test/hush-misc/control_char3.right b/shell/hush_test/hush-misc/control_char3.right
+new file mode 100644
+index 000000000..94b4f8699
+--- /dev/null
++++ b/shell/hush_test/hush-misc/control_char3.right
+@@ -0,0 +1 @@
++hush: can't execute '': No such file or directory
+diff --git a/shell/hush_test/hush-misc/control_char3.tests b/shell/hush_test/hush-misc/control_char3.tests
+new file mode 100755
+index 000000000..4359db3f3
+--- /dev/null
++++ b/shell/hush_test/hush-misc/control_char3.tests
+@@ -0,0 +1,2 @@
++# (set argv0 to "SHELL" to avoid "/path/to/shell: blah" in error messages)
++$THIS_SH -c '\' SHELL
+diff --git a/shell/hush_test/hush-misc/control_char4.right b/shell/hush_test/hush-misc/control_char4.right
+new file mode 100644
+index 000000000..698e21427
+--- /dev/null
++++ b/shell/hush_test/hush-misc/control_char4.right
+@@ -0,0 +1 @@
++hush: can't execute '-': No such file or directory
+diff --git a/shell/hush_test/hush-misc/control_char4.tests b/shell/hush_test/hush-misc/control_char4.tests
+new file mode 100755
+index 000000000..48010f154
+--- /dev/null
++++ b/shell/hush_test/hush-misc/control_char4.tests
+@@ -0,0 +1,2 @@
++# (set argv0 to "SHELL" to avoid "/path/to/shell: blah" in error messages)
++$THIS_SH -c '"-"' SHELL
+--
+2.27.0
+
diff --git a/busybox.spec b/busybox.spec
index f5be2a4e0af139303b9866ec85b7e784bf82d8b3..cac918ba3bac0243e6a39e9dea789d8f36126ca9 100644
--- a/busybox.spec
+++ b/busybox.spec
@@ -4,7 +4,7 @@
 %endif
 %if "%{!?RELEASE:1}"
-%define RELEASE 9
+%define RELEASE 10
 %endif
 Name: busybox
@@ -21,6 +21,8 @@ Source3: busybox-dynamic.config
 Patch6000: backport-CVE-2018-1000500.patch
 Patch6001: backport-CVE-2021-28831.patch
+Patch6002: backport-CVE-2021-42374.patch
+Patch6003: backport-CVE-2021-42376.patch
 BuildRoot: %_topdir/BUILDROOT
 #Dependency
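Review bot: The new `case_SPECIAL_VAR_SYMBOL:` label in `parse_stream` (shell/hush.c, carried in backport-CVE-2021-42376.patch) is a `goto` target reached from the backslash branch roughly 300 lines earlier, yet nothing at the label says so. The existing note above the switch states that `nommu_addchr(&ctx.as_string, ch)` is already done, and the new path meets that only because it makes the call itself just before jumping. A comment on the label, for example `/* also entered by goto from the backslash handling, which has already appended ch to as_string */`, would keep that invariant visible to whoever next edits either site. Both hunks cut through `parse_stream`, so the code between the `goto` and the label is not shown here.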
@@ -96,6 +98,12 @@ install -m 644 docs/busybox.dynamic.1 $RPM_BUILD_ROOT/%{_mandir}/man1/busybox.1
 %{_mandir}/man1/busybox.petitboot.1.gz
 %changelog
+* Sat Apr 17 2021 xiechengliang - 1:1.31.1-10
+- Type:CVE
+- Id:NA
+- SUG:NA
+- DESC: fix CVE-2021-42374 and CVE-2021-42376
+
 * Fri Aug 13 2021 jikui - 1:1.31.1-9
 - Type:bugfix
 - Id:NA