diff --git a/backport-CVE-2025-30305,30306,30307,30308,30309.patch b/backport-CVE-2025-30305,30306,30307,30308,30309.patch
new file mode 100644
index 0000000000000000000000000000000000000000..0c78c0b5b3aa0de4842ef29b751617ded43cbbe5
--- /dev/null
+++ b/backport-CVE-2025-30305,30306,30307,30308,30309.patch
@@ -0,0 +1,111 @@
+From 8c4d72c924b296aaceb2dd97a2b6dcdc76a905b4 Mon Sep 17 00:00:00 2001
+From: Manish Upadhyay <59823396+maupadhyay@users.noreply.github.com>
+Date: Fri, 28 Mar 2025 15:19:20 +0530
+Subject: [PATCH] Security fixes (#102)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Cherry-pick from Adobe SDK
+
+Protect from buffer overruns.
+
+Fixes:
+- https://gitlab.freedesktop.org/libopenraw/exempi/-/issues/33
+
+Fixes:
+- GHSL-2024-083
+- GHSL-2024-084
+- GHSL-2024-085
+- GHSL-2024-086
+- GHSL-2024-087
+
+Signed-off-by: Hubert Figuière
+---
+ XMPFiles/source/FileHandlers/MPEG4_Handler.cpp | 3 +++
+ XMPFiles/source/FormatSupport/ASF_Support.cpp | 4 ++--
+ XMPFiles/source/FormatSupport/ReconcileTIFF.cpp | 4 +++-
+ XMPFiles/source/FormatSupport/TIFF_MemoryReader.cpp | 2 ++
+ 4 files changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/XMPFiles/source/FileHandlers/MPEG4_Handler.cpp b/XMPFiles/source/FileHandlers/MPEG4_Handler.cpp
+index f0f58c11..9c3e9f5f 100644
+--- a/XMPFiles/source/FileHandlers/MPEG4_Handler.cpp
++++ b/XMPFiles/source/FileHandlers/MPEG4_Handler.cpp
+@@ -635,6 +635,8 @@ static bool ImportISOCopyrights ( const std::vector & cpr
+ XMP_StringPtr textPtr = (XMP_StringPtr) (currBox.content + 6);
+ XMP_StringLen textLen = currBox.contentSize - 6;
+
++ if ( *(textPtr + textLen - 1) != '\0' ) continue; // make sure textPtr points to a null terminated string
++
+ if ( (textLen >= 2) && (GetUns16BE(textPtr) == 0xFEFF) ) {
+ FromUTF16 ( (UTF16Unit*)textPtr, textLen/2, &tempStr, true /* big endian */ );
+ textPtr = tempStr.c_str();
+@@ -2244,6 +2246,7 @@ bool MPEG4_MetaHandler::ParseTimecodeTrack()
+ XMP_Uns32 stsdTrailerSize = stsdEntrySize - sizeof ( MOOV_Manager::Content_stsd_entry );
+ if ( stsdTrailerSize > 8 ) { // Room for a non-empty 'name' box?
+
++ if ( stsdInfo.contentSize < (stsdTrailerSize + 8 + sizeof ( MOOV_Manager::Content_stsd_entry )) ) return false; //Not enough data
+ const XMP_Uns8 * trailerStart = stsdInfo.content + 8 + sizeof ( MOOV_Manager::Content_stsd_entry );
+ const XMP_Uns8 * trailerLimit = trailerStart + stsdTrailerSize;
+ const XMP_Uns8 * trailerPos;
+diff --git a/XMPFiles/source/FormatSupport/ASF_Support.cpp b/XMPFiles/source/FormatSupport/ASF_Support.cpp
+index 4a39b7e8..cb2675f5 100644
+--- a/XMPFiles/source/FormatSupport/ASF_Support.cpp
++++ b/XMPFiles/source/FormatSupport/ASF_Support.cpp
+@@ -163,7 +163,7 @@ bool ASF_Support::ReadHeaderObject ( XMP_IO* fileRef, ObjectState& inOutObjectSt
+ XMP_Throw("Failure reading ASF header object", kXMPErr_InternalFailure);
+ }
+
+- if ( IsEqualGUID ( ASF_File_Properties_Object, objectBase.guid) && (objectBase.size >= 104 ) ) {
++ if ( IsEqualGUID ( ASF_File_Properties_Object, objectBase.guid) && ( XMP_Int32(objectBase.size) >= 104 ) ) {
+
+ buffer.clear();
+ buffer.reserve ( XMP_Uns32( objectBase.size ) );
+@@ -184,7 +184,7 @@ bool ASF_Support::ReadHeaderObject ( XMP_IO* fileRef, ObjectState& inOutObjectSt
+
+ legacyManager->SetObjectExists ( ASF_LegacyManager::objectFileProperties );
+
+- } else if ( IsEqualGUID ( ASF_Content_Description_Object, objectBase.guid) && (objectBase.size >= 34 ) ) {
++ } else if ( IsEqualGUID ( ASF_Content_Description_Object, objectBase.guid) && ( XMP_Int32(objectBase.size) >= 34 ) ) {
+
+ buffer.clear();
+ buffer.reserve ( XMP_Uns32( objectBase.size ) );
+diff --git a/XMPFiles/source/FormatSupport/ReconcileTIFF.cpp b/XMPFiles/source/FormatSupport/ReconcileTIFF.cpp
+index 0435f618..ccd51d19 100644
+--- a/XMPFiles/source/FormatSupport/ReconcileTIFF.cpp
++++ b/XMPFiles/source/FormatSupport/ReconcileTIFF.cpp
+@@ -1517,6 +1517,8 @@ ImportConversionTable ( const TIFF_Manager::TagInfo & tagInfo, bool nativeEndian
+ rows = Flip2 ( rows );
+ }
+
++ if ( (XMP_Uns64)(byteEnd - bytePtr) < (8ULL * columns * rows) ) XMP_Throw ( "OECF-SFR data underflow", kXMPErr_BadValue );
++
+ char buffer[40];
+
+ snprintf ( buffer, sizeof(buffer), "%d", columns ); // AUDIT: Use of sizeof(buffer) is safe.
+@@ -1537,7 +1539,7 @@ ImportConversionTable ( const TIFF_Manager::TagInfo & tagInfo, bool nativeEndian
+ bytePtr += nameLen;
+ }
+
+- if ( (byteEnd - bytePtr) != (8 * columns * rows) ) XMP_Throw ( "OECF-SFR data overflow", kXMPErr_BadValue );
++ if ( (XMP_Uns64)(byteEnd - bytePtr) != (8ULL * columns * rows) ) XMP_Throw ( "OECF-SFR data overflow", kXMPErr_BadValue );
+ SXMPUtils::ComposeStructFieldPath ( xmpNS, xmpProp, kXMP_NS_EXIF, "Values", &arrayPath );
+
+ XMP_Uns32 * binPtr = (XMP_Uns32*)bytePtr;
+diff --git a/XMPFiles/source/FormatSupport/TIFF_MemoryReader.cpp b/XMPFiles/source/FormatSupport/TIFF_MemoryReader.cpp
+index 5a5e8ded..ff247dea 100644
+--- a/XMPFiles/source/FormatSupport/TIFF_MemoryReader.cpp
++++ b/XMPFiles/source/FormatSupport/TIFF_MemoryReader.cpp
+@@ -224,6 +224,8 @@ bool TIFF_MemoryReader::GetTag ( XMP_Uns8 ifd, XMP_Uns16 id, TagInfo* info ) con
+
+ if ( (thisType < kTIFF_ByteType) || (thisType > kTIFF_LastType) ) return false; // Bad type, skip this tag.
+
++ if ( thisBytes > tiffLength ) return false; // Bad data length, skip this tag.
++
+ if ( info != 0 ) {
+
+ info->id = GetUns16AsIs ( &thisTag->id );
+--
+GitLab
+
diff --git a/exempi.spec b/exempi.spec
index 8d02297a8b64592a22d1cd0e87e1c61d545da688..0b4246539ad13f3cb203c53b8719f69cbf8a9c46 100644
--- a/exempi.spec
+++ b/exempi.spec
@@ -1,10 +1,11 @@ Name: exempi Version: 2.6.4 -Release: 1 +Release: 2 Summary: Exempi is an implementation of XMP (Adobe's Extensible Metadata Platform) License: BSD URL: https://wiki.freedesktop.org/libopenraw/Exempi/ Source0: http://libopenraw.freedesktop.org/download/%{name}-%{version}.tar.bz2 +Patch0: backport-CVE-2025-30305,30306,30307,30308,30309.patch BuildRequires: gcc-c++ autoconf automake libtool BuildRequires: boost-devel expat-devel zlib-devel pkgconfig
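Review bot: In the `ImportISOCopyrights` hunk of MPEG4_Handler.cpp, the added terminator check `*(textPtr + textLen - 1) != '\0'` dereferences before confirming that `textLen` is at least 1. `textLen` is `currBox.contentSize - 6`, so a box with exactly 6 content bytes makes the check read the byte just before `textPtr`, and a smaller box would presumably wrap the length if nothing rejects it first. The loop body starts outside the hunk, so an earlier size guard may already exist and should be confirmed. I would write the guard as `if ( (textLen == 0) || (textPtr[textLen-1] != '\0') ) continue;`.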
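Review bot: In the `MPEG4_MetaHandler::ParseTimecodeTrack` hunk, the new bound `stsdInfo.contentSize < (stsdTrailerSize + 8 + sizeof ( MOOV_Manager::Content_stsd_entry ))` is computed by addition, which can wrap where `size_t` is 32 bits. `stsdTrailerSize` is an `XMP_Uns32` produced by `stsdEntrySize - sizeof (...)` on the context line above, so a small `stsdEntrySize` would make it very large unless a check outside the hunk prevents that. A wrapped sum would let the test pass and leave `trailerLimit` beyond the box. Comparing by subtraction avoids this, for example first rejecting `stsdInfo.contentSize < 8 + sizeof ( MOOV_Manager::Content_stsd_entry )` and then testing `stsdTrailerSize > stsdInfo.contentSize - 8 - sizeof ( MOOV_Manager::Content_stsd_entry )`.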
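Review bot: In both `ASF_Support::ReadHeaderObject` hunks, the new `XMP_Int32(objectBase.size) >= 104` and `>= 34` tests rely on a narrowing cast instead of an explicit range. The `XMP_Uns32( objectBase.size )` cast on the `reserve` lines suggests the field is wider than 32 bits. If so, a size whose low 32 bits form a small positive value still passes while its upper bits are ignored, and converting an out-of-range value to a signed type is implementation-defined before C++20. Stating the bound directly, e.g. `(objectBase.size >= 104) && (objectBase.size <= 0x7FFFFFFF)`, rejects every oversized object and documents the intent.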
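Review bot: In the `TIFF_MemoryReader::GetTag` hunk, the added `if ( thisBytes > tiffLength ) return false;` bounds only the tag's length, not where its data begins. A tag whose length is below `tiffLength` but whose data starts near the end of the stream would still pass this test. The code that resolves the data pointer is outside the hunk, so it should be confirmed whether the offset is validated when the IFD is parsed. If it is not, the test should compare the data offset plus `thisBytes` against `tiffLength`. Either way, a comment such as `// Length only; the data offset is checked in <function name to confirm>` would record where the other half of the bound lives.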
@@ -17,27 +18,20 @@ Version 2.x is based on Adobe XMP SDK and released under a BSD-style license lik %package devel Summary: exempi's development files Requires: %{name} = %{version}-%{release} -Requires: pkgconfig %description devel this package provides development files, including headers and libraries. -%package help -Summary: Help information for user - -%description help -Help information for user +%package_help %prep -%autosetup -n exempi-2.6.4 -p1 +%autosetup -n exempi-%{version} -p1 %build libtoolize -vi ./autogen.sh %configure CPPFLAGS="-I%{_includedir} -fno-strict-aliasing -DBanAllEntityUsage=1" -# Disable rpath -sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool -sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool +%disable_rpath %make_build %check @@ -45,9 +39,11 @@ make check %install %make_install +%delete_la_and_a %files -%doc AUTHORS ChangeLog COPYING +%license COPYING +%doc AUTHORS ChangeLog %{_libdir}/*.so.* %{_bindir}/exempi @@ -55,13 +51,15 @@ make check %{_libdir}/*.so %{_libdir}/pkgconfig/*.pc %{_includedir}/exempi-2.0/ -%exclude %{_libdir}/*.a -%exclude %{_libdir}/*.la %files help %{_mandir}/man1/exempi.1* %changelog +* Tue Sep 02 2025 Funda Wang - 2.6.4-2 +- fix CVE-2025-30305, CVE-2025-30306, CVE-2025-30307, CVE-2025-30308, + CVE-2025-30309 + * Wed Jul 12 2023 chenzixuan - 2.6.4-1 - Update to 2.6.4