diff --git a/backport-CVE-2023-4813.patch b/backport-CVE-2023-4813.patch
new file mode 100644
index 0000000000000000000000000000000000000000..0da53ee0ae17b0939d5f89adbfcc05dec2de5b2f
--- /dev/null
+++ b/backport-CVE-2023-4813.patch
@@ -0,0 +1,285 @@
+From 228cdb00a045ae3b68a91b35c7548bab6029446e Mon Sep 17 00:00:00 2001
+From: Siddhesh Poyarekar <siddhesh@sourceware.org>
+Date: Thu, 17 Mar 2022 11:44:34 +0530
+Subject: [PATCH] Simplify allocations and fix merge and continue actions [BZ
+ #28931]
+
+Allocations for address tuples is currently a bit confusing because of
+the pointer chasing through PAT, making it hard to observe the sequence
+in which allocations have been made.  Narrow scope of the pointer
+chasing through PAT so that it is only used where necessary.
+
+This also tightens actions behaviour with the hosts database in
+getaddrinfo to comply with the manual text.  The "continue" action
+discards previous results and the "merge" action results in an immedate
+lookup failure.  Consequently, chaining of allocations across modules is
+no longer necessary, thus opening up cleanup opportunities.
+
+A test has been added that checks some combinations to ensure that they
+work correctly.
+
+Resolves: BZ #28931
+
+---
+ sysdeps/posix/getaddrinfo.c | 143 +++++++++++++++++++++++-------------
+ 1 file changed, 91 insertions(+), 52 deletions(-)
+
+diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c
+index c91b281e..3b2f0941 100644
+--- a/sysdeps/posix/getaddrinfo.c
++++ b/sysdeps/posix/getaddrinfo.c
+@@ -473,11 +473,6 @@ gaih_inet (const char *name, const struct gaih_service *service,
+ 
+   if (name != NULL)
+     {
+-      at = alloca_account (sizeof (struct gaih_addrtuple), alloca_used);
+-      at->family = AF_UNSPEC;
+-      at->scopeid = 0;
+-      at->next = NULL;
+-
+       if (req->ai_flags & AI_IDN)
+ 	{
+ 	  char *out;
+@@ -488,13 +483,21 @@ gaih_inet (const char *name, const struct gaih_service *service,
+ 	  malloc_name = true;
+ 	}
+ 
+-      if (__inet_aton_exact (name, (struct in_addr *) at->addr) != 0)
++      uint32_t addr[4];
++      if (__inet_aton_exact (name, (struct in_addr *) addr) != 0)
+ 	{
++	  at = alloca_account (sizeof (struct gaih_addrtuple), alloca_used);
++	  at->scopeid = 0;
++	  at->next = NULL;
++
+ 	  if (req->ai_family == AF_UNSPEC || req->ai_family == AF_INET)
+-	    at->family = AF_INET;
++	    {
++	      memcpy (at->addr, addr, sizeof (at->addr));
++	      at->family = AF_INET;
++	    }
+ 	  else if (req->ai_family == AF_INET6 && (req->ai_flags & AI_V4MAPPED))
+ 	    {
+-	      at->addr[3] = at->addr[0];
++	      at->addr[3] = addr[0];
+ 	      at->addr[2] = htonl (0xffff);
+ 	      at->addr[1] = 0;
+ 	      at->addr[0] = 0;
+@@ -508,49 +511,62 @@ gaih_inet (const char *name, const struct gaih_service *service,
+ 
+ 	  if (req->ai_flags & AI_CANONNAME)
+ 	    canon = name;
++
++	  goto process_list;
+ 	}
+-      else if (at->family == AF_UNSPEC)
++
++      char *scope_delim = strchr (name, SCOPE_DELIMITER);
++      int e;
++
++      if (scope_delim == NULL)
++	e = inet_pton (AF_INET6, name, addr);
++      else
++	e = __inet_pton_length (AF_INET6, name, scope_delim - name, addr);
++
++      if (e > 0)
+ 	{
+-	  char *scope_delim = strchr (name, SCOPE_DELIMITER);
+-	  int e;
+-	  if (scope_delim == NULL)
+-	    e = inet_pton (AF_INET6, name, at->addr);
++	  at = alloca_account (sizeof (struct gaih_addrtuple),
++			       alloca_used);
++	  at->scopeid = 0;
++	  at->next = NULL;
++
++	  if (req->ai_family == AF_UNSPEC || req->ai_family == AF_INET6)
++	    {
++	      memcpy (at->addr, addr, sizeof (at->addr));
++	      at->family = AF_INET6;
++	    }
++	  else if (req->ai_family == AF_INET
++		   && IN6_IS_ADDR_V4MAPPED (addr))
++	    {
++	      at->addr[0] = addr[3];
++	      at->addr[1] = addr[1];
++	      at->addr[2] = addr[2];
++	      at->addr[3] = addr[3];
++	      at->family = AF_INET;
++	    }
+ 	  else
+-	    e = __inet_pton_length (AF_INET6, name, scope_delim - name,
+-				    at->addr);
+-	  if (e > 0)
+ 	    {
+-	      if (req->ai_family == AF_UNSPEC || req->ai_family == AF_INET6)
+-		at->family = AF_INET6;
+-	      else if (req->ai_family == AF_INET
+-		       && IN6_IS_ADDR_V4MAPPED (at->addr))
+-		{
+-		  at->addr[0] = at->addr[3];
+-		  at->family = AF_INET;
+-		}
+-	      else
+-		{
+-		  result = -EAI_ADDRFAMILY;
+-		  goto free_and_return;
+-		}
+-
+-	      if (scope_delim != NULL
+-		  && __inet6_scopeid_pton ((struct in6_addr *) at->addr,
+-					   scope_delim + 1,
+-					   &at->scopeid) != 0)
+-		{
+-		  result = -EAI_NONAME;
+-		  goto free_and_return;
+-		}
++	      result = -EAI_ADDRFAMILY;
++	      goto free_and_return;
++	    }
+ 
+-	      if (req->ai_flags & AI_CANONNAME)
+-		canon = name;
++	  if (scope_delim != NULL
++	      && __inet6_scopeid_pton ((struct in6_addr *) at->addr,
++				       scope_delim + 1,
++				       &at->scopeid) != 0)
++	    {
++	      result = -EAI_NONAME;
++	      goto free_and_return;
+ 	    }
++
++	  if (req->ai_flags & AI_CANONNAME)
++	    canon = name;
++
++	  goto process_list;
+ 	}
+ 
+-      if (at->family == AF_UNSPEC && (req->ai_flags & AI_NUMERICHOST) == 0)
++      if ((req->ai_flags & AI_NUMERICHOST) == 0)
+ 	{
+-	  struct gaih_addrtuple **pat = &at;
+ 	  int no_data = 0;
+ 	  int no_inet6_data = 0;
+ 	  service_user *nip;
+@@ -559,6 +575,7 @@ gaih_inet (const char *name, const struct gaih_service *service,
+ 	  int no_more;
+ 	  struct resolv_context *res_ctx = NULL;
+ 	  bool res_enable_inet6 = false;
++	  bool do_merge = false;
+ 
+ 	  /* If we do not have to look for IPv6 addresses or the canonical
+ 	     name, use the simple, old functions, which do not support
+@@ -595,7 +612,7 @@ gaih_inet (const char *name, const struct gaih_service *service,
+ 			  result = -EAI_MEMORY;
+ 			  goto free_and_return;
+ 			}
+-		      *pat = addrmem;
++		      at = addrmem;
+ 		    }
+ 		  else
+ 		    {
+@@ -648,6 +665,8 @@ gaih_inet (const char *name, const struct gaih_service *service,
+ 		    }
+ 
+ 		  struct gaih_addrtuple *addrfree = addrmem;
++		  struct gaih_addrtuple **pat = &at;
++
+ 		  for (int i = 0; i < air->naddrs; ++i)
+ 		    {
+ 		      socklen_t size = (air->family[i] == AF_INET
+@@ -711,12 +730,6 @@ gaih_inet (const char *name, const struct gaih_service *service,
+ 
+ 		  free (air);
+ 
+-		  if (at->family == AF_UNSPEC)
+-		    {
+-		      result = -EAI_NONAME;
+-		      goto free_and_return;
+-		    }
+-
+ 		  goto process_list;
+ 		}
+ 	      else if (err == 0)
+@@ -755,6 +768,22 @@ gaih_inet (const char *name, const struct gaih_service *service,
+ 
+ 	  while (!no_more)
+ 	    {
++	      /* Always start afresh; continue should discard previous results
++		 and the hosts database does not support merge.  */
++	      at = NULL;
++	      free (canonbuf);
++	      free (addrmem);
++	      canon = canonbuf = NULL;
++	      addrmem = NULL;
++	      got_ipv6 = false;
++
++	      if (do_merge)
++		{
++		  __set_h_errno (NETDB_INTERNAL);
++		  __set_errno (EBUSY);
++		  break;
++		}
++
+ 	      no_data = 0;
+ 	      nss_gethostbyname4_r fct4 = NULL;
+ 
+@@ -767,12 +796,14 @@ gaih_inet (const char *name, const struct gaih_service *service,
+ 		{
+ 		  while (1)
+ 		    {
+-		      status = DL_CALL_FCT (fct4, (name, pat,
++		      status = DL_CALL_FCT (fct4, (name, &at,
+ 						   tmpbuf->data, tmpbuf->length,
+ 						   &errno, &h_errno,
+ 						   NULL));
+ 		      if (status == NSS_STATUS_SUCCESS)
+ 			break;
++		      /* gethostbyname4_r may write into AT, so reset it.  */
++		      at = NULL;
+ 		      if (status != NSS_STATUS_TRYAGAIN
+ 			  || errno != ERANGE || h_errno != NETDB_INTERNAL)
+ 			{
+@@ -799,7 +830,9 @@ gaih_inet (const char *name, const struct gaih_service *service,
+ 		      no_data = 1;
+ 
+ 		      if ((req->ai_flags & AI_CANONNAME) != 0 && canon == NULL)
+-			canon = (*pat)->name;
++			canon = at->name;
++
++		      struct gaih_addrtuple **pat = &at;
+ 
+ 		      while (*pat != NULL)
+ 			{
+@@ -851,6 +884,8 @@ gaih_inet (const char *name, const struct gaih_service *service,
+ 
+ 		  if (fct != NULL)
+ 		    {
++		      struct gaih_addrtuple **pat = &at;
++
+ 		      if (req->ai_family == AF_INET6
+ 			  || req->ai_family == AF_UNSPEC)
+ 			{
+@@ -926,6 +961,10 @@ gaih_inet (const char *name, const struct gaih_service *service,
+ 	      if (nss_next_action (nip, status) == NSS_ACTION_RETURN)
+ 		break;
+ 
++              /* The hosts database does not support MERGE.  */
++              if (nss_next_action (nip, status) == NSS_ACTION_MERGE)
++                do_merge = true;
++
+ 	      if (nip->next == NULL)
+ 		no_more = -1;
+ 	      else
+@@ -959,7 +998,7 @@ gaih_inet (const char *name, const struct gaih_service *service,
+ 	}
+ 
+     process_list:
+-      if (at->family == AF_UNSPEC)
++      if (at == NULL)
+ 	{
+ 	  result = -EAI_NONAME;
+ 	  goto free_and_return;
+-- 
+2.33.0
+
diff --git a/glibc.spec b/glibc.spec
index ceef9111dbed237725f89afaafa76bae43a4fff8..727720c0c8d0baa137f8befbe3c4696922a29869 100644
--- a/glibc.spec
+++ b/glibc.spec
@@ -67,7 +67,7 @@
 ##############################################################################
 Name: 	 	glibc
 Version: 	2.38
-Release: 	10
+Release: 	11
 Summary: 	The GNU libc libraries
 License:	%{all_license}
 URL: 		http://www.gnu.org/software/glibc/
@@ -110,6 +110,7 @@ Patch21: 0001-getaddrinfo-Fix-use-after-free-in-getcanonname-CVE-2.patch
 Patch22: 0002-iconv-restore-verbosity-with-unrecognized-encoding-n.patch
 Patch23: 0003-string-Fix-tester-build-with-fortify-enable-with-gcc.patch
 Patch24: 0004-manual-jobs.texi-Add-missing-item-EPERM-for-getpgid.patch
+Patch25: backport-CVE-2023-4813.patch
 
 Patch9000: turn-default-value-of-x86_rep_stosb_threshold_form_2K_to_1M.patch
 Patch9001: locale-delete-no-hard-link-to-avoid-all_language-pac.patch 
@@ -1323,6 +1324,9 @@ fi
 %endif
 
 %changelog
+* Sat Sep 23 2023 zhanghao <zhanghao383@huawei.com> - 2.38-11
+- fix CVE-2023-4813
+
 * Sat Sep 16 2023 Qingqing Li <liqingqing3@huawei.com> - 2.38-10
 - backport patches from glibc upstream 2.38 branch
 - revert some customization modification