diff --git a/backport-CVE-2024-36474-and-CVE-2024-42415.patch b/backport-CVE-2024-36474-and-CVE-2024-42415.patch
new file mode 100644
index 0000000000000000000000000000000000000000..8dc0a64cd4854f5617f19e087f4c25b76abb7229
--- /dev/null
+++ b/backport-CVE-2024-36474-and-CVE-2024-42415.patch
@@ -0,0 +1,106 @@
+From 06d0cb92a4c02e7126ef2ff6f5e29fd74b4be9e0 Mon Sep 17 00:00:00 2001
+From: Morten Welinder <terra@gnome.org>
+Date: Mon, 30 Sep 2024 20:47:29 -0400
+Subject: [PATCH] OLE2: Fix allocation problems.
+
+---
+ gsf/gsf-infile-msole.c | 27 +++++++++++++++++----------
+ 1 file changed, 17 insertions(+), 10 deletions(-)
+
+diff --git a/gsf/gsf-infile-msole.c b/gsf/gsf-infile-msole.c
+index e0a1cc5..b1f1c22 100644
+--- a/gsf/gsf-infile-msole.c
++++ b/gsf/gsf-infile-msole.c
+@@ -302,7 +302,7 @@ datetime_from_filetime (guint64 ft)
+  * parent is optional. */
+ static MSOleDirent *
+ ole_dirent_new (GsfInfileMSOle *ole, guint32 entry, MSOleDirent *parent,
+-		guint8 *seen_before)
++		GByteArray *seen_before)
+ {
+ 	MSOleDirent *dirent;
+ 	guint32 block, next, prev, child, size;
+@@ -315,12 +315,13 @@ ole_dirent_new (GsfInfileMSOle *ole, guint32 entry, MSOleDirent *parent,
+ 		return NULL;
+ 
+ 	g_return_val_if_fail (entry <= G_MAXUINT / DIRENT_SIZE, NULL);
++	g_return_val_if_fail (entry < seen_before->len, NULL);
+ 
+ 	block = OLE_BIG_BLOCK (entry * DIRENT_SIZE, ole);
+ 	g_return_val_if_fail (block < ole->bat.num_blocks, NULL);
+ 
+-	g_return_val_if_fail (!seen_before[entry], NULL);
+-	seen_before[entry] = TRUE;
++	g_return_val_if_fail (!seen_before->data[entry], NULL);
++	seen_before->data[entry] = TRUE;
+ 
+ 	data = ole_get_block (ole, ole->bat.block [block], NULL);
+ 	if (data == NULL)
+@@ -494,13 +495,14 @@ ole_init_info (GsfInfileMSOle *ole, GError **err)
+ {
+ 	static guint8 const signature[] =
+ 		{ 0xd0, 0xcf, 0x11, 0xe0, 0xa1, 0xb1, 0x1a, 0xe1 };
+-	guint8 *seen_before;
++	GByteArray *seen_before;
+ 	guint8 const *header, *tmp;
+ 	guint32 *metabat = NULL;
+ 	MSOleInfo *info;
+ 	guint32 bb_shift, sb_shift, num_bat, num_sbat, num_metabat, threshold, last, dirent_start;
+ 	guint32 metabat_block, *ptr;
+ 	gboolean fail;
++	size_t num_blocks, isize;
+ 
+ 	/* check the header */
+ 	if (gsf_input_seek (ole->input, 0, G_SEEK_SET) ||
+@@ -536,8 +538,9 @@ ole_init_info (GsfInfileMSOle *ole, GError **err)
+ 	 * 2) It makes no sense to have a block larger than 2^31 for now.
+ 	 *    Maybe relax this later, but not much.
+ 	 */
++	isize = gsf_input_size (ole->input);
+ 	if (6 > bb_shift || bb_shift >= 31 || sb_shift > bb_shift ||
+-	    (gsf_input_size (ole->input) >> bb_shift) < 1) {
++	    (isize >> bb_shift) < 1) {
+ 		if (err != NULL)
+ 			*err = g_error_new (gsf_input_error_id (), 0,
+ 					    _("Unreasonable block sizes"));
+@@ -557,7 +560,7 @@ ole_init_info (GsfInfileMSOle *ole, GError **err)
+ 	info->threshold	     = threshold;
+         info->sbat_start     = GSF_LE_GET_GUINT32 (header + OLE_HEADER_SBAT_START);
+ 	info->num_sbat       = num_sbat;
+-	info->max_block	     = (gsf_input_size (ole->input) - OLE_HEADER_SIZE + info->bb.size -1) / info->bb.size;
++	info->max_block	     = (isize - OLE_HEADER_SIZE + info->bb.size -1) / info->bb.size;
+ 	info->sb_file	     = NULL;
+ 
+ 	if (info->num_sbat == 0 &&
+@@ -566,9 +569,11 @@ ole_init_info (GsfInfileMSOle *ole, GError **err)
+ 		g_warning ("There are not supposed to be any blocks in the small block allocation table, yet there is a link to some.  Ignoring it.");
+ 	}
+ 
++	num_blocks = num_bat * (info->bb.size / BAT_INDEX_SIZE);
++
+ 	/* very rough heuristic, just in case */
+-	if (num_bat < info->max_block && info->num_sbat < info->max_block) {
+-		info->bb.bat.num_blocks = num_bat * (info->bb.size / BAT_INDEX_SIZE);
++	if (num_bat < info->max_block && info->num_sbat < info->max_block && num_blocks < G_MAXINT) {
++		info->bb.bat.num_blocks = num_blocks;
+ 		info->bb.bat.block	= g_new0 (guint32, info->bb.bat.num_blocks);
+ 
+ 		metabat = g_try_new (guint32, MAX (info->bb.size, OLE_HEADER_SIZE));
+@@ -648,10 +653,12 @@ ole_init_info (GsfInfileMSOle *ole, GError **err)
+ 	}
+ 
+ 	/* Read the directory */
+-	seen_before = g_malloc0 ((ole->bat.num_blocks << info->bb.shift) * DIRENT_SIZE + 1);
++	seen_before = g_byte_array_new ();
++	g_byte_array_set_size (seen_before, ((size_t)(ole->bat.num_blocks) << info->bb.shift) / DIRENT_SIZE + 1);
++	memset (seen_before->data, 0, seen_before->len);
+ 	ole->dirent = info->root_dir =
+ 		ole_dirent_new (ole, 0, NULL, seen_before);
+-	g_free (seen_before);
++	g_byte_array_unref (seen_before);
+ 	if (ole->dirent == NULL) {
+ 		if (err != NULL)
+ 			*err = g_error_new (gsf_input_error_id (), 0,
+-- 
+GitLab
+
diff --git a/libgsf.spec b/libgsf.spec
index 9472f77bc996597ffbda961424bd5b04a4ff70d4..0aee0b2e6741b1ff63bb0e64de211ef49056b92e 100644
--- a/libgsf.spec
+++ b/libgsf.spec
@@ -1,10 +1,11 @@
 Name:		libgsf
 Version: 	1.14.50
-Release:	1
+Release:	2
 Summary: 	GNOME Structured File library
-License: 	LGPLv2
+License: 	LGPL-2.1-only
 URL: 		https://gitlab.gnome.org/GNOME/libgsf
 Source: 	https://download.gnome.org/sources/%{name}/1.14/%{name}-%{version}.tar.xz
+Patch0: 	backport-CVE-2024-36474-and-CVE-2024-42415.patch
 
 BuildRequires: 	bzip2-devel chrpath gettext glib2-devel gobject-introspection-devel
 BuildRequires: 	libxml2-devel intltool gdk-pixbuf2-devel
@@ -20,37 +21,26 @@ Requires: 	libgsf = %{version}-%{release}, glib2-devel, libxml2-devel pkgconfig
 %description devel
 Support files necessary to compile applications with libgsf
 
-%package help
-Summary:	The man for %{name}
-Requires:       libgsf = %{version}-%{release}
-
-%description help
-This sub-package provides the man for %{name}
+%package_help
 
 %prep
 %autosetup -n %{name}-%{version} -p1
 
 %build
-%configure --disable-gtk-doc --enable-introspection=yes
-
-make %{?_smp_mflags} V=1
+%configure --disable-gtk-doc --enable-introspection=yes --disable-static
+%make_build
 
 %install
-export GCONF_DISABLE_MAKEFILE_SCHEMA_INSTALL=1
 %make_install
+%delete_la
 
 %find_lang %{name}
 
 chrpath --delete %{buildroot}%{_bindir}/gsf*
 
-%delete_la_and_a
-
-%post -p /sbin/ldconfig
-
-%postun -p /sbin/ldconfig
-
 %files -f libgsf.lang
-%doc AUTHORS COPYING COPYING.LIB README
+%license COPYING COPYING.LIB
+%doc AUTHORS README
 %{_libdir}/libgsf-1.so.*
 %{_libdir}/girepository-1.0/Gsf-1.typelib
 %{_bindir}/gsf-office-thumbnailer
@@ -66,11 +56,12 @@ chrpath --delete %{buildroot}%{_bindir}/gsf*
 %{_datadir}/gir-1.0/Gsf-1.gir
 
 %files help
-%{_mandir}/man1/gsf-office-thumbnailer.1.gz
-%{_mandir}/man1/gsf.1.gz
-%{_mandir}/man1/gsf-vba-dump.1.gz
+%{_mandir}/man1/*
 
 %changelog
+* Fri Oct 04 2024 Funda Wang <fundawang@yeah.net> - 1.14.50-2
+- fix CVE-2024-36474, CVE-2024-42415
+
 * Mon Jan 2 2023 lin zhang <lin.zhang@turbolinux.com.cn> - 1.14.50-1
 - Update to 1.14.50