diff --git a/CVE-2023-39976.patch b/CVE-2023-39976.patch
new file mode 100644
index 0000000000000000000000000000000000000000..5c5fd35529a9b54acedb2cc90560e84fd556a8c2
--- /dev/null
+++ b/CVE-2023-39976.patch
@@ -0,0 +1,57 @@
+From 1bbaa929b77113532785c408dd1b41cd0521ffc8 Mon Sep 17 00:00:00 2001
+From: Chrissie Caulfield
+Date: Thu, 20 Jul 2023 07:19:01 +0100
+Subject: [PATCH] log: fix potential overflow with long log messages (#490)
+
+qb_vsnprintf_serialize was called with 'max_size' as the
+limiting number for the length of the formatted log
+message. But the buffer also needs to contain the
+log header (given by 'actual_size'), so we now pass
+'t->max_line_length' as the maximum length of the
+formatted log message to limit space to the actual
+bytes left
+
+Also added error checks to the blackbox calls at
+the end of the test, as these now provide a proper
+test that the BB is functioning. Before they were
+masking failures.
+---
+ lib/log_blackbox.c | 4 ++--
+ tests/check_log.c | 6 ++++--
+ 2 files changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/lib/log_blackbox.c b/lib/log_blackbox.c
+index 3e30504..8519a48 100644
+--- a/lib/log_blackbox.c
++++ b/lib/log_blackbox.c
+@@ -110,8 +110,8 @@ _blackbox_vlogger(int32_t target,
+ chunk += sizeof(uint32_t);
+
+ /* log message */
+- msg_len = qb_vsnprintf_serialize(chunk, max_size, cs->format, ap);
+- if (msg_len >= max_size) {
++ msg_len = qb_vsnprintf_serialize(chunk, t->max_line_length, cs->format, ap);
++ if (msg_len >= t->max_line_length) {
+ chunk = msg_len_pt + sizeof(uint32_t); /* Reset */
+
+ /* Leave this at QB_LOG_MAX_LEN so as not to overflow the blackbox */
+diff --git a/tests/check_log.c b/tests/check_log.c
+index 039a4bb..e5abf40 100644
+--- a/tests/check_log.c
++++ b/tests/check_log.c
+@@ -832,8 +832,10 @@ START_TEST(test_log_long_msg)
+ qb_log(LOG_INFO, "Message %d %d - %s", lpc, lpc%600, buffer);
+ }
+
+- qb_log_blackbox_write_to_file("blackbox.dump");
+- qb_log_blackbox_print_from_file("blackbox.dump");
++ rc = qb_log_blackbox_write_to_file("blackbox.dump");
++ ck_assert_int_gt(rc, 0);
++ rc = qb_log_blackbox_print_from_file("blackbox.dump");
++ ck_assert_int_le(rc, 0);
+ unlink("blackbox.dump");
+ qb_log_fini();
+ }
+--
+2.33.0
+
diff --git a/libqb.spec b/libqb.spec
index a21c931e0cafe6952194de8c16847719e2403f9f..222a2f17730808ea97cc1da1356f4213115a2eba 100644
--- a/libqb.spec
+++ b/libqb.spec
@@ -1,10 +1,12 @@
 Name: libqb
 Version: 2.0.0
-Release: 1
+Release: 2
 Summary: Library providing high performance logging, tracing, ipc, and poll
 License: LGPLv2+
 URL: https://github.com/ClusterLabs/libqb
 Source0: https://github.com/ClusterLabs/libqb/releases/download/v%{version}/%{name}-%{version}.tar.xz
+
+Patch1: CVE-2023-39976.patch
 BuildRequires: autoconf automake libtool check-devel doxygen gcc procps pkgconfig(glib-2.0)
 BuildRequires: git-core
 # For doxygen2man
@@ -73,6 +75,9 @@ This package contains a program to create nicely-formatted man pages from Doxyge
 %{_mandir}/man1/doxygen2man.1.gz
 %changelog
+* Mon Aug 14 2023 liningjie - 2.0.0-2
+- fix CVE-2023-39976
+
 * Wed Feb 16 2022 jiangxinyu - 2.0.0-1
 - upgrade to 2.0.0
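Review bot: In the tests/check_log.c part of CVE-2023-39976.patch, `ck_assert_int_le(rc, 0);` after qb_log_blackbox_print_from_file() passes for every negative return, so if that function reports errors as negative codes (its contract is not visible here) a failed read-back of the dump still goes unnoticed. If 0 is the success value, `ck_assert_int_eq(rc, 0);` would make this the regression check the description intends. On the lib/log_blackbox.c side, the fallback call that the comment says stays at QB_LOG_MAX_LEN is outside the hunk; it is worth confirming that t->max_line_length can never be configured below what that fallback writes, since per the description only max_line_length bytes are left after the header. Both test_log_long_msg and _blackbox_vlogger begin and end outside the quoted hunks.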
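Review bot: In the first libqb.spec hunk, `Patch1: CVE-2023-39976.patch` is only declared; nothing in this diff shows %prep applying it. If the spec uses plain `%setup` with explicit patch lines rather than `%autosetup -p1`, a `%patch1 -p1` line is needed there, otherwise release 2 is built without the overflow fix while the changelog says it is fixed. The %prep section lies outside the diff, so this should be confirmed against the full spec, ideally by checking the build log for the patch being applied.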