diff --git a/0004-fix-CVE-2022-3064.patch b/0004-fix-CVE-2022-3064.patch
new file mode 100644
index 0000000000000000000000000000000000000000..bc2d9e6c5a9ada31ed15a4b6f63cc49213ef2c6c
--- /dev/null
+++ b/0004-fix-CVE-2022-3064.patch
@@ -0,0 +1,129 @@
+From 7f111ea7f83130a91dde47cfc66df5d95771519e Mon Sep 17 00:00:00 2001
+From: bwzhang <zhangbowei@kylinos.cn>
+Date: Tue, 30 Apr 2024 09:27:20 +0800
+Subject: [PATCH] fix CVE-2022-3064
+
+Add large document benchmarks, tune alias heuristic, add max depth limits
+@liggitt
+liggitt committed on Oct 3, 2019
+---
+ .../vendor/gopkg.in/yaml.v2/decode.go         | 38 +++++++++++++++++++
+ .../vendor/gopkg.in/yaml.v2/scannerc.go       | 16 ++++++++
+ 2 files changed, 54 insertions(+)
+
+diff --git a/dnsname-18822f9a4fb35d1349eb256f4cd2bfd372474d84/vendor/gopkg.in/yaml.v2/decode.go b/dnsname-18822f9a4fb35d1349eb256f4cd2bfd372474d84/vendor/gopkg.in/yaml.v2/decode.go
+index e4e56e2..5310876 100644
+--- a/dnsname-18822f9a4fb35d1349eb256f4cd2bfd372474d84/vendor/gopkg.in/yaml.v2/decode.go
++++ b/dnsname-18822f9a4fb35d1349eb256f4cd2bfd372474d84/vendor/gopkg.in/yaml.v2/decode.go
+@@ -229,6 +229,10 @@ type decoder struct {
+ 	mapType reflect.Type
+ 	terrors []string
+ 	strict  bool
++
++	decodeCount int
++	aliasCount  int
++	aliasDepth  int
+ }
+ 
+ var (
+@@ -314,7 +318,39 @@ func (d *decoder) prepare(n *node, out reflect.Value) (newout reflect.Value, unm
+ 	return out, false, false
+ }
+ 
++const (
++	// 400,000 decode operations is ~500kb of dense object declarations, or ~5kb of dense object declarations with 10000% alias expansion
++	alias_ratio_range_low = 400000
++	// 4,000,000 decode operations is ~5MB of dense object declarations, or ~4.5MB of dense object declarations with 10% alias expansion
++	alias_ratio_range_high = 4000000
++	// alias_ratio_range is the range over which we scale allowed alias ratios
++	alias_ratio_range = float64(alias_ratio_range_high - alias_ratio_range_low)
++)
++
++func allowedAliasRatio(decodeCount int) float64 {
++	switch {
++	case decodeCount <= alias_ratio_range_low:
++		// allow 99% to come from alias expansion for small-to-medium documents
++		return 0.99
++	case decodeCount >= alias_ratio_range_high:
++		// allow 10% to come from alias expansion for very large documents
++		return 0.10
++	default:
++		// scale smoothly from 99% down to 10% over the range.
++		// this maps to 396,000 - 400,000 allowed alias-driven decodes over the range.
++		// 400,000 decode operations is ~100MB of allocations in worst-case scenarios (single-item maps).
++		return 0.99 - 0.89*(float64(decodeCount-alias_ratio_range_low)/alias_ratio_range)
++	}
++}
++
+ func (d *decoder) unmarshal(n *node, out reflect.Value) (good bool) {
++	d.decodeCount++
++	if d.aliasDepth > 0 {
++		d.aliasCount++
++	}
++	if d.aliasCount > 100 && d.decodeCount > 1000 && float64(d.aliasCount)/float64(d.decodeCount) > allowedAliasRatio(d.decodeCount) {
++		failf("document contains excessive aliasing")
++	}
+ 	switch n.kind {
+ 	case documentNode:
+ 		return d.document(n, out)
+@@ -353,7 +389,9 @@ func (d *decoder) alias(n *node, out reflect.Value) (good bool) {
+ 		failf("anchor '%s' value contains itself", n.value)
+ 	}
+ 	d.aliases[n] = true
++	d.aliasDepth++
+ 	good = d.unmarshal(n.alias, out)
++	d.aliasDepth--
+ 	delete(d.aliases, n)
+ 	return good
+ }
+diff --git a/dnsname-18822f9a4fb35d1349eb256f4cd2bfd372474d84/vendor/gopkg.in/yaml.v2/scannerc.go b/dnsname-18822f9a4fb35d1349eb256f4cd2bfd372474d84/vendor/gopkg.in/yaml.v2/scannerc.go
+index 077fd1d..570b8ec 100644
+--- a/dnsname-18822f9a4fb35d1349eb256f4cd2bfd372474d84/vendor/gopkg.in/yaml.v2/scannerc.go
++++ b/dnsname-18822f9a4fb35d1349eb256f4cd2bfd372474d84/vendor/gopkg.in/yaml.v2/scannerc.go
+@@ -906,6 +906,9 @@ func yaml_parser_remove_simple_key(parser *yaml_parser_t) bool {
+ 	return true
+ }
+ 
++// max_flow_level limits the flow_level
++const max_flow_level = 10000
++
+ // Increase the flow level and resize the simple key list if needed.
+ func yaml_parser_increase_flow_level(parser *yaml_parser_t) bool {
+ 	// Reset the simple key on the next level.
+@@ -913,6 +916,11 @@ func yaml_parser_increase_flow_level(parser *yaml_parser_t) bool {
+ 
+ 	// Increase the flow level.
+ 	parser.flow_level++
++	if parser.flow_level > max_flow_level {
++		return yaml_parser_set_scanner_error(parser,
++			"while increasing flow level", parser.simple_keys[len(parser.simple_keys)-1].mark,
++			fmt.Sprintf("exceeded max depth of %d", max_flow_level))
++	}
+ 	return true
+ }
+ 
+@@ -925,6 +933,9 @@ func yaml_parser_decrease_flow_level(parser *yaml_parser_t) bool {
+ 	return true
+ }
+ 
++// max_indents limits the indents stack size
++const max_indents = 10000
++
+ // Push the current indentation level to the stack and set the new level
+ // the current column is greater than the indentation level.  In this case,
+ // append or insert the specified token into the token queue.
+@@ -939,6 +950,11 @@ func yaml_parser_roll_indent(parser *yaml_parser_t, column, number int, typ yaml
+ 		// indentation level.
+ 		parser.indents = append(parser.indents, parser.indent)
+ 		parser.indent = column
++		if len(parser.indents) > max_indents {
++			return yaml_parser_set_scanner_error(parser,
++				"while increasing indent level", parser.simple_keys[len(parser.simple_keys)-1].mark,
++				fmt.Sprintf("exceeded max depth of %d", max_indents))
++		}
+ 
+ 		// Create a token and insert it into the queue.
+ 		token := yaml_token_t{
+-- 
+2.20.1
+
diff --git a/podman.spec b/podman.spec
index 4c0137081ab6d41f6af64a3ea241b772ddd0e1d8..4eb1d3e3c5b140f50b6e2c35cdeff1a9972d60ba 100644
--- a/podman.spec
+++ b/podman.spec
@@ -2,7 +2,7 @@
 
 Name:          podman
 Version:       4.9.4
-Release:       7
+Release:       8
 Summary:       A tool for managing OCI containers and pods.
 Epoch:         1
 License:       Apache-2.0 and MIT
@@ -16,6 +16,7 @@ Patch0:        0001-podman-4.9.4-add-support-for-loongarch64.patch
 Patch0001:    0001-fix-CVE-2024-28180.patch
 Patch0002:    0002-fix-CVE-2023-3978.patch
 Patch0003:    0003-fix-CVE-2023-48795.patch
+Patch0004:    0004-fix-CVE-2022-3064.patch
 
 BuildRequires: gcc golang btrfs-progs-devel glib2-devel glibc-devel glibc-static
 BuildRequires: gpgme-devel libassuan-devel libgpg-error-devel libseccomp-devel libselinux-devel
@@ -119,6 +120,7 @@ sed -i 's;@@PODMAN@@\;$(BINDIR);@@PODMAN@@\;%{_bindir};' Makefile
 # untar dnsname
 tar zxf %{SOURCE1}
 %patch0002 -p1
+%patch0004 -p1
 # untar %%{name}-gvproxy
 tar zxf %{SOURCE2}
 %patch0003 -p1
@@ -297,6 +299,12 @@ cp -pav test/system %{buildroot}/%{_datadir}/%{name}/test/
 %{_bindir}/%{name}sh
 
 %changelog
+* Tue Apr 30 2024 zhangbowei <zhangbowei@kylinos.cn> - 1:4.9.4-8
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC: fix CVE-2022-3064
+
 * Mon Apr 29 2024 zhangbowei <zhangbowei@kylinos.cn> - 1:4.9.4-7
 - Type:bugfix
 - CVE:NA