diff --git a/0001-fix-CVE-2024-28180.patch b/0001-fix-CVE-2024-28180.patch
new file mode 100644
index 0000000000000000000000000000000000000000..56ff9fd6ded6512b04646bbdee4b0c437472be76
--- /dev/null
+++ b/0001-fix-CVE-2024-28180.patch
@@ -0,0 +1,117 @@
+From e311b724eaeeda39b5c23cc23953cbee16103a18 Mon Sep 17 00:00:00 2001
+From: bwzhang
+Date: Tue, 23 Apr 2024 18:34:28 +0800
+Subject: [PATCH] fix CVE-2024-28180
+
+---
+ .../github.com/go-jose/go-jose/v3/encoding.go | 21 +++++++++++++++----
+ .../gopkg.in/go-jose/go-jose.v2/encoding.go | 21 +++++++++++++++----
+ 2 files changed, 34 insertions(+), 8 deletions(-)
+
+diff --git a/vendor/github.com/go-jose/go-jose/v3/encoding.go b/vendor/github.com/go-jose/go-jose/v3/encoding.go
+index 968a424..d083db8 100644
+--- a/vendor/github.com/go-jose/go-jose/v3/encoding.go
++++ b/vendor/github.com/go-jose/go-jose/v3/encoding.go
+@@ -25,6 +25,7 @@ import (
+ "math/big"
+ "strings"
+ "unicode"
++ "fmt"
+
+ "github.com/go-jose/go-jose/v3/json"
+ )
+@@ -85,7 +86,7 @@ func decompress(algorithm CompressionAlgorithm, input []byte) ([]byte, error) {
+ }
+ }
+
+-// Compress with DEFLATE
++// deflate compresses the input.
+ func deflate(input []byte) ([]byte, error) {
+ output := new(bytes.Buffer)
+
+@@ -97,15 +98,27 @@ func deflate(input []byte) ([]byte, error) {
+ return output.Bytes(), err
+ }
+
+-// Decompress with DEFLATE
++// inflate decompresses the input.
++//
++// Errors if the decompressed data would be >250kB or >10x the size of the
++// compressed data, whichever is larger.
+ func inflate(input []byte) ([]byte, error) {
+ output := new(bytes.Buffer)
+ reader := flate.NewReader(bytes.NewBuffer(input))
+
+- _, err := io.Copy(output, reader)
+- if err != nil {
++ maxCompressedSize := 10 * int64(len(input))
++ if maxCompressedSize < 250000 {
++ maxCompressedSize = 250000
++ }
++
++ limit := maxCompressedSize + 1
++ n, err := io.CopyN(output, reader, limit)
++ if err != nil && err != io.EOF {
+ return nil, err
+ }
++ if n == limit {
++ return nil, fmt.Errorf("uncompressed data would be too large (>%d bytes)", maxCompressedSize)
++ }
+
+ err = reader.Close()
+ return output.Bytes(), err
+diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/encoding.go b/vendor/gopkg.in/go-jose/go-jose.v2/encoding.go
+index 40b688b..9111733 100644
+--- a/vendor/gopkg.in/go-jose/go-jose.v2/encoding.go
++++ b/vendor/gopkg.in/go-jose/go-jose.v2/encoding.go
+@@ -25,6 +25,7 @@ import (
+ "math/big"
+ "strings"
+ "unicode"
++ "fmt"
+
+ "gopkg.in/go-jose/go-jose.v2/json"
+ )
+@@ -85,7 +86,7 @@ func decompress(algorithm CompressionAlgorithm, input []byte) ([]byte, error) {
+ }
+ }
+
+-// Compress with DEFLATE
++// deflate compresses the input.
+ func deflate(input []byte) ([]byte, error) {
+ output := new(bytes.Buffer)
+
+@@ -97,15 +98,27 @@ func deflate(input []byte) ([]byte, error) {
+ return output.Bytes(), err
+ }
+
+-// Decompress with DEFLATE
++// inflate decompresses the input.
++//
++// Errors if the decompressed data would be >250kB or >10x the size of the
++// compressed data, whichever is larger.
+ func inflate(input []byte) ([]byte, error) {
+ output := new(bytes.Buffer)
+ reader := flate.NewReader(bytes.NewBuffer(input))
+
+- _, err := io.Copy(output, reader)
+- if err != nil {
++ maxCompressedSize := 10 * int64(len(input))
++ if maxCompressedSize < 250000 {
++ maxCompressedSize = 250000
++ }
++
++ limit := maxCompressedSize + 1
++ n, err := io.CopyN(output, reader, limit)
++ if err != nil && err != io.EOF {
+ return nil, err
+ }
++ if n == limit {
++ return nil, fmt.Errorf("uncompressed data would be too large (>%d bytes)", maxCompressedSize)
++ }
+
+ err = reader.Close()
+ return output.Bytes(), err
+--
+2.20.1
+
diff --git a/podman.spec b/podman.spec
index aba22ab4a14a9bf9f5f3aab60e287cc07842140e..3dbb3fec5553bf914771ddecbcfc4d06fb68a2ae 100644
--- a/podman.spec
+++ b/podman.spec
@@ -2,7 +2,7 @@
 Name: podman
 Version: 4.9.4
-Release: 4
+Release: 5
 Summary: A tool for managing OCI containers and pods.
 Epoch: 1
 License: Apache-2.0 and MIT
 
@@ -13,6 +13,8 @@ Source2: https://github.com/containers/gvisor-tap-vsock/archive/refs/tags/
 Source3: https://github.com/cpuguy83/go-md2man/archive/refs/tags/v2.0.3.tar.gz
 Patch0: 0001-podman-4.9.4-add-support-for-loongarch64.patch
 
+Patch0001: 0001-fix-CVE-2024-28180.patch
+
 BuildRequires: gcc golang btrfs-progs-devel glib2-devel glibc-devel glibc-static
 BuildRequires: gpgme-devel libassuan-devel libgpg-error-devel libseccomp-devel libselinux-devel
 BuildRequires: ostree-devel pkgconfig make git-core systemd systemd-devel shadow-subid-devel man-db
@@ -111,6 +113,7 @@ when `%{_bindir}/%{name}sh` is set as a login shell or set as os.Args[0].
 %prep
 %setup -n %{name}-%{version}
 sed -i 's;@@PODMAN@@\;$(BINDIR);@@PODMAN@@\;%{_bindir};' Makefile
+%patch0001 -p1
 # untar dnsname
 tar zxf %{SOURCE1}
 # untar %%{name}-gvproxy
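Review bot: In the nested hunk `+@@ -25,6 +25,7 @@ import (` the new `"fmt"` import is appended after `"unicode"`, which leaves the standard-library import group unsorted; gofmt sorts imports within a group, so the vendored file is no longer gofmt-clean and the line belongs at the top of the group, before `"math/big"`. The same ordering issue appears in the import hunk for the go-jose.v2 copy further down. The two `inflate` hunks themselves match each other line for line, and the `n == limit` check with `limit := maxCompressedSize + 1` correctly distinguishes "exactly at the cap" from "over the cap", so the size guard reads as intended. Both nested `inflate` hunks end at `return output.Bytes(), err`, before the function's closing brace, so the tail of the function is outside this patch.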
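Review bot: `Patch0001:` is added directly after the existing `Patch0:` tag, mixing zero-padded and plain patch numbers; `Patch1: 0001-fix-CVE-2024-28180.patch` here and `%patch1 -p1` in the `@@ -111,6 +113,7 @@` hunk keep the numbering consistent with the tag already in the file instead of relying on rpm to read `%patch0001` as patch 1. The visible `%prep` lines apply only `%patch0001`, and no `%patch0` for the loongarch64 patch declared just above is shown; presumably it is applied further down or under an `%ifarch` guard, but that is worth confirming since the hunk shows only these lines.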
@@ -290,6 +293,12 @@ cp -pav test/system %{buildroot}/%{_datadir}/%{name}/test/
 %{_bindir}/%{name}sh
 %changelog
+* Wed Apr 24 2024 zhangbowei - 1:4.9.4-5
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC: fix CVE-2024-28180
+
 * Wed Apr 24 2024 Pengda Dou - 1:4.9.4-4
 - add support for loongarch64