diff --git a/backport-CVE-2023-0286.patch b/backport-CVE-2023-0286.patch
new file mode 100644
index 0000000000000000000000000000000000000000..09c39465f1350ffe620afe6b3f729fc37a3d9087
--- /dev/null
+++ b/backport-CVE-2023-0286.patch
@@ -0,0 +1,38 @@
+From 2c6c9d439b484e1ba9830d8454a34fa4f80fdfe9 Mon Sep 17 00:00:00 2001
+From: Hugo Landau <hlandau@openssl.org>
+Date: Tue, 17 Jan 2023 17:45:42 +0000
+Subject: [PATCH] CVE-2023-0286: Fix GENERAL_NAME_cmp for x400Address (1.1.1)
+
+Reviewed-by: Paul Dale <pauli@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+---
+ crypto/x509v3/v3_genn.c  |  2 +-
+ include/openssl/x509v3.h |  2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+ 
+diff --git a/crypto/x509v3/v3_genn.c b/crypto/x509v3/v3_genn.c
+index 87a5eff47cd9..e54ddc55c957 100644
+--- a/Cryptlib/OpenSSL/crypto/x509v3/v3_genn.c
++++ b/Cryptlib/OpenSSL/crypto/x509v3/v3_genn.c
+@@ -98,7 +98,7 @@ int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b)
+         return -1;
+     switch (a->type) {
+     case GEN_X400:
+-        result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address);
++        result = ASN1_STRING_cmp(a->d.x400Address, b->d.x400Address);
+         break;
+ 
+     case GEN_EDIPARTY:
+diff --git a/include/openssl/x509v3.h b/include/openssl/x509v3.h
+index 90fa3592ce58..e61c0f29d4b4 100644
+--- a/Cryptlib/Include/openssl/x509v3.h
++++ b/Cryptlib/Include/openssl/x509v3.h
+@@ -136,7 +136,7 @@ typedef struct GENERAL_NAME_st {
+         OTHERNAME *otherName;   /* otherName */
+         ASN1_IA5STRING *rfc822Name;
+         ASN1_IA5STRING *dNSName;
+-        ASN1_TYPE *x400Address;
++        ASN1_STRING *x400Address;
+         X509_NAME *directoryName;
+         EDIPARTYNAME *ediPartyName;
+         ASN1_IA5STRING *uniformResourceIdentifier;
diff --git a/shim.spec b/shim.spec
index f30fa578680374cc5ee1f8afa68056a68dbaa6e5..e233430b28c45702d0f3a739246b91702f944d41 100644
--- a/shim.spec
+++ b/shim.spec
@@ -25,7 +25,7 @@
 
 Name:	   	   shim
 Version:	   15.6
-Release:	   8
+Release:	   9
 Summary:	   First-stage UEFI bootloader
 ExclusiveArch:     x86_64 aarch64
 License:	   BSD
@@ -46,6 +46,7 @@ Patch9:backport-0004-CVE-2020-1971.patch
 Patch10:backport-CVE-2021-23841.patch
 Patch11:backport-CVE-2021-3712.patch
 Patch12:backport-CVE-2022-0778.patch
+Patch13:backport-CVE-2023-0286.patch
 
 # Feature for shim SMx support
 Patch9000:Feature-shim-openssl-add-ec-support.patch
@@ -54,7 +55,7 @@ Patch9002:Feature-shim-openssl-add-sm2-and-sm3-support.patch
 Patch9003:Feature-shim-cryptlib-support-sm2-signature-verify.patch
 Patch9004:Feature-shim-support-sm2-and-sm3-algorithm.patch
 
-BuildRequires: elfutils-libelf-devel openssl-devel openssl git pesign gnu-efi gnu-efi-devel gcc
+BuildRequires: elfutils-libelf-devel openssl-devel openssl git pesign gnu-efi gnu-efi-devel gcc vim-common efivar-devel
 %ifarch aarch64
 BuildRequires: binutils >= 2.37-7
 %endif
@@ -146,6 +147,9 @@ install -m 644 shim%{efi_arch}.efi.debug ${RPM_BUILD_ROOT}/usr/lib/debug/%{shime
 
 cd ..
 
+%check
+make test
+
 %files
 %license COPYRIGHT
 %{shimBOOT}/fb%{efi_arch}.efi
@@ -166,6 +170,9 @@ cd ..
 /usr/src/debug/%{name}-%{version}-%{release}/*
 
 %changelog
+* Tue Feb 14 2023 jinlun <jinlun@huawei.com> - 15.6-9
+- fix CVE-2023-0286 and add code check
+
 * Tue Dec 13 2022 jinlun <jinlun@huawei.com> - 15.6-8
 - add edition number