diff --git a/backport-Only-strip-double-quotes-from-an-include-path-if-len.patch b/backport-Only-strip-double-quotes-from-an-include-path-if-len.patch
new file mode 100644
index 0000000000000000000000000000000000000000..89f7bd2c3c9267f2b3f6319c178365836700161e
--- /dev/null
+++ b/backport-Only-strip-double-quotes-from-an-include-path-if-len.patch
@@ -0,0 +1,108 @@
+From 665f8d2e3e52c3260bfc682044843a4183ecc210 Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller"
+Date: Wed, 3 Feb 2021 16:50:04 -0700
+Subject: [PATCH] Only strip double quotes from an include path if len >= 2.
+ Found locally using libfuzzer/oss-fuzz.
+
+---
+ plugins/sudoers/toke.c | 13 ++++++++-----
+ plugins/sudoers/toke.l | 13 ++++++++-----
+ 2 files changed, 16 insertions(+), 10 deletions(-)
+
+diff --git a/plugins/sudoers/toke.c b/plugins/sudoers/toke.c
+index 6717e4f..f8dd1e1 100644
+--- a/plugins/sudoers/toke.c
++++ b/plugins/sudoers/toke.c
+@@ -5201,26 +5201,29 @@ init_lexer(void)
+ * Returns a reference-counted string.
+ */
+ static char *
+-expand_include(const char *opath, size_t olen)
++expand_include(const char *opath)
+ {
+ const char *cp, *ep;
+ char *path, *pp;
+- int dirlen = 0, len;
++ size_t len, olen, dirlen = 0;
+ size_t shost_len = 0;
+ bool subst = false;
+ debug_decl(expand_include, SUDOERS_DEBUG_PARSER);
+
+ /* Strip double quotes if present. */
+- if (*opath == '"') {
++ olen = strlen(opath);
++ if (olen > 1 && opath[0] == '"' && opath[olen - 1] == '"') {
+ opath++;
+ olen -= 2;
+ }
++ if (olen == 0)
++ debug_return_ptr(NULL);
+
+ /* Relative paths are located in the same dir as the sudoers file. */
+ if (*opath != '/') {
+ char *dirend = strrchr(sudoers, '/');
+ if (dirend != NULL)
+- dirlen = (int)(dirend - sudoers) + 1;
++ dirlen = (size_t)(dirend - sudoers) + 1;
+ }
+
+ len = olen;
+@@ -5278,7 +5281,7 @@ push_include(const char *opath, bool isdir)
+ FILE *fp;
+ debug_decl(push_include, SUDOERS_DEBUG_PARSER);
+
+- if ((path = expand_include(opath, strlen(opath))) == NULL)
++ if ((path = expand_include(opath)) == NULL)
+ debug_return_bool(false);
+
+ /* push current state onto stack */
+diff --git a/plugins/sudoers/toke.l b/plugins/sudoers/toke.l
+index 499f3b1..22430ac 100644
+--- a/plugins/sudoers/toke.l
++++ b/plugins/sudoers/toke.l
+@@ -1006,26 +1006,29 @@ init_lexer(void)
+ * Returns a reference-counted string.
+ */
+ static char *
+-expand_include(const char *opath, size_t olen)
++expand_include(const char *opath)
+ {
+ const char *cp, *ep;
+ char *path, *pp;
+- int dirlen = 0, len;
++ size_t len, olen, dirlen = 0;
+ size_t shost_len = 0;
+ bool subst = false;
+ debug_decl(expand_include, SUDOERS_DEBUG_PARSER);
+
+ /* Strip double quotes if present. */
+- if (*opath == '"') {
++ olen = strlen(opath);
++ if (olen > 1 && opath[0] == '"' && opath[olen - 1] == '"') {
+ opath++;
+ olen -= 2;
+ }
++ if (olen == 0)
++ debug_return_ptr(NULL);
+
+ /* Relative paths are located in the same dir as the sudoers file. */
+ if (*opath != '/') {
+ char *dirend = strrchr(sudoers, '/');
+ if (dirend != NULL)
+- dirlen = (int)(dirend - sudoers) + 1;
++ dirlen = (size_t)(dirend - sudoers) + 1;
+ }
+
+ len = olen;
+@@ -1083,7 +1086,7 @@ push_include(const char *opath, bool isdir)
+ FILE *fp;
+ debug_decl(push_include, SUDOERS_DEBUG_PARSER);
+
+- if ((path = expand_include(opath, strlen(opath))) == NULL)
++ if ((path = expand_include(opath)) == NULL)
+ debug_return_bool(false);
+
+ /* push current state onto stack */
+--
+1.8.3.1
+
diff --git a/backport-Strict-tz-offset-parsing.patch b/backport-Strict-tz-offset-parsing.patch
new file mode 100644
index 0000000000000000000000000000000000000000..03534e427704888778489fe967c95ce83d111207
--- /dev/null
+++ b/backport-Strict-tz-offset-parsing.patch
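Review bot: After the quote strip in `expand_include`, the byte at `opath[olen]` is the closing `"` rather than a NUL, so every later use of `opath` has to be bounded by `olen` instead of treating it as a C string; the hunk ends right after `len = olen;`, so whether the later copies and any `%s`-style diagnostics respect that is not visible here and should be confirmed. Inputs with an unbalanced quote (`"foo` or `foo"`) now pass through unstripped and are used literally, which is safe but deserves a comment such as `/* An unbalanced quote is left in place and treated as part of the path. */`. The identical change is repeated for plugins/sudoers/toke.l in the second half of this patch; toke.c is presumably generated from toke.l, so the two copies have to stay in step when either is touched again. The body of expand_include continues outside the hunk.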
@@ -0,0 +1,32 @@
+From 439660c7fb02c17f43497fab3fa04bd59fe7ac53 Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller"
+Date: Sat, 30 Jan 2021 09:29:31 -0700
+Subject: [PATCH] Strict tz offset parsing. Fixes an out of bounds read found
+ locally using libfuzzer/oss-fuzz.
+
+---
+ plugins/sudoers/gentime.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/plugins/sudoers/gentime.c b/plugins/sudoers/gentime.c
+index efee05e..eb6d081 100644
+--- a/plugins/sudoers/gentime.c
++++ b/plugins/sudoers/gentime.c
+@@ -104,6 +104,14 @@ parse_gentime(const char *timestr)
+
+ /* No DST */
+ tm.tm_isdst = 0;
++ /* time zone offset must be hh or hhmm */
++ len = strspn(cp + 1, "0123456789");
++ if (len != 2 && len != 4) {
++ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
++ "unable to parse time zone offset in %s, bad tz offset",
++ timestr);
++ debug_return_time_t(-1);
++ }
+ /* parse time zone offset */
+ items = sscanf(cp + 1, "%2d%2d", &hour, &min);
+ if (items == EOF || items < 1) {
+--
+1.8.3.1
+
diff --git a/backport-Stricter-parsing-of-generalized-time.patch b/backport-Stricter-parsing-of-generalized-time.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b1962349f4a8404c9cbf38233cf35a2d9bceb71d
--- /dev/null
+++ b/backport-Stricter-parsing-of-generalized-time.patch
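Review bot: The new `strspn` check in `parse_gentime` guarantees that exactly two or four digits follow the sign, but nothing in the hunk looks at what comes after those digits, so a value such as `+0100x` (constructed example) passes this test unless the code after the hunk rejects trailing characters — worth confirming, since the following `sscanf` with `%2d%2d` stops reading silently. Reusing `len`, which earlier in this function holds the length of the date portion, for the offset digit count works only because `cp` has already been advanced past that portion; a short comment, e.g. `/* len is reused: now the count of tz-offset digits after the sign. */`, would save the next reader that derivation. The body of parse_gentime continues on both sides of the hunk.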
@@ -0,0 +1,67 @@
+From 995601c621b5f6d1e57bccf267308b37b0d7ad49 Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller"
+Date: Sat, 30 Jan 2021 05:39:23 -0700
+Subject: [PATCH] Stricter parsing of generalized time. Fixes potential out of
+ bounds read found by libfuzzer/oss-fuzz.
+
+---
+ plugins/sudoers/gentime.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/plugins/sudoers/gentime.c b/plugins/sudoers/gentime.c
+index 7f7cf7e..efee05e 100644
+--- a/plugins/sudoers/gentime.c
++++ b/plugins/sudoers/gentime.c
+@@ -1,7 +1,7 @@
+ /*
+ * SPDX-License-Identifier: ISC
+ *
+- * Copyright (c) 2017 Todd C. Miller
++ * Copyright (c) 2017, 2021 Todd C. Miller
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+@@ -47,7 +47,7 @@
+ time_t
+ parse_gentime(const char *timestr)
+ {
+- char tcopy[sizeof("yyyymmddHHMMSS.F")];
++ char tcopy[sizeof("yyyymmddHHMMSS")];
+ const char *cp;
+ time_t result;
+ struct tm tm;
+@@ -56,9 +56,9 @@ parse_gentime(const char *timestr)
+ bool islocal = false;
+ debug_decl(parse_gentime, SUDOERS_DEBUG_PARSER);
+
+- /* Make a copy of the time without time zone for easy parsing. */
+- len = strspn(timestr, "0123456789.,");
+- if (len >= sizeof(tcopy)) {
++ /* Make a copy of the non-fractional time without zone for easy parsing. */
++ len = strspn(timestr, "0123456789");
++ if (len >= sizeof(tcopy) || len < sizeof("yyyymmddHH") -1 || (len & 1)) {
+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
+ "unable to parse general time string %s", timestr);
+ debug_return_time_t(-1);
+@@ -75,9 +75,9 @@ parse_gentime(const char *timestr)
+ "only parsed %d items in general time string %s", items, timestr);
+ debug_return_time_t(-1);
+ }
+- cp = timestr + ((items + 1) * 2);
+
+ /* Parse optional fractional hours/minute/second if present. */
++ cp = timestr + len;
+ if ((cp[0] == '.' || cp[0] == ',') && isdigit((unsigned char)cp[1])) {
+ int frac = cp[1] - '0';
+ switch (items) {
+@@ -96,6 +96,7 @@ parse_gentime(const char *timestr)
+ cp += 2; /* skip over radix and fraction */
+ }
+
++ /* Parse optional time zone. */
+ switch (*cp) {
+ case '-':
+ case '+': {
+--
+1.8.3.1
+
diff --git a/sudo.spec b/sudo.spec
index 6689ce3f3143a1d310354b1cb42a10ec77dc5ed0..8169349225fbf3fd0a5c4ce1f15c4a8e0323f281 100644
--- a/sudo.spec
+++ b/sudo.spec
@@ -1,6 +1,6 @@
 Name: sudo
 Version: 1.9.2
-Release: 4
+Release: 5
 Summary: Allows restricted root access for specified users
 License: ISC
 URL: http://www.courtesan.com/sudo/
@@ -20,6 +20,9 @@ Patch6: backport-0004-CVE-2021-3156-Fix-the-memset-offset.patch
 Patch7: backport-0005-CVE-2021-3156-Dont-assume-that-argv.patch
 Patch8: backport-Fix-runstatedir-handling-for-distros-that-do-not-support-it.patch
 Patch9: backport-In-json_stack_push-treat-stack-exhaustion-like-memory-allocation-failure.patch
+Patch10: backport-Stricter-parsing-of-generalized-time.patch
+Patch11: backport-Strict-tz-offset-parsing.patch
+Patch12: backport-Only-strip-double-quotes-from-an-include-path-if-len.patch
 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Requires: pam
@@ -160,6 +163,12 @@ install -p -c -m 0644 %{SOURCE3} $RPM_BUILD_ROOT/etc/pam.d/sudo-i
 %exclude %{_pkgdocdir}/ChangeLog
 %changelog
+* Thu Dec 23 2021 panxiaohe - 1.9.2-5
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:fix an out of bounds read and another issue found by fuzz
+
 * Thu Sep 16 2021 yixiangzhike - 1.9.2-4
 - Type:bugfix
 - ID:NA
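Review bot: The new length test `len >= sizeof(tcopy) || len < sizeof("yyyymmddHH") -1 || (len & 1)` in `parse_gentime` only encodes its intent implicitly: with the 15-byte `tcopy` it admits exactly 10, 12 or 14 digits (date plus hours, optionally minutes and seconds), which a reader has to reconstruct from three terms. A one-line comment stating that, e.g. `/* Accept yyyymmddHH, yyyymmddHHMM or yyyymmddHHMMSS only. */`, and the conventional spacing `sizeof("yyyymmddHH") - 1` would make the bound self-explanatory. The hunk also silently depends on the later `sscanf` never reading past `len` now that `cp = timestr + len` replaces the `items`-derived offset; that part of the function is outside the hunk.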