diff --git a/backport-CVE-2023-39804.patch b/backport-CVE-2023-39804.patch
new file mode 100644
index 0000000000000000000000000000000000000000..977c650f550d4787f665672aafb77e878f88ab22
--- /dev/null
+++ b/backport-CVE-2023-39804.patch
@@ -0,0 +1,59 @@
+From a339f05cd269013fa133d2f148d73f6f7d4247e4 Mon Sep 17 00:00:00 2001
+From: Sergey Poznyakoff <gray@gnu.org>
+Date: Sat, 28 Aug 2021 16:02:12 +0300
+Subject: Fix handling of extended header prefixes
+
+* src/xheader.c (locate_handler): Recognize prefix keywords only
+when followed by a dot.
+(xattr_decoder): Use xmalloc/xstrdup instead of alloc
+---
+ src/xheader.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/src/xheader.c b/src/xheader.c
+index 4f8b2b2..3cd694d 100644
+--- a/src/xheader.c
++++ b/src/xheader.c
+@@ -637,11 +637,11 @@ static struct xhdr_tab const *
+ locate_handler (char const *keyword)
+ {
+   struct xhdr_tab const *p;
+-
+   for (p = xhdr_tab; p->keyword; p++)
+     if (p->prefix)
+       {
+-        if (strncmp (p->keyword, keyword, strlen(p->keyword)) == 0)
++	size_t kwlen = strlen (p->keyword);
++        if (keyword[kwlen] == '.' && strncmp (p->keyword, keyword, kwlen) == 0)
+           return p;
+       }
+     else
+@@ -1716,19 +1716,20 @@ xattr_decoder (struct tar_stat_info *st,
+                char const *keyword, char const *arg, size_t size)
+ {
+   char *xstr, *xkey;
+-
++  
+   /* copy keyword */
+-  size_t klen_raw = strlen (keyword);
+-  xkey = alloca (klen_raw + 1);
+-  memcpy (xkey, keyword, klen_raw + 1) /* including null-terminating */;
++  xkey = xstrdup (keyword);
+ 
+   /* copy value */
+-  xstr = alloca (size + 1);
++  xstr = xmalloc (size + 1);
+   memcpy (xstr, arg, size + 1); /* separator included, for GNU tar '\n' */;
+ 
+   xattr_decode_keyword (xkey);
+ 
+-  xheader_xattr_add (st, xkey + strlen("SCHILY.xattr."), xstr, size);
++  xheader_xattr_add (st, xkey + strlen ("SCHILY.xattr."), xstr, size);
++
++  free (xkey);
++  free (xstr);
+ }
+ 
+ static void
+-- 
+cgit v1.1
diff --git a/tar.spec b/tar.spec
index 562f936bada7f9d743f173fabd8a8014e1495bea..29cd530295d0c0a0a83151acdc45da00f8cc2938 100644
--- a/tar.spec
+++ b/tar.spec
@@ -1,6 +1,6 @@
 Name:          tar
 Version:       1.32
-Release:       3
+Release:       4
 Epoch:         2
 Summary:       An organized and systematic method of controlling a large amount of data
 License:       GPLv3+
@@ -19,6 +19,7 @@ Patch0002:     tar-1.28-vfatTruncate.patch
 Patch0003:     tar-1.29-wildcards.patch
 Patch0004:     tar-1.28-atime-rofs.patch
 Patch0005:     tar-1.28-document-exclude-mistakes.patch
+Patch0006:     backport-CVE-2023-39804.patch
 
 %description
 GNU Tar provides the ability to create tar archives, as well as various other
@@ -77,6 +78,9 @@ make check
 %{_infodir}/tar.info*
 
 %changelog
+* Mon Dec 04 2023 liningjie <liningjie@xfusion.com> 2:1.32-4
+- fix CVE-2023-39804
+
 * Wed Feb 08 2023 wangjiang <wangjiang37@h-partners.com> 2:1.32-3
 - fix CVE-2022-48303