diff --git a/CVE-2024-4853.patch b/CVE-2024-4853.patch
new file mode 100644
index 0000000000000000000000000000000000000000..fac29d96de0187c224611b3680c6d06ce26079e6
--- /dev/null
+++ b/CVE-2024-4853.patch
@@ -0,0 +1,33 @@
+From 3911c7b7d21b7708b9773d61e30b8b5507b62f65 Mon Sep 17 00:00:00 2001
+From: John Thacker <johnthacker@gmail.com>
+Date: Fri, 29 Mar 2024 09:42:44 -0400
+Subject: [PATCH] editcap: Don't memmove more than allocated in the buffer
+
+When moving from the begining with a beginning offset specified,
+don't run off the end. Subtract the source memory area's full offset
+from the beginning of the buffer from the capture length.
+
+Fix #19724
+
+
+(cherry picked from commit 7c744e7933794b09e7af4d9703194ad0b01be282)
+---
+ editcap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/editcap.c b/editcap.c
+index ef99e507b9f..6ac325751db 100644
+--- a/editcap.c
++++ b/editcap.c
+@@ -2594,7 +2594,7 @@ handle_chopping(chop_t chop, wtap_packet_header *out_phdr,
+         if (chop.off_begin_pos > 0) {
+             memmove(*buf + chop.off_begin_pos,
+                     *buf + chop.off_begin_pos + chop.len_begin,
+-                    out_phdr->caplen - chop.len_begin);
++                    out_phdr->caplen - (chop.off_begin_pos + chop.len_begin));
+         } else {
+             *buf += chop.len_begin;
+         }
+-- 
+GitLab
+
diff --git a/CVE-2024-4854.patch b/CVE-2024-4854.patch
new file mode 100644
index 0000000000000000000000000000000000000000..acb688c81d078a174158324537474ca94d04500e
--- /dev/null
+++ b/CVE-2024-4854.patch
@@ -0,0 +1,48 @@
+From e9965fe303422ee742ac98ea1da4f2fdeed67e4e Mon Sep 17 00:00:00 2001
+From: John Thacker <johnthacker@gmail.com>
+Date: Sat, 30 Mar 2024 08:07:26 -0400
+Subject: [PATCH] Mongo: Ensure the offset advances
+
+The MongoDB Wire Protocol uses _signed_ 32 bit integers for lengths.
+dissect_bson_document checks for bogus values and ensures that a
+non-negative (and at least 5) size is returned, but we need to make
+sure to use that return value instead of trusting the value read
+from the packet in dissect_op_msg_section.
+
+Fix #19726
+
+
+(cherry picked from commit 38c0efcee8d22d922e446888b268effc3ccf725f)
+---
+ epan/dissectors/packet-mongo.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/epan/dissectors/packet-mongo.c b/epan/dissectors/packet-mongo.c
+index db23a06312f..346b1324e12 100644
+--- a/epan/dissectors/packet-mongo.c
++++ b/epan/dissectors/packet-mongo.c
+@@ -831,7 +831,10 @@ dissect_op_msg_section(tvbuff_t *tvb, packet_info *pinfo, guint offset, proto_tr
+ 
+   switch (e_type) {
+     case KIND_BODY:
+-      dissect_bson_document(tvb, pinfo, offset, section_tree, hf_mongo_msg_sections_section_body);
++      section_len = dissect_bson_document(tvb, pinfo, offset, section_tree, hf_mongo_msg_sections_section_body);
++      /* If section_len is bogus (e.g., negative), dissect_bson_document sets
++       * an expert info and can return a different value than read above.
++       */
+       break;
+     case KIND_DOCUMENT_SEQUENCE: {
+       gint32 dsi_length;
+@@ -840,6 +843,9 @@ dissect_op_msg_section(tvbuff_t *tvb, packet_info *pinfo, guint offset, proto_tr
+       proto_tree *documents_tree;
+ 
+       proto_tree_add_item(section_tree, hf_mongo_msg_sections_section_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
++      /* This is redundant with the lengths in the documents, we don't use this
++       * size at all. We could still report an expert info if it's bogus.
++       */
+       offset += 4;
+       to_read -= 4;
+ 
+-- 
+GitLab
+
diff --git a/CVE-2024-4855.patch b/CVE-2024-4855.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7b0bdb01efaba80f15c4d48b78c0f1a005c0425c
--- /dev/null
+++ b/CVE-2024-4855.patch
@@ -0,0 +1,158 @@
+From 32bde22d9bfde5e0ad2700e3a6d6053d8fbae5b0 Mon Sep 17 00:00:00 2001
+From: John Thacker <johnthacker@gmail.com>
+Date: Sat, 20 Apr 2024 13:04:27 +0000
+Subject: [PATCH] editcap, libwiretap: Don't use array of initial DSBs after
+ freeing
+
+wtap_dump_close frees the passed in GArray of initial DSBs, used
+by editcap for injecting DSBs from a file or list of files.
+
+Add functions to increment and decrement the reference count of
+an array of wtap blocks. Dereference the block of initial DSBs
+in wtap_dump_close() instead of freeing it. In editcap, before
+closing the dump file in cases where we intend to open a new
+file (e.g., with a maximum time value or a maximum packet count),
+reference the block.
+
+Fix #19782, #19783, #19784.
+
+
+(cherry picked from commit be3550b3b138f39bebb87ac0b8490e75fc8cc847)
+
+Co-authored-by: John Thacker <johnthacker@gmail.com>
+---
+ editcap.c               |  9 +++++++++
+ wiretap/file_access.c   |  2 +-
+ wiretap/wtap.h          |  3 ++-
+ wiretap/wtap_opttypes.c | 26 ++++++++++++++++++++++++++
+ wiretap/wtap_opttypes.h | 23 +++++++++++++++++++++++
+ 5 files changed, 61 insertions(+), 2 deletions(-)
+
+diff --git a/editcap.c b/editcap.c
+index 6ac325751db..8c03af3f847 100644
+--- a/editcap.c
++++ b/editcap.c
+@@ -1943,6 +1943,10 @@ main(int argc, char *argv[])
+                 }
+                 while (nstime_cmp(&rec->ts, &block_next) > 0) { /* time for the next file */
+ 
++                    /* We presumably want to write the DSBs from files given
++                     * on the command line to every file.
++                     */
++                    wtap_block_array_ref(params.dsbs_initial);
+                     if (!wtap_dump_close(pdh, NULL, &write_err, &write_err_info)) {
+                         cfile_close_failure_message(filename, write_err,
+                                                     write_err_info);
+@@ -1978,6 +1982,11 @@ main(int argc, char *argv[])
+         if (split_packet_count != 0) {
+             /* time for the next file? */
+             if (written_count > 0 && (written_count % split_packet_count) == 0) {
++
++                /* We presumably want to write the DSBs from files given
++                 * on the command line to every file.
++                 */
++                wtap_block_array_ref(params.dsbs_initial);
+                 if (!wtap_dump_close(pdh, NULL, &write_err, &write_err_info)) {
+                     cfile_close_failure_message(filename, write_err,
+                                                 write_err_info);
+diff --git a/wiretap/file_access.c b/wiretap/file_access.c
+index 01317da07b7..ca4d2f69de0 100644
+--- a/wiretap/file_access.c
++++ b/wiretap/file_access.c
+@@ -2680,7 +2680,7 @@ wtap_dump_close(wtap_dumper *wdh, gboolean *needs_reload,
+ 		*needs_reload = wdh->needs_reload;
+ 	g_free(wdh->priv);
+ 	wtap_block_array_free(wdh->interface_data);
+-	wtap_block_array_free(wdh->dsbs_initial);
++	wtap_block_array_unref(wdh->dsbs_initial);
+ 	g_free(wdh);
+ 	return ret;
+ }
+diff --git a/wiretap/wtap.h b/wiretap/wtap.h
+index 93bcca42587..2b25c03f026 100644
+--- a/wiretap/wtap.h
++++ b/wiretap/wtap.h
+@@ -1478,7 +1478,8 @@ typedef struct addrinfo_lists {
+  * @note The shb_hdr and idb_inf arguments will be used until
+  *     wtap_dump_close() is called, but will not be free'd by the dumper. If
+  *     you created them, you must free them yourself after wtap_dump_close().
+- *     dsbs_initial will be freed by wtap_dump_close(),
++ *     dsbs_initial will be unreferenced by wtap_dump_close(), so to reuse
++ *     them for another dump file, call wtap_block_array_ref() before closing.
+  *     dsbs_growing typically refers to another wth->dsbs.
+  *     nrbs_growing typically refers to another wth->nrbs.
+  *
+diff --git a/wiretap/wtap_opttypes.c b/wiretap/wtap_opttypes.c
+index 7dfbf1a1885..98ffe4dd605 100644
+--- a/wiretap/wtap_opttypes.c
++++ b/wiretap/wtap_opttypes.c
+@@ -466,6 +466,32 @@ void wtap_block_array_free(GArray* block_array)
+     g_array_free(block_array, TRUE);
+ }
+ 
++void wtap_block_array_ref(GArray* block_array)
++{
++    unsigned block;
++
++    if (block_array == NULL)
++        return;
++
++    for (block = 0; block < block_array->len; block++) {
++        wtap_block_ref(g_array_index(block_array, wtap_block_t, block));
++    }
++    g_array_ref(block_array);
++}
++
++void wtap_block_array_unref(GArray* block_array)
++{
++    unsigned block;
++
++    if (block_array == NULL)
++        return;
++
++    for (block = 0; block < block_array->len; block++) {
++        wtap_block_unref(g_array_index(block_array, wtap_block_t, block));
++    }
++    g_array_unref(block_array);
++}
++
+ /*
+  * Make a copy of a block.
+  */
+diff --git a/wiretap/wtap_opttypes.h b/wiretap/wtap_opttypes.h
+index f3d9efbd846..91dafd6ca43 100644
+--- a/wiretap/wtap_opttypes.h
++++ b/wiretap/wtap_opttypes.h
+@@ -615,6 +615,29 @@ wtap_block_unref(wtap_block_t block);
+ WS_DLL_PUBLIC void
+ wtap_block_array_free(GArray* block_array);
+ 
++/** Decrement the reference count of an array of blocks
++ *
++ * Decrement the reference count of each block in the array
++ * and the GArray itself. Any element whose reference count
++ * drops to 0 will be freed. If the GArray and every block
++ * has a reference count of 1, this is the same as
++ * wtap_block_array_free().
++ *
++ * @param[in] block_array Array of blocks to be dereferenced
++ */
++WS_DLL_PUBLIC void
++wtap_block_array_unref(GArray* block_array);
++
++/** Increment the reference count of an array of blocks
++ *
++ * Increment the reference count of each block in the array
++ * and the GArray itself.
++ *
++ * @param[in] block_array Array of blocks to be referenced
++ */
++WS_DLL_PUBLIC void
++wtap_block_array_ref(GArray* block_array);
++
+ /** Provide type of a block
+  *
+  * @param[in] block Block from which to retrieve mandatory data
+-- 
+GitLab
+
diff --git a/wireshark.spec b/wireshark.spec
index 2434cf24d7b7e31424fd5010b36695306572ff66..c53f944a3078124f223bf32ea8e11bf011a8c8c6 100644
--- a/wireshark.spec
+++ b/wireshark.spec
@@ -5,7 +5,7 @@
 Summary:	Network traffic analyzer
 Name:		wireshark
 Version:	4.2.4
-Release:	1
+Release:	2
 Epoch:		1
 License:	GPL+
 Url:		http://www.wireshark.org/
@@ -15,13 +15,16 @@ Source1:        https://www.wireshark.org/download/src/all-versions/SIGNATURES-%
 Source2:	90-wireshark-usbmon.rules
 Source3:	wireshark.sysusers
 
-Patch2:		wireshark-0002-Customize-permission-denied-error.patch
-Patch3:		wireshark-0003-fix-string-overrun-in-plugins-profinet.patch
-Patch4:		wireshark-0004-Restore-Fedora-specific-groups.patch
-Patch5:		wireshark-0005-Fix-paths-in-a-wireshark.desktop-file.patch
-Patch6:		wireshark-0006-Move-tmp-to-var-tmp.patch
-Patch7:		wireshark-0007-cmakelists.patch
-Patch8:		wireshark-0008-pkgconfig.patch
+Patch2:         wireshark-0002-Customize-permission-denied-error.patch
+Patch3:         wireshark-0003-fix-string-overrun-in-plugins-profinet.patch
+Patch4:         wireshark-0004-Restore-Fedora-specific-groups.patch
+Patch5:         wireshark-0005-Fix-paths-in-a-wireshark.desktop-file.patch
+Patch6:         wireshark-0006-Move-tmp-to-var-tmp.patch
+Patch7:         wireshark-0007-cmakelists.patch
+Patch8:         wireshark-0008-pkgconfig.patch
+Patch9:         CVE-2024-4853.patch
+Patch10:        CVE-2024-4854.patch
+Patch11:        CVE-2024-4855.patch
 
 Requires:	xdg-utils
 Requires:	hicolor-icon-theme
@@ -200,6 +203,9 @@ exit 0
 %{_mandir}/man?/*
 
 %changelog
+* Wed May 15 2024 yaoxin <yao_xin001@hoperun.com> - 1:4.2.4-2
+- Fix CVE-2024-4853,CVE-2024-4854 and CVE-2024-4855
+
 * Wed Apr 24 2024 yaoxin <yao_xin001@hoperun.com> - 1:4.2.4-1
 - Upgrade to 4.2.4