diff --git a/CVE-2024-5290-lib_engine_trusted_path.patch b/CVE-2024-5290-lib_engine_trusted_path.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a9c760e22d6abe133835426f798b05b923fe411c
--- /dev/null
+++ b/CVE-2024-5290-lib_engine_trusted_path.patch
@@ -0,0 +1,114 @@
+Description: only load libraries from trusted path
+Author: Marc Deslauriers
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/wpa/+bug/2067613
+
+--- wpa-2.10.orig/src/crypto/tls_openssl.c
++++ wpa-2.10/src/crypto/tls_openssl.c
+@@ -862,6 +862,7 @@ static int tls_engine_load_dynamic_gener
+ return 0;
+ }
+ 
++#define TRUSTED_PATH "/usr/lib/"
+ 
+ /**
+ * tls_engine_load_dynamic_pkcs11 - load the pkcs11 engine provided by opensc
+@@ -871,6 +872,8 @@ static int tls_engine_load_dynamic_gener
+ static int tls_engine_load_dynamic_pkcs11(const char *pkcs11_so_path,
+ const char *pkcs11_module_path)
+ {
++ char real_pkcs11_so_path[PATH_MAX];
++ char real_pkcs11_module_path[PATH_MAX];
+ char *engine_id = "pkcs11";
+ const char *pre_cmd[] = {
+ "SO_PATH", NULL /* pkcs11_so_path */,
+@@ -888,15 +891,47 @@ static int tls_engine_load_dynamic_pkcs1
+ if (!pkcs11_so_path)
+ return 0;
+ 
+- pre_cmd[1] = pkcs11_so_path;
++ if (realpath(pkcs11_so_path, real_pkcs11_so_path) == NULL) {
++ wpa_printf(MSG_INFO, "ENGINE: Failed to load pkcs11 Engine from %s: realpath: %s",
++ pkcs11_so_path,
++ strerror(errno));
++ return -1;
++ }
++
++ if (strncmp(TRUSTED_PATH, real_pkcs11_so_path, strlen(TRUSTED_PATH)) != 0) {
++ wpa_printf(MSG_INFO, "ENGINE: Failed to load pkcs11 Engine from %s: Not in trusted path %s",
++ pkcs11_so_path,
++ TRUSTED_PATH);
++ return -1;
++ }
++
++ pre_cmd[1] = real_pkcs11_so_path;
+ pre_cmd[3] = engine_id;
+- if (pkcs11_module_path)
+- post_cmd[1] = pkcs11_module_path;
+- else
+- post_cmd[0] = NULL;
+ 
+- wpa_printf(MSG_DEBUG, "ENGINE: Loading pkcs11 Engine from %s",
+- pkcs11_so_path);
++ if (pkcs11_module_path) {
++ if (realpath(pkcs11_module_path, real_pkcs11_module_path) == NULL) {
++ wpa_printf(MSG_INFO, "ENGINE: Failed to load pkcs11 Module from %s: realpath: %s",
++ pkcs11_module_path,
++ strerror(errno));
++ return -1;
++ }
++
++ if (strncmp(TRUSTED_PATH, real_pkcs11_module_path, strlen(TRUSTED_PATH)) != 0) {
++ wpa_printf(MSG_INFO, 
"ENGINE: Failed to load pkcs11 Module from %s: Not in trusted path %s",
++ pkcs11_module_path,
++ TRUSTED_PATH);
++ return -1;
++ }
++
++ wpa_printf(MSG_DEBUG, "ENGINE: Loading pkcs11 Engine from %s with module %s",
++ real_pkcs11_so_path, real_pkcs11_module_path);
++
++ post_cmd[1] = real_pkcs11_module_path;
++ } else {
++ wpa_printf(MSG_DEBUG, "ENGINE: Loading pkcs11 Engine from %s",
++ real_pkcs11_so_path);
++ post_cmd[0] = NULL;
++ }
+ 
+ return tls_engine_load_dynamic_generic(pre_cmd, post_cmd, engine_id);
+ }
+@@ -908,6 +943,7 @@ static int tls_engine_load_dynamic_pkcs1
+ */
+ static int tls_engine_load_dynamic_opensc(const char *opensc_so_path)
+ {
++ char real_opensc_so_path[PATH_MAX];
+ char *engine_id = "opensc";
+ const char *pre_cmd[] = {
+ "SO_PATH", NULL /* opensc_so_path */,
+@@ -920,11 +956,25 @@ static int tls_engine_load_dynamic_opens
+ if (!opensc_so_path)
+ return 0;
+ 
+- pre_cmd[1] = opensc_so_path;
++ if (realpath(opensc_so_path, real_opensc_so_path) == NULL) {
++ wpa_printf(MSG_INFO, "ENGINE: Failed to load OpenSC Engine from %s: realpath: %s",
++ opensc_so_path,
++ strerror(errno));
++ return -1;
++ }
++
++ if (strncmp(TRUSTED_PATH, real_opensc_so_path, strlen(TRUSTED_PATH)) != 0) {
++ wpa_printf(MSG_INFO, "ENGINE: Failed to load OpenSC Engine from %s: Not in trusted path %s",
++ opensc_so_path,
++ TRUSTED_PATH);
++ return -1;
++ }
++
++ pre_cmd[1] = real_opensc_so_path;
+ pre_cmd[3] = engine_id;
+ 
+ wpa_printf(MSG_DEBUG, "ENGINE: Loading OpenSC Engine from %s",
+- opensc_so_path);
++ real_opensc_so_path);
+ 
+ return tls_engine_load_dynamic_generic(pre_cmd, NULL, engine_id);
+ }
diff --git a/wpa_supplicant.spec b/wpa_supplicant.spec
index 4a080c70d8ff3aa3d9b3b093544799cdf2108880..fefc2534ced750184fc8b8898c10b354d9f0b9aa 100644
--- a/wpa_supplicant.spec
+++ b/wpa_supplicant.spec
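Review bot: The prefix check `strncmp(TRUSTED_PATH, real_pkcs11_so_path, strlen(TRUSTED_PATH))` hard-codes `/usr/lib/`, so an engine or PKCS#11 module installed under `/usr/lib64/` is rejected with "Not in trusted path" even though that is the library directory on most 64-bit RPM targets, which is what wpa_supplicant.spec in this commit builds for; the same check is repeated for the module path and again in tls_engine_load_dynamic_opensc. The patch was written for Ubuntu (see its Bug-Ubuntu header), where `/usr/lib/` is right, so the constant should be overridable rather than fixed: `#ifndef TRUSTED_PATH` / `#define TRUSTED_PATH "/usr/lib/"` / `#endif`, with the spec passing the distro libdir into CFLAGS (constructed example: `-DTRUSTED_PATH='"%{_libdir}/"'`). Whatever value is used must keep the trailing slash, since the prefix compare is what stops a sibling directory such as `/usr/libfoo/` from matching, and realpath() must still be applied first so a symlink under the trusted directory cannot point outside it. The new code also relies on errno, strerror() and PATH_MAX being in scope and adds no includes; presumably an existing project header provides them, but that and the patch applying cleanly are worth confirming on the 2.11 tree this spec targets, as the patch headers reference wpa-2.10.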
@@ -1,7 +1,7 @@
 Name: wpa_supplicant
 Epoch: 1
 Version: 2.11
-Release: 4
+Release: 5
 Summary: A WPA Supplicant with support for WPA and WPA2 (IEEE 802.11i / RSN)
 License: BSD-3-Clause
 Url: https://w1.fi/wpa_supplicant/
@@ -15,6 +15,7 @@ Patch6001: Add-clang-support-for-qmake.patch
 %endif
 Patch6002: backport-CVE-2024-5290.patch
 Patch1: wpa_supplicant-Revert-Mark-authorization-completed-on-driver-indica.patch
+Patch2: CVE-2024-5290-lib_engine_trusted_path.patch
 BuildRequires: cmake(Qt5Core)
 BuildRequires: cmake(Qt5Gui)
@@ -105,6 +106,10 @@ install -m644 %{name}/doc/docbook/*.5 %{buildroot}%{_mandir}/man5
 %{_mandir}/man5/*
 %changelog
+* Fri Aug 29 2025 chenjianhu - 1:2.11-5
+- Backport patch to fix CVE-2024-5290
+
+
 * Wed Aug 13 2025 chenjianhu - 1:2.11-4
 - build with qt5