diff --git a/0002-fix-CVE-2024-1753.patch b/0002-fix-CVE-2024-1753.patch
new file mode 100644
index 0000000000000000000000000000000000000000..df9789a1776d35287245a65443701ba537f82632
--- /dev/null
+++ b/0002-fix-CVE-2024-1753.patch
@@ -0,0 +1,37 @@
+From 6417891690fc0bc85ca4335d7c6ecf8d19ead121 Mon Sep 17 00:00:00 2001
+From: bwzhang
+Date: Thu, 11 Apr 2024 13:53:33 +0800
+Subject: [PATCH] fix CVE-2024-1753
+
+---
+ internal/volumes/volumes.go | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/internal/volumes/volumes.go b/internal/volumes/volumes.go
+index f7ac14a..c07c67e 100644
+--- a/internal/volumes/volumes.go
++++ b/internal/volumes/volumes.go
+@@ -11,6 +11,7 @@ import (
+
+ "errors"
+
++ "github.com/containers/buildah/copier"
+ "github.com/containers/buildah/define"
+ "github.com/containers/buildah/internal"
+ internalParse "github.com/containers/buildah/internal/parse"
+@@ -189,7 +190,11 @@ func GetBindMount(ctx *types.SystemContext, args []string, contextDir string, st
+ // buildkit parity: support absolute path for sources from current build context
+ if contextDir != "" {
+ // path should be /contextDir/specified path
+- newMount.Source = filepath.Join(contextDir, filepath.Clean(string(filepath.Separator)+newMount.Source))
++ evaluated, err := copier.Eval(contextDir, newMount.Source, copier.EvalOptions{})
++ if err != nil {
++ return newMount, "", err
++ }
++ newMount.Source = evaluated
+ } else {
+ // looks like its coming from `build run --mount=type=bind` allow using absolute path
+ // error out if no source is set
+--
+2.20.1
+
diff --git a/buildah.spec b/buildah.spec
index 41403f630b68d2e928dcffe52e7ee3fe140045fb..d78b56b64a99fc983a39c2e22e4e8abaefab5636 100644
--- a/buildah.spec
+++ b/buildah.spec
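Review bot: The new `copier.Eval` call resolves `newMount.Source` against `contextDir` once, at parse time, so a symlink inside the build context that is rewritten between this evaluation and the moment the bind mount is actually set up is not covered by it; if the mount is created later from `newMount.Source` (that code is outside the hunk), the call site should either re-validate the path or mount the evaluated path without following further links — worth confirming before relying on this backport alone. The backport also carries no test: a case where a context-relative source is a symlink to `/` or to `..`, asserting that the resolved source stays under `contextDir`, would pin the CVE-2024-1753 behavior in this tree. The error from `copier.Eval` is returned bare; if `fmt` is already imported in volumes.go, `return newMount, "", fmt.Errorf("evaluating bind-mount source %q: %w", newMount.Source, err)` would say which mount broke a failing build. `GetBindMount` begins and ends outside the hunk.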
@@ -22,7 +22,7 @@ Name: buildah Version: 1.34.1 -Release: 2 +Release: 3 Summary: A command line tool used for creating OCI Images License: Apache-2.0 and BSD-2-Clause and BSD-3-Clause and ISC and MIT and MPL-2.0 URL: https://%{name}.io @@ -30,6 +30,7 @@ Source: %{git0}/archive/refs/tags/v%{version}.tar.gz Source1: https://github.com/cpuguy83/go-md2man/archive/refs/tags/v2.0.2.tar.gz Patch0001: 0001-fix-CVE-2024-24786.patch +Patch0002: 0002-fix-CVE-2024-1753.patch BuildRequires: device-mapper-devel BuildRequires: git-core @@ -77,7 +78,7 @@ Requires: git-daemon This package contains system tests for %{name} %prep -%autosetup -Sgit -n %{name}-%{version} +%autosetup -Sgit -n %{name}-%{version} -p1 tar -xf %SOURCE1 %build @@ -145,6 +146,12 @@ rm %{buildroot}%{_datadir}/%{name}/test/system/tools/build/* %{_datadir}/%{name}/test %changelog +* Thu Apr 11 2024 zhangbowei - 1.34.1-3 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC: fix CVE-2024-1753 + * Wed Apr 10 2024 zhangbowei - 1.34.1-2 - Type:bugfix - CVE:NA