diff --git a/dcraw-CVE-2017-13735.patch b/dcraw-CVE-2017-13735.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d867c8d112f04bc32d02dc88d43053a7ed287b5c
--- /dev/null
+++ b/dcraw-CVE-2017-13735.patch
@@ -0,0 +1,14 @@
+diff -urNp old/dcraw.c new/dcraw.c
+--- old/dcraw.c	2018-07-11 10:33:06.280425391 +0200
++++ new/dcraw.c	2018-07-11 10:45:52.722922118 +0200
+@@ -2250,6 +2250,10 @@ void CLASS kodak_radc_load_raw()
+     ((short *)buf)[i] = 2048;
+   for (row=0; row < height; row+=4) {
+     FORC3 mul[c] = getbits(6);
++#ifdef LIBRAW_LIBRARY_BUILD
++    if(!mul[0] || !mul[1] || !mul[2])
++      throw LIBRAW_EXCEPTION_IO_CORRUPT;
++#endif
+     FORC3 {
+       val = ((0x1000000/last[c] + 0x7ff) >> 12) * mul[c];
+       s = val > 65564 ? 10:12;
diff --git a/dcraw-CVE-2017-14608.patch b/dcraw-CVE-2017-14608.patch
new file mode 100644
index 0000000000000000000000000000000000000000..8f7de249388952918560f741d8070a96ea3d91fd
--- /dev/null
+++ b/dcraw-CVE-2017-14608.patch
@@ -0,0 +1,21 @@
+diff -urNp old/dcraw.c new/dcraw.c
+--- old/dcraw.c	2018-07-11 10:53:51.141803505 +0200
++++ new/dcraw.c	2018-07-11 11:30:08.850528389 +0200
+@@ -2627,8 +2627,15 @@ void CLASS kodak_65000_load_raw()
+       len = MIN (256, width-col);
+       ret = kodak_65000_decode (buf, len);
+       for (i=0; i < len; i++)
+-	if ((RAW(row,col+i) =	curve[ret ? buf[i] :
+-		(pred[i & 1] += buf[i])]) >> 12) derror();
++	{
++	int idx = ret ? buf[i] : (pred[i & 1] += buf[i]);
++	if(idx >=0 && idx <= 0xffff)
++	 {
++	   if ((RAW(row,col+i) = curve[idx]) >> 12) derror();
++         }
++	 else
++	   derror();
++      }	
+     }
+ }
+ 
diff --git a/dcraw-CVE-2018-19655.patch b/dcraw-CVE-2018-19655.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1d0b02403acfa01471c12fdee00c652dab5a2776
--- /dev/null
+++ b/dcraw-CVE-2018-19655.patch
@@ -0,0 +1,39 @@
+Author: Filip Hroch <hroch@physics.muni.cz>
+Description: stack-based buffer overflow bug
+--- a/dcraw.c
++++ b/dcraw.c
+@@ -8345,9 +8345,15 @@
+ {
+   UINT64 bitbuf=0;
+   int vbits, col, i, c;
+-  ushort img[2][2064];
++  ushort *img;
+   double sum[]={0,0};
+ 
++#define IMG2D(row,col) \
++  img[(row)*width+(col)]
++
++  img = (ushort *) malloc(2*width*sizeof(ushort));
++  merror (img, "find_green()");
++
+   FORC(2) {
+     fseek (ifp, c ? off1:off0, SEEK_SET);
+     for (vbits=col=0; col < width; col++) {
+@@ -8356,13 +8362,14 @@
+ 	for (i=0; i < bite; i+=8)
+ 	  bitbuf |= (unsigned) (fgetc(ifp) << i);
+       }
+-      img[c][col] = bitbuf << (64-bps-vbits) >> (64-bps);
++      IMG2D(c,col) = bitbuf << (64-bps-vbits) >> (64-bps);
+     }
+   }
+   FORC(width-1) {
+-    sum[ c & 1] += ABS(img[0][c]-img[1][c+1]);
+-    sum[~c & 1] += ABS(img[1][c]-img[0][c+1]);
++    sum[ c & 1] += ABS(IMG2D(0,c)-IMG2D(1,c+1));
++    sum[~c & 1] += ABS(IMG2D(1,c)-IMG2D(0,c+1));
+   }
++  free(img);
+   return 100 * log(sum[0]/sum[1]);
+ }
+ 
diff --git a/dcraw.spec b/dcraw.spec
index d967c7b578127494c5a191c2519096096267e09a..116514cf027f837fa22e50d827e916b477baa73a 100644
--- a/dcraw.spec
+++ b/dcraw.spec
@@ -1,30 +1,32 @@
 Summary:             Tool for decoding raw image data from digital cameras
 Name:                dcraw
 Version:             9.28.0
-Release:             6
+Release:             7
 License:             GPLv2+
-URL:                 http://cybercom.net/~dcoffin/dcraw
+URL:                 https://www.dechifro.org/dcraw/
 Source0:             https://www.dechifro.org/dcraw/archive/dcraw-%{version}.tar.gz
-Patch0:              dcraw-CVE-2018-5801.patch
-Patch1:              dcraw-9.21-lcms2-error-reporting.patch
-BuildRequires:       gcc gettext libjpeg-devel lcms2-devel git
+Patch0:              dcraw-9.21-lcms2-error-reporting.patch
+Patch1:              dcraw-CVE-2018-5801.patch
+Patch2:              dcraw-CVE-2017-13735.patch
+Patch3:              dcraw-CVE-2017-14608.patch
+Patch4:              dcraw-CVE-2018-19655.patch
+BuildRequires:       gcc gettext libjpeg-devel lcms2-devel
 Provides:            bundled(dcraw)
 %description
 This package contains dcraw, a command line tool to decode raw image data
 downloaded from digital cameras.
 
 %prep
-%autosetup -n dcraw -p1 -S git
+%autosetup -n dcraw -p1
 
-%package             help
-Summary:             Documentation for user of dcraw
-Requires:            dcraw = %{version}-%{release}
-
-%description         help
+%package_help
 
 %build
-gcc %optflags $RPM_LD_FLAGS -lm -ljpeg -llcms2 -DNO_JASPER \
-    -DLOCALEDIR="\"%{_datadir}/locale\"" -o dcraw dcraw.c
+%{__cc} %{build_cflags} %{build_ldflags} -DNO_JASPER \
+    -o dcraw dcraw.c \
+    -ljpeg -llcms2 -lm \
+    -DLOCALEDIR="\"%{_datadir}/locale\""
+
 for catsrc in dcraw_*.po; do
     lang="${catsrc%.po}"
     lang="${lang#dcraw_}"
@@ -59,6 +61,10 @@ done
 %{_mandir}/man1/*
 
 %changelog
+* Sat Nov 02 2024 Funda Wang <fundawang@yeah.net> - 9.28.0-7
+- fix CVE-2017-13735, CVE-2017-14608, CVE-2018-19655
+  patches from fedora
+
 * Thu Nov 10 2022 caodongxia <caodongxia@h-partners.com> - 9.28.0-6
 - Modify invalid source0