diff --git a/Fix-CVE-2022-3560.patch b/Fix-CVE-2022-3560.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c99e3366a54123a1a891d4aa33b5d61fc462188c
--- /dev/null
+++ b/Fix-CVE-2022-3560.patch
@@ -0,0 +1,61 @@
+--- a/src/pesign-authorize 2023-02-14 16:34:30.937317398 +0800
++++ b/src/pesign-authorize 2023-02-14 16:36:55.343001392 +0800
+@@ -2,55 +2,11 @@
+ set -e
+ set -u
+ 
+-#
+-# With /run/pesign/socket on tmpfs, a simple way of restoring the
+-# acls for specific users is useful
+-#
+-# Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6
+-#
+-
+ # License: GPLv2
+-declare -a fileusers=()
+-declare -a dirusers=()
+-for user in $(cat /etc/pesign/users); do
+- dirusers[${#dirusers[@]}]=-m
+- dirusers[${#dirusers[@]}]="u:$user:rwx"
+- fileusers[${#fileusers[@]}]=-m
+- fileusers[${#fileusers[@]}]="u:$user:rw"
+-done
+-
+-declare -a filegroups=()
+-declare -a dirgroups=()
+-for group in $(cat /etc/pesign/groups); do
+- dirgroups[${#dirgroups[@]}]=-m
+- dirgroups[${#dirgroups[@]}]="g:$group:rwx"
+- filegroups[${#filegroups[@]}]=-m
+- filegroups[${#filegroups[@]}]="g:$group:rw"
+-done
+-
+-update_subdir() {
+- subdir=$1 && shift
+ 
+- setfacl -bk "${subdir}"
+- setfacl "${dirusers[@]}" "${dirgroups[@]}" "${subdir}"
+- for x in "${subdir}"* ; do
+- if [ -d "${x}" ]; then
+- setfacl -bk ${x}
+- setfacl "${dirusers[@]}" "${dirgroups[@]}" ${x}
+- update_subdir "${x}/"
+- elif [ -e "${x}" ]; then
+- setfacl -bk ${x}
+- setfacl "${fileusers[@]}" "${filegroups[@]}" ${x}
+- else
+- :;
+- fi
+- done
+-}
++# This script is deprecated and will be removed in a future release.
+ 
+ for x in /var/run/pesign/ /etc/pki/pesign*/ ; do
+- if [ -d "${x}" ]; then
+- update_subdir "${x}"
+- else
+- :;
+- fi
++ chown -R pesign:pesign "${x}" || true
++ chmod -R ug+rwX "${x}" || true
+ done
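Review bot: The `|| true` on the new `chown -R` and `chmod -R` lines defeats the `set -e` at the top of the script: a missing directory, an unmatched `/etc/pki/pesign*/` glob or a failed ownership change now exits 0 without any message, so a broken authorization state is invisible to whoever runs the script. Restoring the `[ -d "${x}" ] || continue` guard that the hunk deletes and dropping `|| true` keeps the skip-if-absent behaviour while letting real failures fail, i.e. `[ -d "${x}" ] || continue`, `chown -hR pesign:pesign "${x}"`, `chmod -R ug+rwX "${x}"`. The `-h` matters because `chown -R` without it presumably re-owns whatever a symlink found inside the tree points at rather than the link itself, so the effect could leave /var/run/pesign or /etc/pki/pesign*/; confirm against the coreutils version shipped by the distribution. The lines of the script before the inner hunk (its shebang) are not shown here.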
diff --git a/pesign.spec b/pesign.spec
index 87e83dbe506afb6b12d7683ea80d473aa4ae9494..5941bcccdf95d1e1cc10dacb0da496754f4c4bb0 100644
--- a/pesign.spec
+++ b/pesign.spec
@@ -2,7 +2,7 @@
 Name: pesign
 Summary: Signing utility for UEFI binaries
 Version: 0.113
-Release: 4
+Release: 5
 License: GPLv2
 URL: https://github.com/vathpela/pesign
 Source0: https://github.com/rhboot/pesign/archive/113.tar.gz
@@ -14,6 +14,7 @@
 BuildRequires: nspr nss nss-util popt-devel nss-tools nspr-devel >= 4.9.2-1
 BuildRequires: nss-devel >= 3.13.6-1 efivar-devel >= 31-1 libuuid-devel tar xz
 BuildRequires: python3-rpm-macros python3 systemd python3-devel
 Patch0001: Fix-the-build-with-nss-3.44.patch
+Patch0002: Fix-CVE-2022-3560.patch
 %description
 pesign is a command line tool for manipulating signatures and cryptographic digests of UEFI applications.
@@ -79,6 +80,9 @@ exit 0
 %{_mandir}/man*/*
 %changelog
+* Wed Feb 15 2023 luopihui - 0.113-5
+- Fix CVE-2022-3560
+
 * Sat Oct 10 2020 baizhonggui - 0.113-4
 - Fix the build with nss 3.44
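Review bot: Patch0002 is only declared in the second hunk; the %prep section that would apply it is outside this diff, so unless %prep uses `%autosetup -p1` (or gains a `%patch -P 2 -p1` line) the new patch is never applied while the changelog entry claims the CVE is fixed. Worth checking how Patch0001 is applied in %prep and mirroring it, and noting that the inner patch uses `a/src/...` paths, so it needs `-p1`. The release bump and changelog entry themselves are fine.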