diff --git a/backport-CVE-2013-4235.patch b/backport-CVE-2013-4235.patch
new file mode 100644
index 0000000000000000000000000000000000000000..9506bc125067b629e964579d904a53169c0ba673
--- /dev/null
+++ b/backport-CVE-2013-4235.patch
@@ -0,0 +1,34 @@
+From b4472167c2f5057d56686d3349a9b55fc508efe6 Mon Sep 17 00:00:00 2001
+From: ed neville
+Date: Fri, 31 Dec 2021 22:40:13 +0000
+Subject: [PATCH] Adding nofollow to opens
+
+Conflict: NA
+Reference: https://github.com/shadow-maint/shadow/commit/b4472167c2f5057d56686d3349a9b55fc508efe6
+
+---
+ libmisc/copydir.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libmisc/copydir.c b/libmisc/copydir.c
+index f2130bcac..a296d925d 100644
+--- a/libmisc/copydir.c
++++ b/libmisc/copydir.c
+@@ -741,7 +741,7 @@ static int copy_file (const char *src, const char *dst,
+ char buf[1024];
+ ssize_t cnt;
+
+- ifd = open (src, O_RDONLY);
++ ifd = open (src, O_RDONLY|O_NOFOLLOW);
+ if (ifd < 0) {
+ return -1;
+ }
+@@ -751,7 +751,7 @@ static int copy_file (const char *src, const char *dst,
+ return -1;
+ }
+ #endif /* WITH_SELINUX */
+- ofd = open (dst, O_WRONLY | O_CREAT | O_TRUNC, statp->st_mode & 07777);
++ ofd = open (dst, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, statp->st_mode & 07777);
+ if ( (ofd < 0)
+ || (fchown_if_needed (ofd, statp,
+ old_uid, new_uid, old_gid, new_gid) != 0)
diff --git a/shadow.spec b/shadow.spec
index cfc680b6a78a996770c0ad67d998fcda9b673e0b..553bf685145c2f0c418bf55c623576d6264d64c9 100644
--- a/shadow.spec
+++ b/shadow.spec
@@ -1,6 +1,6 @@
 Name: shadow
 Version: 4.9
-Release: 11
+Release: 12
 Epoch: 2
 License: BSD and GPLv2+
 Summary: Tools for managing accounts and shadow password files
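Review bot: In backport-CVE-2013-4235.patch, the `O_NOFOLLOW` added to both `open()` calls in copy_file only rejects a symlink in the final component of `src` and `dst`; a symlink swapped into any parent directory is still resolved, so on its own this narrows the race rather than closing it. The `dst` open also keeps `O_CREAT | O_TRUNC` without `O_EXCL`, so an existing regular file or hard link at that path would still be opened and truncated (whether callers guarantee `dst` is absent is not visible here). I would record the limit next to the second open, e.g. `/* O_NOFOLLOW guards only the last path component; parent directories of src/dst are still resolved by path */`, and confirm whether upstream carries further changes for this CVE before the spec changelog says "fix CVE-2013-4235". copy_file starts and ends outside both hunks, so the error paths after a failed open cannot be reviewed from this patch.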
@@ -72,6 +72,7 @@ Patch52: backport-Fix-yescrypt-support.patch Patch53: backport-newgrp-fix-potential-string-injection.patch Patch54: backport-script-to-kill-subjects-processes-from-userdel.patch Patch55: backport-shadow-userdel-add-the-adaptation-to-the-busybox-ps-.patch +Patch56: backport-CVE-2013-4235.patch BuildRequires: gcc, libselinux-devel, audit-libs-devel, libsemanage-devel BuildRequires: libacl-devel, libattr-devel @@ -238,6 +239,9 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.la %{_mandir}/*/* %changelog +* Mon Nov 20 2023 wangqingsan - 2:4.9-12 +- fix CVE-2013-4235 + * Wed Sep 20 2023 wangyunjia - 2:4.9-11 - backport some patches