diff --git a/backport-CVE-2020-24370.patch b/backport-CVE-2020-24370.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b7ce072ea51518e6ac8ebed9846e9118bf3fe7c5
--- /dev/null
+++ b/backport-CVE-2020-24370.patch
@@ -0,0 +1,36 @@
+From b5bc89846721375fe30772eb8c5ab2786f362bf9 Mon Sep 17 00:00:00 2001
+From: Roberto Ierusalimschy
+Date: Mon, 3 Aug 2020 16:25:28 -0300
+Subject: [PATCH] Fixed bug: Negation overflow in getlocal/setlocal
+
+---
+ com32/lua/src/ldebug.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/com32/lua/src/ldebug.c b/com32/lua/src/ldebug.c
+index e1389296e..bb0e1d4ac 100644
+--- a/com32/lua/src/ldebug.c
++++ b/com32/lua/src/ldebug.c
+@@ -133,10 +133,11 @@ static const char *upvalname (Proto *p, int uv) {
+
+ static const char *findvararg (CallInfo *ci, int n, StkId *pos) {
+ int nparams = clLvalue(ci->func)->p->numparams;
+- if (n >= ci->u.l.base - ci->func - nparams)
++ int nvararg = ci->u.l.base - ci->func - nparams;
++ if (n <= -nvararg)
+ return NULL; /* no such vararg */
+ else {
+- *pos = ci->func + nparams + n;
++ *pos = ci->func + nparams - n;
+ return "(*vararg)"; /* generic name for any vararg */
+ }
+ }
+@@ -148,7 +149,7 @@ static const char *findlocal (lua_State *L, CallInfo *ci, int n,
+ StkId base;
+ if (isLua(ci)) {
+ if (n < 0) /* access to vararg values? */
+- return findvararg(ci, -n, pos);
++ return findvararg(ci, n, pos);
+ else {
+ base = ci->u.l.base;
+ name = luaF_getlocalname(ci_func(ci)->p, n, currentpc(ci));
diff --git a/syslinux.spec b/syslinux.spec
index cc7b940110489b5e94262c8d0f8151118d00874e..c8b0a7a838e208c2f486aae66511e12b37a569a1 100644
--- a/syslinux.spec
+++ b/syslinux.spec
@@ -2,7 +2,7 @@ Name: syslinux
 Version: 6.04
-Release: 16
+Release: 17
 License: GPLv2+
 Summary: The Syslinux boot loader collection
 URL: http://syslinux.zytor.com/wiki/index.php/The_Syslinux_Project
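Review bot: In the backported findvararg, `n` now has to arrive still negative, but nothing in the function states or enforces that. The new bound `n <= -nvararg` and the offset `ci->func + nparams - n` are only meaningful for n < 0; a positive n would pass the check and set `*pos` outside the vararg slots. I would pin the contract at the top of the body with `lua_assert(n < 0);  /* 'n' is a negative vararg index */`, and confirm that findlocal is the only caller, since it is the only call site this patch updates. Separately, `int nvararg = ci->u.l.base - ci->func - nparams;` narrows a pointer difference to int implicitly; wrapping the subtraction in `cast_int(...)`, if that macro is in scope in this bundled ldebug.c, would make the narrowing deliberate. findlocal's body continues past the end of the second inner hunk, so its remaining paths are not reviewed here.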
@@ -28,6 +28,7 @@ Patch0005: backport-add-RPMOPTFLAGS-to-CFLAGS-for-some-stuff.patch
 Patch0006: backport-tweak-for-gcc-10.patch
 Patch0007: backport-zlib-update.patch
 Patch0008: backport-libpng-update-to-1.6.36.patch
+Patch0009: backport-CVE-2020-24370.patch
 %description
 The Syslinux Project covers lightweight bootloaders for MS-DOS FAT filesystems (SYSLINUX),
@@ -163,6 +164,9 @@ fi
 %{_datadir}/syslinux/efi64
 %changelog
+* Wed Mar 12 2025 lingsheng - 6.04-17
+- fix CVE-2020-24370
+
 * Thu Aug 29 2024 lingsheng - 6.04-16
 - update libpng 1.6.36 to fix CVE-2011-2501 CVE-2011-2690 CVE-2011-2691
 - CVE-2011-2692 CVE-2011-3045 CVE-2011-3048 CVE-2012-3425 CVE-2015-7981