diff --git a/backport-CVE-2024-29038.patch b/backport-CVE-2024-29038.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1b075dabd879743d63e2a533e0391e39786f14ab
--- /dev/null
+++ b/backport-CVE-2024-29038.patch
@@ -0,0 +1,30 @@
+From c9d57cae9316ab22d37db87a123e9255bfd21112 Mon Sep 17 00:00:00 2001
+From: rpm-build
+Date: Thu, 2 May 2024 09:53:57 +0800
+Subject: [PATCH] init
+
+---
+ tools/misc/tpm2_checkquote.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/tools/misc/tpm2_checkquote.c b/tools/misc/tpm2_checkquote.c
+index ca78238..6d1a9f6 100644
+--- a/tools/misc/tpm2_checkquote.c
++++ b/tools/misc/tpm2_checkquote.c
+@@ -115,6 +115,13 @@ static bool verify(void) {
+ goto err;
+ }
+
++ // check magic
++ if (ctx.attest.magic != TPM2_GENERATED_VALUE) {
++ LOG_ERR("Bad magic, got: 0x%x, expected: 0x%x",
++ ctx.attest.magic, TPM2_GENERATED_VALUE);
++ return false;
++ }
++
+ // Also ensure digest from quote matches PCR digest
+ if (ctx.flags.pcr) {
+ if (!tpm2_util_verify_digests(&ctx.attest.attested.quote.pcrDigest,
+--
+2.23.0
+
diff --git a/backport-CVE-2024-29039.patch b/backport-CVE-2024-29039.patch
new file mode 100644
index 0000000000000000000000000000000000000000..5b33ef8f03bc59f3f762c71315bc09dd0015f8fe
--- /dev/null
+++ b/backport-CVE-2024-29039.patch
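Review bot: The new magic check in verify() exits with `return false;`, while the context line just above it leaves through `goto err;`, so the function appears to have a cleanup label outside this hunk. If `err:` releases anything acquired earlier in verify() (not visible here), the bad-magic path skips it; replacing the return with `goto err;` would keep every failure on the same exit, assuming `result` is still false at that point. The patch header carries only `Subject: [PATCH] init` and `From: rpm-build`, so a line naming the upstream commit this was taken from would let the backport be audited against upstream.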
@@ -0,0 +1,78 @@
+From accff7c58b4d01aacdb4260b3e2a1e374a2be0df Mon Sep 17 00:00:00 2001
+From: rpm-build
+Date: Thu, 2 May 2024 09:57:07 +0800
+Subject: [PATCH] backport CVE-2024-29039
+
+---
+ tools/misc/tpm2_checkquote.c | 41 +++++++++++++++++++++++++++++++++++-
+ 1 file changed, 40 insertions(+), 1 deletion(-)
+
+diff --git a/tools/misc/tpm2_checkquote.c b/tools/misc/tpm2_checkquote.c
+index 6d1a9f6..c4fdff6 100644
+--- a/tools/misc/tpm2_checkquote.c
++++ b/tools/misc/tpm2_checkquote.c
+@@ -54,6 +54,37 @@ static tpm2_verifysig_ctx ctx = {
+ .pcr_hash = TPM2B_TYPE_INIT(TPM2B_DIGEST, buffer),
+ };
+
++static bool compare_pcr_selection(TPML_PCR_SELECTION *attest_sel, TPML_PCR_SELECTION *pcr_sel) {
++ if (attest_sel->count != pcr_sel->count) {
++ LOG_ERR("Selection sizes do not match.");
++ return false;
++ }
++ for (uint32_t i = 0; i < attest_sel->count; i++) {
++ for (uint32_t j = 0; j < pcr_sel->count; j++) {
++ if (attest_sel->pcrSelections[i].hash ==
++ pcr_sel->pcrSelections[j].hash) {
++ if (attest_sel->pcrSelections[i].sizeofSelect !=
++ pcr_sel->pcrSelections[j].sizeofSelect) {
++ LOG_ERR("Bitmask size does not match");
++ return false;
++ }
++ if (memcmp(&attest_sel->pcrSelections[i].pcrSelect[0],
++ &pcr_sel->pcrSelections[j].pcrSelect[0],
++ attest_sel->pcrSelections[i].sizeofSelect) != 0) {
++ LOG_ERR("Selection bitmasks do not match");
++ return false;
++ }
++ break;
++ }
++ if (j == pcr_sel->count - 1) {
++ LOG_ERR("Hash selections to not match.");
++ return false;
++ }
++ }
++ }
++ return true;
++}
++
+ static bool verify(void) {
+
+ bool result = false;
+@@ -381,7 +412,7 @@ static tool_rc init(void) {
+ }
+
+ TPM2B_ATTEST *msg = NULL;
+- TPML_PCR_SELECTION pcr_select;
++ TPML_PCR_SELECTION pcr_select = { 0 };
+ tpm2_pcrs *pcrs;
+ tpm2_pcrs temp_pcrs;
+ tool_rc return_value = tool_rc_general_error;
+@@ -544,6 +575,14 @@ static tool_rc init(void) {
+ goto err;
+ }
+
++ if (ctx.flags.pcr) {
++ if (!compare_pcr_selection(&ctx.attest.attested.quote.pcrSelect,
++ &pcr_select)) {
++ LOG_ERR("PCR selection does not match PCR slection from attest!");
++ goto err;
++ }
++ }
++
+ // Figure out the digest for this message
+ res = tpm2_openssl_hash_compute_data(ctx.halg, msg->attestationData,
+ msg->size, &ctx.msg_hash);
+--
+2.23.0
+
diff --git a/tpm2-tools.spec b/tpm2-tools.spec
index 602e534d4f6aad99ca648ee2b67213e66aeeee40..3b158e09d6c7b05b508af22c8533f74f3685148d 100644
--- a/tpm2-tools.spec
+++ b/tpm2-tools.spec
@@ -1,6 +1,6 @@
 Name: tpm2-tools
 Version: 5.0
-Release: 5
+Release: 6
 Summary: A TPM2.0 testing tool based on TPM2.0-TSS
 License: BSD
 URL: https://github.com/tpm2-software/tpm2-tools
@@ -9,6 +9,8 @@ Source0: https://github.com/tpm2-software/tpm2-tools/releases/download/%{v Patch0: backport-Don-t-assume-end-of-argv-is-NULL.patch Patch1: backport-CVE-2021-3565.patch Patch2: backport-clarify-return-values-from-string.patch +Patch3: backport-CVE-2024-29038.patch +Patch4: backport-CVE-2024-29039.patch BuildRequires: gcc-c++ libtool autoconf-archive pkgconfig(cmocka) pkgconfig(libcurl) pkgconfig(openssl) BuildRequires: pkgconfig(tss2-mu) pkgconfig(tss2-sys) pkgconfig(tss2-esys) pkgconfig(uuid) git libgcrypt
@@ -60,6 +62,9 @@ make check %{_mandir}/*/* %changelog +* Thu May 02 2024 cenhuilin - 5.0-6 +- fix CVE-2024-29038 CVE-2024-29039 + * Fri Dec 16 2022 jinlun - 5.0-5 - fix build error
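Review bot: compare_pcr_selection() only checks that each attest_sel entry has a same-hash counterpart in pcr_sel, never the reverse, so equal `count` values make it a full match only if no hash algorithm repeats in either list. That assumption is not stated anywhere; I would add a comment above the function such as `/* Assumes each hash algorithm occurs at most once per list; only attest_sel -> pcr_sel is checked. */`, or record which pcr_sel entries were matched and fail if any is left over. The loop bounds and the memcmp length come straight from `count` and `sizeofSelect`, so the function relies on earlier parsing (outside this hunk) to have bounded them against the array sizes; if that is not guaranteed, a guard like `if (attest_sel->pcrSelections[i].sizeofSelect > sizeof(attest_sel->pcrSelections[i].pcrSelect)) return false;` belongs before the memcmp. Two new log strings have typos: `"Hash selections to not match."` should read `do not`, and `"PCR slection"` should read `PCR selection`.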