diff --git a/0001-Add-primitives-for-overflow-checked-arithmetic-opera.patch b/0001-Add-primitives-for-overflow-checked-arithmetic-opera.patch
new file mode 100644
index 0000000000000000000000000000000000000000..74fcc4561c4221434886f6b13f573dfed83701f9
--- /dev/null
+++ b/0001-Add-primitives-for-overflow-checked-arithmetic-opera.patch
@@ -0,0 +1,51 @@
+From f27182695d88350b48c8b9a6dce54bb513d7aa4e Mon Sep 17 00:00:00 2001
+From: Peter Jones
+Date: Thu, 27 Jul 2023 15:13:08 -0400
+Subject: [PATCH] Add primitives for overflow-checked arithmetic operations.
+
+We need to do arithmetic on untrusted values sometimes, so this patch
+adds the following primitives as macros that wrap the compiler builtins.
+
+ bool checked_add(TYPE addend0, TYPE addend1, TYPE *sum)
+ bool checked_sub(TYPE minuend, TYPE subtrahend, TYPE *difference)
+ bool checked_mul(TYPE factor0, TYPE factor1, TYPE *product)
+
+And also the following primitive which returns True if divisor is 0 and
+False otherwise:
+
+ bool checked_div(TYPE dividend, TYPE divisor, TYPE *quotient)
+
+Signed-off-by: Peter Jones
+---
+ include/compiler.h | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/include/compiler.h b/include/compiler.h
+index b0d595f..545a72e 100644
+--- a/include/compiler.h
++++ b/include/compiler.h
+@@ -198,5 +198,21 @@
+ #error shim has no cache_invalidate() implementation for this compiler
+ #endif /* __GNUC__ */
+
++#define checked_add(addend0, addend1, sum) \
++ __builtin_add_overflow(addend0, addend1, sum)
++#define checked_sub(minuend, subtrahend, difference) \
++ __builtin_sub_overflow(minuend, subtrahend, difference)
++#define checked_mul(factor0, factor1, product) \
++ __builtin_mul_overflow(factor0, factor1, product)
++#define checked_div(dividend, divisor, quotient) \
++ ({ \
++ bool _ret = True; \
++ if ((divisor) != 0) { \
++ _ret = False; \
++ (quotient) = (dividend) / (divisor); \
++ } \
++ _ret; \
++ })
++
+ #endif /* !COMPILER_H_ */
+ // vim:fenc=utf-8:tw=75:et
+--
+2.39.3
+
diff --git a/fix-CVE-2023-40546.patch b/fix-CVE-2023-40546.patch
new file mode 100644
index 0000000000000000000000000000000000000000..929b24249a31129362a493ef8103ebf7b4800022
--- /dev/null
+++ b/fix-CVE-2023-40546.patch
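Review bot: The checked_div macro added to include/compiler.h assigns through `(quotient) = (dividend) / (divisor);`, so its third argument is an lvalue, while the commit message documents it as `TYPE *quotient` and the three `__builtin_*_overflow` wrappers beside it take a pointer to the result; a caller passing `&x` as it would for checked_add will not compile, and one passing `x` silently uses a different calling convention from the sibling macros. Changing the assignment to `*(quotient) = (dividend) / (divisor);` makes the four primitives uniform. Separately, `divisor` is evaluated twice (once in the test and once in the division), so an argument with side effects is evaluated twice, and for signed operands the `INT_MIN / -1` case is still undefined and not caught; since the stated purpose is arithmetic on untrusted values, both limits deserve a comment on the macro.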
@@ -0,0 +1,42 @@
+From 66e6579dbf921152f647a0c16da1d3b2f40861ca Mon Sep 17 00:00:00 2001
+From: Peter Jones
+Date: Wed, 7 Jun 2023 13:15:49 -0400
+Subject: [PATCH] CVE-2023-40546 mok: fix LogError() invocation
+
+On some ARM platform, jlinton noticed that when we fail to set a
+variable (because it isn't supported at all, presumably), our error
+message has an extra argument that doesn't match the format string.
+
+This patch removes the extra argument.
+
+Resolves: CVE-2023-40546
+Signed-off-by: Peter Jones
+---
+ mok.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/mok.c b/mok.c
+index be1eaa1..0ac3415 100644
+--- a/mok.c
++++ b/mok.c
+@@ -291,7 +291,7 @@ mirror_one_esl(CHAR16 *name, EFI_GUID *guid, UINT32 attrs,
+ &var, &varsz);
+ if (EFI_ERROR(efi_status) || !var || !varsz) {
+ LogError(L"Couldn't allocate %lu bytes for mok variable \"%s\": %r\n",
+- varsz, var, efi_status);
++ varsz, name, efi_status);
+ return efi_status;
+ }
+
+@@ -302,7 +302,7 @@ mirror_one_esl(CHAR16 *name, EFI_GUID *guid, UINT32 attrs,
+ FreePool(var);
+ if (EFI_ERROR(efi_status)) {
+ LogError(L"Couldn't create mok variable \"%s\": %r\n",
+- varsz, var, efi_status);
++ name, efi_status);
+ return efi_status;
+ }
+
+--
+2.39.3
+
diff --git a/fix-CVE-2023-40549.patch b/fix-CVE-2023-40549.patch
new file mode 100644
index 0000000000000000000000000000000000000000..42bb8975740cc3e621462fa85d3c9508874f98bf
--- /dev/null
+++ b/fix-CVE-2023-40549.patch
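Review bot: In the first mok.c hunk the guard `if (EFI_ERROR(efi_status) || !var || !varsz)` also fires when the call whose trailing arguments `&var, &varsz` are visible returned a non-error status with no data, and on that path `return efi_status;` hands a success status back to the caller right after logging an error; mirror_one_esl() starts and ends outside the hunk, so how callers react is not visible, but `return EFI_ERROR(efi_status) ? efi_status : EFI_NOT_FOUND;` would make the failure explicit. The message text `Couldn't allocate %lu bytes` is also misleading on the `!var || !varsz` branch, where nothing was allocated and varsz may be 0; rewording it to describe a failed or empty variable read would match the condition it reports. If `var` can be non-NULL when `varsz` is 0, this early return presumably also skips the `FreePool(var)` seen in the second hunk — worth confirming against the allocation contract of that call.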
@@ -0,0 +1,62 @@
+From afdc5039de0a4a3a40162a32daa070f94a883f09 Mon Sep 17 00:00:00 2001
+From: Peter Jones
+Date: Thu, 27 Jul 2023 14:58:55 -0400
+Subject: [PATCH] CVE-2023-40549 Authenticode: verify that the signature header
+ is in bounds.
+
+In the validation logic in verify_buffer_authenticode(), there is yet
+another case where we need to guarantee an object is in the binary but
+we're only validating the pointer to it. In this case, we're validating
+that the actual signature data is in the binary, but unfortunately we
+failed to validate that the header describing it is, so a malformed
+binary can cause us to take an out-of-bounds read (probably but not
+necessarily on the same page) past the end of the buffer.
+
+This patch adds a bounds check to verify that the signature is
+actually within the bounds.
+
+It seems unlikely this can be used for more than a denial of service,
+and if you can get shim to try to verify a malformed binary, you've
+effectively already accomplished a DoS.
+
+Resolves: CVE-2023-40549
+Reported-by: gkirkpatrick@google.com
+Signed-off-by: Peter Jones
+---
+ shim.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/shim.c b/shim.c
+index 3a97067..3fd1e2a 100644
+--- a/shim.c
++++ b/shim.c
+@@ -627,11 +627,13 @@ verify_buffer_authenticode (char *data, int datasize,
+ return EFI_SECURITY_VIOLATION;
+ }
+
+- if (context->SecDir->Size >= size) {
++ if (checked_add(context->SecDir->Size, context->SecDir->VirtualAddress, &offset) ||
++ offset > size) {
+ perror(L"Certificate Database size is too large\n");
+ return EFI_INVALID_PARAMETER;
+ }
+
++ offset = 0;
+ ret_efi_status = EFI_NOT_FOUND;
+ do {
+ WIN_CERTIFICATE_EFI_PKCS *sig = NULL;
+@@ -642,6 +644,11 @@ verify_buffer_authenticode (char *data, int datasize,
+ if (!sig)
+ break;
+
++ if ((uint64_t)&sig[1] > (uint64_t)data + datasize) {
++ perror(L"Certificate size is too large for secruity database");
++ return EFI_INVALID_PARAMETER;
++ }
++
+ sz = offset + offsetof(WIN_CERTIFICATE_EFI_PKCS, Hdr.dwLength) +
+ sizeof(sig->Hdr.dwLength);
+ if (sz > context->SecDir->Size) {
+--
+2.39.3
+
diff --git a/fix-CVE-2023-40550.patch b/fix-CVE-2023-40550.patch
new file mode 100644
index 0000000000000000000000000000000000000000..9e0374f67910d3b948fc61e61cef178e00503083
--- /dev/null
+++ b/fix-CVE-2023-40550.patch
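Review bot: The new perror() string in the second shim.c hunk, `L"Certificate size is too large for secruity database"`, misspells "security" and, unlike the other perror() calls in this patch (`L"Certificate Database size is too large\n"`), has no trailing newline, so it will run into the next line of console output; change it to `perror(L"Certificate size is too large for security database\n");`. The bounds test `(uint64_t)&sig[1] > (uint64_t)data + datasize` adds `int datasize` (from the signature in the hunk header) to a pointer value; the check is only sound if datasize has already been validated as non-negative and the computation of `sig` (outside this hunk) cannot wrap below `data`, both of which are established elsewhere in verify_buffer_authenticode() and would merit a one-line comment here, and the same expression is repeated in the fix-CVE-2023-40550.patch hunk. In the first hunk, `offset` is used as scratch for the checked_add() sum and then reset with `offset = 0;`; a dedicated local such as `size_t secdir_end;` would make it clearer that the loop's offset is unrelated to that sum.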
@@ -0,0 +1,47 @@
+From 93ce2552f3e9f71f888a672913bfc0eef255c56d Mon Sep 17 00:00:00 2001
+From: Peter Jones
+Date: Thu, 27 Jul 2023 14:57:32 -0400
+Subject: [PATCH 1/2] CVE-2023-40550 pe: Fix an out-of-bound read in
+ verify_buffer_sbat()
+
+In verify_buffer_sbat(), we have a goal-seeking loop to find the .sbat
+section header. Unfortunately, while the actual contents of the section
+are checked for being inside the binary, no such check exists for the
+contents of the section table entry.
+
+As a result, a carefully constructed binary will cause an out-of-bounds
+read checking if the section name is ".sbat\0\0\0" or not.
+
+This patch adds a check that each section table entry is within the
+bounds of the binary.
+
+It's not currently known if this is actually exploitable beyond creating
+a denial of service, and an attacker who is in a position to use it for
+a denial of service attack must already be able to do so.
+
+Resolves: CVE-2023-40550
+Reported-by: gkirkpatrick@google.com
+Signed-off-by: Peter Jones
+---
+ shim.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/shim.c b/shim.c
+index 01e5e56..3a97067 100644
+--- a/shim.c
++++ b/shim.c
+@@ -709,6 +709,11 @@ verify_buffer_sbat (char *data, int datasize,
+
+ Section = context->FirstSection;
+ for (i = 0; i < context->NumberOfSections; i++, Section++) {
++ if ((uint64_t)&Section[1] > (uint64_t)data + datasize) {
++ perror(L"Section exceeds bounds of image\n");
++ return EFI_UNSUPPORTED;
++ }
++
+ if (CompareMem(Section->Name, ".sbat\0\0\0", 8) != 0)
+ continue;
+
+--
+2.39.3
+
diff --git a/shim.spec b/shim.spec
index 50ac22422c1ff6fc8ce62730003c2987cd86b3fe..136674db0799f821b63ab38c4c7e5ce1566a93bc 100644
--- a/shim.spec
+++ b/shim.spec
@@ -1,4 +1,4 @@
-%define anolis_release 2
+%define anolis_release 3
%global grub_version 2.06
%global fwupd_version 1.5.8
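Review bot: The new bounds check in the verify_buffer_sbat() hunk returns `EFI_UNSUPPORTED` for a section table entry that runs past the image, whereas the equivalent out-of-bounds checks added to verify_buffer_authenticode() in fix-CVE-2023-40549.patch return `EFI_INVALID_PARAMETER`; both reject a malformed image rather than an unsupported feature, so `return EFI_INVALID_PARAMETER;` here would keep the two paths consistent, unless a caller specifically distinguishes EFI_UNSUPPORTED on this path (the function starts and ends outside the hunk, so that is not visible). The check is correctly placed before `CompareMem(Section->Name, ".sbat\0\0\0", 8)` so the name read cannot run past the buffer; a comment such as `/* the section table comes from the untrusted image: make sure this entry lies inside it before reading its name */` would record why it precedes the compare rather than the later contents check the commit message mentions. The comparison presumably relies on `context->FirstSection` already pointing inside the buffer, which is established outside this hunk.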
@@ -34,6 +34,10 @@ Source1: shim.conf
Source100: shim-find-debuginfo.sh
Patch0001: 0001-aarch64-Keep-_relocate-from-being-dirtied-by-_reloca.patch
+Patch0002: 0001-Add-primitives-for-overflow-checked-arithmetic-opera.patch
+Patch0003: fix-CVE-2023-40546.patch
+Patch0004: fix-CVE-2023-40549.patch
+Patch0005: fix-CVE-2023-40550.patch
BuildRequires: efi-filesystem
BuildRequires: efi-srpm-macros >= 5
@@ -161,6 +165,9 @@ install -m 0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/dnf/protected.d/
%files debugsource -f build-%{efiarch}/debugsource.list
%changelog
+* Thu Dec 19 2024 Kaiqiang Wang - 15.7-3
+- fix CVE-2023-40546 CVE-2023-40549 CVE-2023-40550
+
* Thu Apr 13 2023 Chunmei Xu - 15.7-2
- optimise spec file
- replace shim-unsigned-x64/aa64