diff --git a/1000-fix-CVE-2024-12133.patch b/1000-fix-CVE-2024-12133.patch new file mode 100644 index 0000000000000000000000000000000000000000..3461b8d624d82dc2b36105b85158df2f1b8d73a0 --- /dev/null +++ b/1000-fix-CVE-2024-12133.patch 
@@ -0,0 +1,247 @@ +From c368f0abdf6dead010941cb1be7e091a54aa4937 Mon Sep 17 00:00:00 2001 +From: mgb01105731 +Date: Mon, 7 Jul 2025 21:56:21 -0400 +Subject: [PATCH 1/1] fix CVE-2024-12133 + +--- + lib/decoding.c | 9 +++++++- + lib/element.c | 56 ++++++++++++++++++++++++++++++++++++++++++------ + lib/element.h | 10 +++++++++ + lib/int.h | 8 +++++++ + lib/parser_aux.c | 10 +++++++++ + lib/structure.c | 13 +++++++++++ + 6 files changed, 98 insertions(+), 8 deletions(-) + +diff --git a/lib/decoding.c b/lib/decoding.c +index b9245c4..6737714 100644 +--- a/lib/decoding.c ++++ b/lib/decoding.c +@@ -1570,7 +1570,14 @@ asn1_der_decoding2 (asn1_node * element, const void *ider, int *max_ider_len, + move = UP; + } + if (move == UP) +- p = _asn1_find_up (p); ++ { ++ /* If we are parsing a sequence or set and p is a direct ++ child of it, no need to traverse the list back to the leftmost node. */ ++ if (tcache.tail == p) ++ p = tcache.head; ++ else ++ p = _asn1_find_up (p); ++ } + } + + _asn1_delete_not_used (*element); +diff --git a/lib/element.c b/lib/element.c +index d4c558e..9a8dbd8 100644 +--- a/lib/element.c ++++ b/lib/element.c +@@ -32,6 +32,8 @@ + #include "structure.h" + #include "c-ctype.h" + #include "element.h" ++#include ++#include "intprops.h" + + void + _asn1_hierarchical_name (asn1_node_const node, char *name, int name_size) +@@ -128,6 +130,41 @@ _asn1_convert_integer (const unsigned char *value, unsigned char *value_out, + return ASN1_SUCCESS; + } + ++int ++_asn1_node_array_set (struct asn1_node_array_st *array, size_t position, ++ asn1_node node) ++{ ++ if (position >= array->size) ++ { ++ size_t new_size = position, i; ++ asn1_node *new_nodes; ++ ++ if (INT_MULTIPLY_OVERFLOW (new_size, 2)) ++ return ASN1_GENERIC_ERROR; ++ new_size *= 2; ++ ++ if (INT_ADD_OVERFLOW (new_size, 1)) ++ return ASN1_GENERIC_ERROR; ++ new_size += 1; ++ ++ if (INT_MULTIPLY_OVERFLOW (new_size, sizeof (*new_nodes))) ++ return ASN1_GENERIC_ERROR; ++ ++ new_nodes = realloc (array->nodes, 
new_size * sizeof (*new_nodes)); ++ if (!new_nodes) ++ return ASN1_MEM_ALLOC_ERROR; ++ ++ for (i = array->size; i < new_size; i++) ++ new_nodes[i] = NULL; ++ ++ array->nodes = new_nodes; ++ array->size = new_size; ++ } ++ ++ array->nodes[position] = node; ++ return ASN1_SUCCESS; ++} ++ + /* Appends a new element into the sequence (or set) defined by this + * node. The new element will have a name of '?number', where number + * is a monotonically increased serial number. +@@ -144,6 +181,7 @@ _asn1_append_sequence_set (asn1_node node, struct node_tail_cache_st *pcache) + asn1_node p, p2; + char temp[LTOSTR_MAX_SIZE + 1]; + long n; ++ int result; + + if (!node || !(node->down)) + return ASN1_GENERIC_ERROR; +@@ -176,17 +214,21 @@ _asn1_append_sequence_set (asn1_node node, struct node_tail_cache_st *pcache) + pcache->tail = p2; + } + +- if (p->name[0] == 0) +- _asn1_str_cpy (temp, sizeof (temp), "?1"); +- else ++ n = 0; ++ if (p->name[0] != 0) + { +- n = strtol (p->name + 1, NULL, 0); +- n++; +- temp[0] = '?'; +- _asn1_ltostr (n, temp + 1); ++ n = strtol (p->name + 1, NULL, 10); ++ if (n <= 0 || n >= LONG_MAX - 1) ++ return ASN1_GENERIC_ERROR; + } ++ temp[0] = '?'; ++ _asn1_ltostr (n + 1, temp + 1); + _asn1_set_name (p2, temp); + /* p2->type |= CONST_OPTION; */ ++ result = _asn1_node_array_set (&node->numbered_children, n, p2); ++ if (result != ASN1_SUCCESS) ++ return result; ++ p2->parent = node; + + return ASN1_SUCCESS; + } +diff --git a/lib/element.h b/lib/element.h +index 8dd0ceb..3018e0c 100644 +--- a/lib/element.h ++++ b/lib/element.h +@@ -39,4 +39,14 @@ int _asn1_convert_integer (const unsigned char *value, + void _asn1_hierarchical_name (asn1_node_const node, char *name, + int name_size); + ++static inline asn1_node_const ++_asn1_node_array_get (const struct asn1_node_array_st *array, size_t position) ++{ ++ return position < array->size ? 
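Review bot: `_asn1_node_array_set` is added without a header comment, and its contract matters to every caller. A `position` at or past `array->size` makes it reallocate to `2 * position + 1` slots and NULL-fill the new tail, and both error returns (`ASN1_GENERIC_ERROR` on size overflow, `ASN1_MEM_ALLOC_ERROR` on a failed `realloc`) leave `array` unchanged. I would add above the definition something like `/* Store NODE at POSITION, growing ARRAY with NULL-filled slots as needed; on error ARRAY is left unchanged. */`. At the call sites in this patch `position` comes from the number in a `?N` element name, so the comment should also say that the allocation size follows the largest index passed in.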
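Review bot: The two new early returns in `_asn1_append_sequence_set` (the `n <= 0 || n >= LONG_MAX - 1` check and a failed `_asn1_node_array_set`) come after `pcache->tail = p2` in the context lines above, so the caller gets an error while the new node is already recorded as the tail. In the second case `p2` already carries its `?N` name but has no slot in `numbered_children` and no `parent`, so the array lookup added to `asn1_find_node` would not find it. The start of the function is outside this hunk, so I cannot see whether `p2` is also linked into the sibling list by that point. If it is, either run the range check and `_asn1_node_array_set` before the node is attached, or undo the attachment on the error path.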
array->nodes[position] : NULL; ++} ++ ++int ++_asn1_node_array_set (struct asn1_node_array_st *array, size_t position, ++ asn1_node node); ++ + #endif +diff --git a/lib/int.h b/lib/int.h +index d94d51c..a5519c5 100644 +--- a/lib/int.h ++++ b/lib/int.h +@@ -39,6 +39,12 @@ + + # define ASN1_SMALL_VALUE_SIZE 16 + ++struct asn1_node_array_st ++{ ++ asn1_node *nodes; ++ size_t size; ++}; ++ + /* This structure is also in libtasn1.h, but then contains less + fields. You cannot make any modifications to these first fields + without breaking ABI. */ +@@ -55,6 +61,8 @@ struct asn1_node_st + asn1_node left; /* Pointer to the next list element */ + /* private fields: */ + unsigned char small_value[ASN1_SMALL_VALUE_SIZE]; /* For small values */ ++ asn1_node parent; /* Pointer to the parent node */ ++ struct asn1_node_array_st numbered_children; /* Array of unnamed child nodes for caching */ + + /* values used during decoding/coding */ + int tmp_ival; +diff --git a/lib/parser_aux.c b/lib/parser_aux.c +index c05bd23..9ceaaa2 100644 +--- a/lib/parser_aux.c ++++ b/lib/parser_aux.c +@@ -125,6 +125,7 @@ asn1_find_node (asn1_node_const pointer, const char *name) + const char *n_start; + unsigned int nsize; + unsigned int nhash; ++ const struct asn1_node_array_st *numbered_children; + + if (pointer == NULL) + return NULL; +@@ -208,6 +209,7 @@ asn1_find_node (asn1_node_const pointer, const char *name) + if (p->down == NULL) + return NULL; + ++ numbered_children = &p->numbered_children; + p = p->down; + if (p == NULL) + return NULL; +@@ -221,6 +223,12 @@ asn1_find_node (asn1_node_const pointer, const char *name) + } + else + { /* no "?LAST" */ ++ if (n[0] == '?' 
&& c_isdigit (n[1])) ++ { ++ long position = strtol (n + 1, NULL, 10); ++ if (position > 0 && position < LONG_MAX) ++ p = _asn1_node_array_get (numbered_children, position - 1); ++ } + while (p) + { + if (p->name_hash == nhash && !strcmp (p->name, n)) +@@ -508,6 +516,8 @@ _asn1_remove_node (asn1_node node, unsigned int flags) + if (node->value != node->small_value) + free (node->value); + } ++ ++ free (node->numbered_children.nodes); + free (node); + } + +diff --git a/lib/structure.c b/lib/structure.c +index 512dd60..75c3951 100644 +--- a/lib/structure.c ++++ b/lib/structure.c +@@ -31,6 +31,9 @@ + #include + #include "parser_aux.h" + #include ++#include "c-ctype.h" ++#include "element.h" ++#include + + + extern char _asn1_identifierMissing[]; +@@ -391,6 +394,16 @@ asn1_delete_element (asn1_node structure, const char *element_name) + if (source_node == NULL) + return ASN1_ELEMENT_NOT_FOUND; + ++ if (source_node->parent ++ && source_node->name[0] == '?' ++ && c_isdigit (source_node->name[1])) ++ { ++ long position = strtol (source_node->name + 1, NULL, 10); ++ if (position > 0 && position < LONG_MAX) ++ _asn1_node_array_set (&source_node->parent->numbered_children, ++ position - 1, NULL); ++ } ++ + p2 = source_node->right; + p3 = _asn1_find_left (source_node); + if (!p3) +-- +2.41.0 + diff --git a/libtasn1.spec b/libtasn1.spec index 25df9ce8657d37d346967134c3e368355a5b6c75..187a432df03cc0251ccddffb41e287aef9b43a15 100644 --- a/libtasn1.spec +++ b/libtasn1.spec @@ -1,4 +1,4 @@ -%define anolis_release 2 +%define anolis_release 3 Summary: The ASN.1 library used in GNUTLS Name: libtasn1 
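Review bot: In the `?N` fast path of `asn1_find_node`, a miss in the array sets `p` to NULL, so the `while (p)` scan below is skipped and the lookup ends without walking the sibling list. That is only correct if every `?N` child is always present in its parent's `numbered_children`. The only place this patch fills the array is `_asn1_append_sequence_set`, so a node that gets a `?N` name some other way (a copied subtree, for instance; not visible here) would stop resolving. Unless that invariant is guaranteed elsewhere, keep the list head on a miss: `asn1_node_const hit = _asn1_node_array_get (numbered_children, position - 1);` followed by `if (hit) p = hit;`. The name comparison inside the loop already guards against a stale slot; the function body continues outside the hunk.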
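Review bot: Clearing the cache slot in `asn1_delete_element` goes through `_asn1_node_array_set`, which can reallocate and can fail, and its return value is dropped here. A delete should never need to grow the array: if `position - 1` is not below `numbered_children.size`, there is nothing to clear. I would write the slot directly under a bounds check, `if (position > 0 && (size_t) position <= arr->size) arr->nodes[position - 1] = NULL;`, with `arr` pointing at `source_node->parent->numbered_children`. That also removes the ignored error.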
@@ -10,6 +10,10 @@ Source0: http://ftp.gnu.org/gnu/libtasn1/%name-%version.tar.gz Source1: http://ftp.gnu.org/gnu/libtasn1/%name-%version.tar.gz.sig Source2: gpgkey-B1D2BD1375BECB784CF4F8C4D73CF638C53C06BE.gpg +# https://gitlab.com/gnutls/libtasn1/-/commit/4082ca2220b5ba910b546afddf7780fc4a51f75a +# https://gitlab.com/gnutls/libtasn1/-/commit/869a97aa259dffa2620dabcad84e1c22545ffc3d +Patch0: 1000-fix-CVE-2024-12133.patch + BuildRequires: gcc, make, gnupg2, bison, pkgconfig, help2man BuildRequires: autoconf, automake, libtool, gtk-doc, findutils BuildRequires: valgrind-devel @@ -53,7 +57,7 @@ This package contains documentation files for %{name}. %prep gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0} -%autosetup +%autosetup -p1 %build autoreconf -vfi @@ -90,6 +94,9 @@ make check %doc AUTHORS NEWS README.md %changelog +* Tue Jul 08 2025 mgb01105731 - 4.19.0-3 +- Add patch to fix CVE-2024-12133 + * Sat Apr 15 2023 DengXiewei - 4.19.0-2 - optimise spec