diff --git a/backport-CVE-2024-29869.patch b/backport-CVE-2024-29869.patch
new file mode 100644
index 0000000000000000000000000000000000000000..aa2c3e505da06f4de814b1473f6b668816e13f24
--- /dev/null
+++ b/backport-CVE-2024-29869.patch
@@ -0,0 +1,40 @@
+From 20106e254527f7d71b2e34455c4322e14950c620 Mon Sep 17 00:00:00 2001
+From: Ayush Saxena
+Date: Thu, 21 Mar 2024 10:56:21 +0530
+Subject: [PATCH] HIVE-28134: Improve SecureCmdDoAs. (#5140). (Ayush Saxena,
+ reviewed by Sourabh Badhya)
+
+---
+ .../org/apache/hadoop/hive/ql/exec/SecureCmdDoAs.java | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/ql/src/java/org/apache/hadoop/hive/ql/exec/SecureCmdDoAs.java b/ql/src/java/org/apache/hadoop/hive/ql/exec/SecureCmdDoAs.java
+index e9ede6abf68a..a2e9dab885d7 100644
+--- a/ql/src/java/org/apache/hadoop/hive/ql/exec/SecureCmdDoAs.java
++++ b/ql/src/java/org/apache/hadoop/hive/ql/exec/SecureCmdDoAs.java
+@@ -23,8 +23,10 @@
+ import java.net.URISyntaxException;
+ import java.util.Map;
+
++import org.apache.hadoop.fs.FSDataOutputStream;
+ import org.apache.hadoop.fs.FileSystem;
+ import org.apache.hadoop.fs.Path;
++import org.apache.hadoop.fs.permission.FsPermission;
+ import org.apache.hadoop.hive.conf.HiveConf;
+ import org.apache.hadoop.hive.ql.metadata.HiveException;
+ import org.apache.hadoop.hive.shims.ShimLoader;
+@@ -68,7 +70,13 @@ public SecureCmdDoAs(HiveConf conf) throws HiveException, IOException{
+ tokenPath = new Path(tokenFile.toURI());
+
+ //write credential with token to file
+- cred.writeTokenStorageFile(tokenPath, conf);
++ FsPermission umask = FsPermission.getUMask(conf);
++ FsPermission targetPerm = FsPermission.createImmutable((short) 0700);
++
++ try (FSDataOutputStream os = tokenPath.getFileSystem(conf).createFile(tokenPath)
++ .permission(targetPerm.applyUMask(umask)).build()) {
++ cred.writeTokenStorageToStream(os, Credentials.SerializedFormat.WRITABLE);
++ }
+ }
+
+ public void addEnv(Map env){
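Review bot: The new write in the SecureCmdDoAs constructor requests mode `0700` for a file that only holds serialized delegation tokens, so the owner execute bit is not needed; `FsPermission.createImmutable((short) 0600)` would express owner read/write only. The context line `tokenPath = new Path(tokenFile.toURI());` suggests the temp file may already exist before `createFile(tokenPath)` runs (its creation is outside the hunk), and whether `.permission(...)` tightens the mode of a pre-existing file depends on the FileSystem implementation, so a unit test that reads back the permissions of `tokenPath` after construction and asserts no group/other bits are set would confirm the fix holds on the local filesystem. A short comment above the `try`, such as `// token file holds credentials: restrict to owner-only access`, would record why the builder API replaces `writeTokenStorageFile`. The constructor starts above the hunk and only its tail is visible here.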
diff --git a/hive.spec b/hive.spec index a15c4dcf6843c47d4ccd993c403e7321f3df5749..914b584f1a0ccb3ebf4265274f404ab7042e5e27 100644 --- a/hive.spec +++ b/hive.spec @@ -2,7 +2,7 @@ Name: hive Version: 3.1.3 -Release: 2 +Release: 3 Summary: The Apache Hadoop data warehouse License: Apache-2.0 and Python-2.0 and MPL-2.0 and BSD and ICU @@ -21,6 +21,8 @@ Requires: hadoop-3.1-mapreduce hadoop-3.1-maven-plugin hadoop-3.1-yarn hadoop-3. Requires: mysql-server BuildArch: noarch +Patch1000: backport-CVE-2024-29869.patch + %description The Apache Hive data warehouse software facilitates querying and managing large datasets residing in distributed storage. Apache Hive @@ -29,6 +31,7 @@ the data using a SQL-like language called HiveQL. %prep %setup -q -n %{name}-rel-release-%{version} +%patch1000 -p1 mvn install:install-file -DgroupId=com.google.protobuf -DartifactId=protoc -Dversion=2.5.0 -Dclassifier=linux-aarch_64 -Dpackaging=exe -Dfile=/usr/bin/protoc mvn install:install-file -DgroupId=org.pentaho -DartifactId=pentaho-aggdesigner-algorithm -Dversion=5.1.5-jhyde -Dpackaging=jar -Dfile=%{SOURCE2} cp %{SOURCE1} ./.xmvn-reactor @@ -127,6 +130,9 @@ ln -s %{_javadir}/%{name}/%{name}-shims.jar %{buildroot}%{_datadir}/hadoop/mapre %changelog +* Thu Sep 18 2025 wang kun 3.1.3-3 +- fix CVE-2024-29869 + * Tue Sep 13 2022 Jie Dong 3.1.3-2 - Add requires mysql-server
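Review bot: `%patch1000 -p1` in `%prep` uses the numbered `%patchN` form, which newer rpm releases deprecate; `%patch -P 1000 -p1` is accepted by older and newer rpm alike and keeps the spec building after a toolchain upgrade. A comment above `Patch1000:` naming the upstream change, e.g. `# HIVE-28134: restrict permissions of the delegation token file`, would make the backport easier to track when the package is rebased.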