diff --git a/CVE-2023-28879.patch b/CVE-2023-28879.patch
new file mode 100644
index 0000000..1ab465d
--- /dev/null
+++ b/CVE-2023-28879.patch
@@ -0,0 +1,17 @@
+--- base/sbcp.c.orig	2020-03-19 09:21:42.000000000 +0100
++++ base/sbcp.c	2023-04-03 12:36:26.024927229 +0200
+@@ -50,6 +50,14 @@ s_xBCPE_process(stream_state * st, strea
+         byte ch = *++p;
+ 
+         if (ch <= 31 && escaped[ch]) {
++            /* Make sure we have space to store two characters in the write buffer,
++             * if we don't then exit without consuming the input character, we'll process
++             * that on the next time round.
++             */
++            if (pw->limit - q < 2) {
++                p--;
++                break;
++            }
+             if (p == rlimit) {
+                 p--;
+                 break;
diff --git a/ghostscript.changes b/ghostscript.changes
index a7211b5..8244e06 100644
--- a/ghostscript.changes
+++ b/ghostscript.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Tue Apr 11 09:09:56 UTC 2023 - Johannes Meixner <jsmeix@suse.com>
+
+- CVE-2023-28879.patch fixes CVE-2023-28879
+  Buffer Overflow in s_xBCPE_process
+  cf. https://bugs.ghostscript.com/show_bug.cgi?id=706494
+  (bsc#1210062)
+
 -------------------------------------------------------------------
 Mon Jul 18 07:28:54 UTC 2022 - Dirk Müller <dmueller@suse.com>
 
diff --git a/ghostscript.spec b/ghostscript.spec
index 9291ead..24f5f35 100644
--- a/ghostscript.spec
+++ b/ghostscript.spec
@@ -1,7 +1,7 @@
 #
 # spec file
 #
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -47,6 +47,12 @@ Patch100:       remove-zlib-h-dependency.patch
 # Patch101 ijs_exec_server_dont_use_sh.patch fixes IJS printing problem
 # additionally allow exec'ing hpijs in apparmor profile was needed (bsc#1128467):
 Patch101:       ijs_exec_server_dont_use_sh.patch
+# Patch102 CVE-2023-28879.patch is
+# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=37ed5022cecd
+# that fixes CVE-2023-28879 Buffer Overflow in s_xBCPE_process
+# cf. https://bugs.ghostscript.com/show_bug.cgi?id=706494
+# and https://bugzilla.suse.com/show_bug.cgi?id=1210062
+Patch102:       CVE-2023-28879.patch
 BuildRequires:  freetype2-devel
 BuildRequires:  libjpeg-devel
 BuildRequires:  liblcms2-devel
@@ -240,6 +246,12 @@ This package contains the development files for Ghostscript.
 # Patch101 ijs_exec_server_dont_use_sh.patch fixes IJS printing problem
 # additionally allow exec'ing hpijs in apparmor profile was needed (bsc#1128467):
 %patch101 -p1
+# Patch102 CVE-2023-28879.patch is
+# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=37ed5022cecd
+# that fixes CVE-2023-28879 Buffer Overflow in s_xBCPE_process
+# cf. https://bugs.ghostscript.com/show_bug.cgi?id=706494
+# and https://bugzilla.suse.com/show_bug.cgi?id=1210062
+%patch102
 # Remove patch backup files to avoid packaging
 # cf. https://build.opensuse.org/request/show/581052
 rm -f Resource/Init/*.ps.orig