diff --git a/pkgconf-CVE-2023-24056.patch b/pkgconf-CVE-2023-24056.patch
new file mode 100644
index 0000000..cb13c4f
--- /dev/null
+++ b/pkgconf-CVE-2023-24056.patch
@@ -0,0 +1,53 @@
+diff -Nura pkgconf-1.8.0/libpkgconf/tuple.c pkgconf-1.8.0_new/libpkgconf/tuple.c
+--- pkgconf-1.8.0/libpkgconf/tuple.c 2021-03-18 20:15:16.000000000 +0800
++++ pkgconf-1.8.0_new/libpkgconf/tuple.c 2023-01-30 16:07:40.750297141 +0800
+@@ -293,12 +293,23 @@
+ }
+ }
+
++ PKGCONF_TRACE(client, "lookup tuple %s", varname);
++
++ size_t remain = PKGCONF_BUFSIZE - (bptr - buf);
+ ptr += (pptr - ptr);
+ kv = pkgconf_tuple_find_global(client, varname);
+ if (kv != NULL)
+ {
+- strncpy(bptr, kv, PKGCONF_BUFSIZE - (bptr - buf));
+- bptr += strlen(kv);
++ size_t nlen = pkgconf_strlcpy(bptr, kv, remain);
++ if (nlen > remain)
++ {
++ pkgconf_warn(client, "warning: truncating very long variable to 64KB\n");
++
++ bptr = buf + (PKGCONF_BUFSIZE - 1);
++ break;
++ }
++
++ bptr += nlen;
+ }
+ else
+ {
+@@ -306,12 +317,20 @@
+
+ if (kv != NULL)
+ {
++ size_t nlen;
++
+ parsekv = pkgconf_tuple_parse(client, vars, kv);
++ nlen = pkgconf_strlcpy(bptr, parsekv, remain);
++ free(parsekv);
+
+- strncpy(bptr, parsekv, PKGCONF_BUFSIZE - (bptr - buf));
+- bptr += strlen(parsekv);
++ if (nlen > remain)
++ {
++ pkgconf_warn(client, "warning: truncating very long variable to 64KB\n");
++ bptr = buf + (PKGCONF_BUFSIZE - 1);
++ break;
++ }
+
+- free(parsekv);
++ bptr += nlen;
+ }
+ }
+ }
diff --git a/pkgconf.changes b/pkgconf.changes
index f93cdff..71120ec 100644
--- a/pkgconf.changes
+++ b/pkgconf.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Sun Jan 29 09:26:47 UTC 2023 - Cliff Zhao
+
+- Add pkgconf-CVE-2023-24056.patch: Backport commit 628b2b2baf from
+ upstream, test for, and stop string processing, on truncation
+ (bsc#1207394 CVE-2023-24056).
+
 -------------------------------------------------------------------
 Mon Aug 23 09:18:29 UTC 2021 - Callum Farmer
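Review bot: The truncation test `if (nlen > remain)` in both tuple.c hunks of pkgconf-CVE-2023-24056.patch misses the boundary case `nlen == remain`. If `pkgconf_strlcpy` follows strlcpy semantics and returns the source length, a value exactly `remain` bytes long is already cut by one byte, the warning is skipped, and `bptr += nlen` leaves `bptr` at `buf + PKGCONF_BUFSIZE`, one past the buffer. What the loop does with `bptr` afterwards lies outside these hunks, so this needs confirming against the full function, but `if (nlen >= remain)` in both places would keep `bptr` inside the buffer. Because this is a backport, the same question is worth raising upstream rather than diverging silently.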
diff --git a/pkgconf.spec b/pkgconf.spec
index a1cde0a..f7b9b31 100644
--- a/pkgconf.spec
+++ b/pkgconf.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package pkgconf
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 # Copyright (c) 2020 Neal Gompa .
 #
 # All modifications and additions to the file contributed by third parties
@@ -54,6 +54,8 @@ URL: http://pkgconf.org/
 Source0: https://distfiles.dereferenced.org/%{name}/%{name}-%{version}.tar.xz
 # Simple wrapper script to offer platform versions of pkgconfig from Fedora
 Source1: platform-pkg-config.in
+# PATCH-FIX-UPSTREAM pkgconf-CVE-2023-24056.patch bsc#1207394 CVE-2023-24056 qzhao@suse.com -- Backport commit 628b2b2baf from upstream, test for, and stop string processing, on truncation.
+Patch0: pkgconf-CVE-2023-24056.patch
 # For regenerating autotools scripts
 BuildRequires: autoconf
 BuildRequires: automake
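Review bot: `Patch0` is declared in the second hunk, but no hunk in this diff touches `%prep`, so whether the CVE-2023-24056 fix is actually applied depends on spec lines outside the diff. If `%prep` uses `%autosetup -p1` the patch is picked up automatically; if it uses plain `%setup`, an explicit `%patch0 -p1` is needed, otherwise the package builds without the fix. The paths inside the patch (`pkgconf-1.8.0/libpkgconf/tuple.c`) need strip level 1 either way.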