diff --git a/CVE-2023-46047.patch b/CVE-2023-46047.patch
new file mode 100644
index 0000000..19c07e0
--- /dev/null
+++ b/CVE-2023-46047.patch
@@ -0,0 +1,30 @@
+From a617461c630da22f4bcc22c687f5a299b5630e2d Mon Sep 17 00:00:00 2001
+From: Ralph Little
+Date: Mon, 2 Oct 2023 16:40:27 -0700
+Subject: [PATCH] sanei_config: malformed line can return NULL for token. We
+ should check.
+
+---
+ sanei/sanei_config.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/sanei/sanei_config.c b/sanei/sanei_config.c
+index 07c85c964..45f380337 100644
+--- a/sanei/sanei_config.c
++++ b/sanei/sanei_config.c
+@@ -295,6 +295,12 @@ sanei_configure_attach (const char *config_file, SANEI_Config * config,
+ * So we parse the line 2 time to find an option */
+ /* check if it is an option */
+ lp = sanei_config_get_string (lp, &token);
++ if (NULL == token)
++ {
++ // Invalid format?
++ continue;
++ }
++
+ if (strncmp (token, "option", 6) == 0)
+ {
+ /* skip the "option" token */
+--
+GitLab
+
diff --git a/CVE-2023-46052.patch b/CVE-2023-46052.patch
new file mode 100644
index 0000000..ade978d
--- /dev/null
+++ b/CVE-2023-46052.patch
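Review bot: The new `NULL == token` branch in sanei_configure_attach drops a malformed line without leaving any trace, so nothing tells the operator that part of the config file was ignored. A debug message on that path would make such files diagnosable. The `// Invalid format?` comment could state the contract instead, for example `/* malformed line: sanei_config_get_string() left token NULL, skip it */`, which also matches the `/* */` style of the surrounding context lines. The loop body starts and ends outside the hunk, so whether later uses of `token` in the same iteration need a similar guard cannot be confirmed from here.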
@@ -0,0 +1,126 @@
+From 6fc47c4c1472ea244561b18d5d6e3e8eefb1cde7 Mon Sep 17 00:00:00 2001
+From: Ralph Little
+Date: Mon, 2 Oct 2023 16:23:07 -0700
+Subject: [PATCH] test: added validation checks for config string option
+ saelections.
+
+This will avoid a reported buffer overflow issue related to invalid (long) options being specified.
+---
+ backend/test.c | 63 ++++++++++++++++++++++++++++++++++++++++----------
+ 1 file changed, 51 insertions(+), 12 deletions(-)
+
+diff --git a/backend/test.c b/backend/test.c
+index ea7329073..4663a16e4 100644
+--- a/backend/test.c
++++ b/backend/test.c
+@@ -1432,6 +1432,43 @@ read_option (SANE_String line, SANE_String option_string,
+ return SANE_STATUS_GOOD;
+ }
+
++
++static SANE_Status
++read_option_str_list (SANE_String line, SANE_String option_string,
++ parameter_type p_type, void *value,
++ SANE_String_Const *string_list)
++{
++ SANE_String new_value = NULL;
++
++ SANE_Status ret = read_option (line, option_string, p_type, &new_value);
++ if (ret != SANE_STATUS_GOOD)
++ {
++ if (new_value)
++ {
++ free(new_value);
++ }
++ return ret;
++ }
++
++ for (SANE_String_Const *option = string_list; *option; option++)
++ {
++ if (strcmp (*option, new_value) == 0)
++ {
++
++ if (*(SANE_String*) value)
++ {
++ free (*(SANE_String*) value);
++ }
++ *(SANE_String*) value = new_value;
++
++ return SANE_STATUS_GOOD;
++ }
++ }
++
++ return SANE_STATUS_INVAL;
++}
++
++
+ static SANE_Status
+ reader_process (Test_Device * test_device, SANE_Int fd)
+ {
+@@ -1636,7 +1673,6 @@ print_options (Test_Device * test_device)
+
+ /***************************** SANE API ****************************/
+
+-
+ SANE_Status
+ sane_init (SANE_Int * __sane_unused__ version_code, SANE_Auth_Callback __sane_unused__ authorize)
+ {
+@@ -1736,20 +1772,23 @@ sane_init (SANE_Int * __sane_unused__ version_code, SANE_Auth_Callback __sane_un
+
+ DBG (5, "sane_init: config file line %3d: `%s'\n",
+ linenumber, line);
++
+ if (read_option (line, "number_of_devices",
param_int,
+ &init_number_of_devices) == SANE_STATUS_GOOD)
+ continue;
+- if (read_option (line, "mode", param_string,
+- &init_mode) == SANE_STATUS_GOOD)
+- continue;
++
++ if (read_option_str_list (line, "mode", param_string,
++ &init_mode, mode_list) == SANE_STATUS_GOOD)
++ continue;
++
+ if (read_option (line, "hand-scanner", param_bool,
+ &init_hand_scanner) == SANE_STATUS_GOOD)
+ continue;
+ if (read_option (line, "three-pass", param_bool,
+ &init_three_pass) == SANE_STATUS_GOOD)
+ continue;
+- if (read_option (line, "three-pass-order", param_string,
+- &init_three_pass_order) == SANE_STATUS_GOOD)
++ if (read_option_str_list (line, "three-pass-order", param_string,
++ &init_three_pass_order, order_list) == SANE_STATUS_GOOD)
+ continue;
+ if (read_option (line, "resolution_min", param_fixed,
+ &resolution_range.min) == SANE_STATUS_GOOD)
+@@ -1766,11 +1805,11 @@ sane_init (SANE_Int * __sane_unused__ version_code, SANE_Auth_Callback __sane_un
+ if (read_option (line, "depth", param_int,
+ &init_depth) == SANE_STATUS_GOOD)
+ continue;
+- if (read_option (line, "scan-source", param_string,
+- &init_scan_source) == SANE_STATUS_GOOD)
++ if (read_option_str_list (line, "scan-source", param_string,
++ &init_scan_source, source_list) == SANE_STATUS_GOOD)
+ continue;
+- if (read_option (line, "test-picture", param_string,
+- &init_test_picture) == SANE_STATUS_GOOD)
++ if (read_option_str_list (line, "test-picture", param_string,
++ &init_test_picture, test_picture_list) == SANE_STATUS_GOOD)
+ continue;
+ if (read_option (line, "invert-endianess", param_bool,
+ &init_invert_endianess) == SANE_STATUS_GOOD)
+@@ -1787,8 +1826,8 @@ sane_init (SANE_Int * __sane_unused__ version_code, SANE_Auth_Callback __sane_un
+ if (read_option (line, "read-delay-duration", param_int,
+ &init_read_delay_duration) == SANE_STATUS_GOOD)
+ continue;
+- if (read_option (line, "read-status-code", param_string,
+- &init_read_status_code) == SANE_STATUS_GOOD)
++ if (read_option_str_list (line,
"read-status-code", param_string,
++ &init_read_status_code, read_status_code_list) == SANE_STATUS_GOOD)
+ continue;
+ if (read_option (line, "ppl-loss", param_int,
+ &init_ppl_loss) == SANE_STATUS_GOOD)
+--
+GitLab
+
diff --git a/sane-backends.spec b/sane-backends.spec
index 7315b01..158bc92 100644
--- a/sane-backends.spec
+++ b/sane-backends.spec
@@ -3,7 +3,7 @@ Name: sane-backends Version: 1.2.1
-Release: 1
+Release: 2
 Summary: Scanner access software License: GPLv2+ and GPLv2+ and Public Domain and IJG and LGPLv2+ and MIT URL: http://www.sane-project.org
@@ -20,6 +20,10 @@ Requires: sane-backends-libs = %{version}-%{release} Patch0000: CVE-2020-12861-CVE-2020-12866-CVE-2020-12864.patch Patch0001: Add-check-for-ports-to-avoid-Segmentation-fault.patch
+# https://gitlab.com/sane-project/backends/-/commit/fd7b83c8f7b4da4a9e1fb715d070aa2fd96832ff
+Patch0002: CVE-2023-46047.patch
+# https://gitlab.com/sane-project/backends/-/commit/a92ffb3d978329c29513b0acb98ae7987ec1bed7
+Patch0003: CVE-2023-46052.patch
 %description SANE (Scanner Access Now Easy) is a sane and simple interface to both local and networked scanners
@@ -202,6 +206,9 @@ exit 0 %{_unitdir}/* %changelog
+* Fri May 10 2024 yaoxin - 1.2.1-2
+- Fix CVE-2023-46047 and CVE-2023-46052
+
 * Sat Oct 07 2023 wulei - 1.2.1-1 - Update to 1.2.1
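Review bot: In read_option_str_list the no-match path returns SANE_STATUS_INVAL without releasing `new_value`, so each config line with an unlisted value appears to leak the string read_option returned (the `free(new_value)` on the error path suggests the caller owns it). Adding `free (new_value);` just before `return SANE_STATUS_INVAL;` would close that. The helper also takes a `p_type` argument although it always passes a `SANE_String *` to read_option, so a short comment that only `param_string` is valid here would prevent misuse. In sane_init a rejected value simply falls through to the remaining read_option calls; a DBG message naming the rejected option would make a bad config visible. The bodies of sane_init and read_option lie outside the hunks, so their handling of the fall-through is not confirmed.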
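Review bot: The provenance comments above Patch0002 and Patch0003 point at upstream commits fd7b83c8f7b4… and a92ffb3d9783…, but the `From` lines inside the two added patch files carry a617461c630d… and 6fc47c4c1472…. That may only reflect merge-request versus merged commit ids, yet as written the shipped patch content cannot be matched to the referenced URLs by hash. Either reference the commits the patches were actually exported from, or extend the comment, e.g. `# upstream fix; exported from a617461c (same change as fd7b83c8)`, once that equivalence has been verified.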