diff --git a/SOURCES/CVE-2024-5569_EPEL8.patch b/SOURCES/CVE-2024-5569_EPEL8.patch
new file mode 100644
index 0000000..d5e7cf8
--- /dev/null
+++ b/SOURCES/CVE-2024-5569_EPEL8.patch
@@ -0,0 +1,104 @@
+diff -ur zipp-0.5.1.orig/test_zipp.py zipp-0.5.1/test_zipp.py
+--- zipp-0.5.1.orig/test_zipp.py 2019-05-17 01:34:53.000000000 +1000
++++ zipp-0.5.1/test_zipp.py 2024-09-22 18:45:15.000000000 +1000
+@@ -170,3 +170,20 @@
+ root = zipp.Path(zipfile_abcde)
+ assert (root / 'a').parent.at == ''
+ assert (root / 'a' / 'b').parent.at == 'a/'
++
++ def test_malformed_paths(self):
++ """
++ Path should handle malformed paths.
++ """
++ data = io.BytesIO()
++ zf = zipfile.ZipFile(data, "w")
++ zf.writestr("/one-slash.txt", b"content")
++ zf.writestr("//two-slash.txt", b"content")
++ zf.writestr("../parent.txt", b"content")
++ zf.filename = ''
++ root = zipp.Path(zf)
++ assert list(map(str, root.iterdir())) == [
++ 'one-slash.txt',
++ 'two-slash.txt',
++ 'parent.txt',
++ ]
+diff -ur zipp-0.5.1.orig/zipp.py zipp-0.5.1/zipp.py
+--- zipp-0.5.1.orig/zipp.py 2019-05-17 01:34:53.000000000 +1000
++++ zipp-0.5.1/zipp.py 2024-09-22 16:33:44.000000000 +1000
+@@ -7,10 +7,67 @@
+ import posixpath
+ import zipfile
+ import functools
++import re
+
+ __metaclass__ = type
+
++class SanitizedNames:
++ """
++ ZipFile mix-in to ensure names are sanitized.
++ """
++
++ def namelist(self):
++ return list(map(self._sanitize, super().namelist()))
++
++ @staticmethod
++ def _sanitize(name):
++ r"""
++ Ensure a relative path with posix separators and no dot names.
++ Modeled after
++ https://github.com/python/cpython/blob/bcc1be39cb1d04ad9fc0bd1b9193d3972835a57c/Lib/zipfile/__init__.py#L1799-L1813
++ but provides consistent cross-platform behavior.
++ >>> san = SanitizedNames._sanitize
++ >>> san('/foo/bar')
++ 'foo/bar'
++ >>> san('//foo.txt')
++ 'foo.txt'
++ >>> san('foo/.././bar.txt')
++ 'foo/bar.txt'
++ >>> san('foo../.bar.txt')
++ 'foo../.bar.txt'
++ >>> san('\\foo\\bar.txt')
++ 'foo/bar.txt'
++ >>> san('D:\\foo.txt')
++ 'D/foo.txt'
++ >>> san('\\\\server\\share\\file.txt')
++ 'server/share/file.txt'
++ >>> san('\\\\?\\GLOBALROOT\\Volume3')
++ '?/GLOBALROOT/Volume3'
++ >>> san('\\\\.\\PhysicalDrive1\\root')
++ 'PhysicalDrive1/root'
++ Retain any trailing slash.
++ >>> san('abc/')
++ 'abc/'
++ Raises a ValueError if the result is empty.
++ >>> san('../..')
++ Traceback (most recent call last):
++ ...
++ ValueError: Empty filename
++ """
++
++ def allowed(part):
++ return part and part not in {'..', '.'}
+
++ # Remove the drive letter.
++ # Don't use ntpath.splitdrive, because that also strips UNC paths
++ bare = re.sub('^([A-Z]):', r'\1', name, flags=re.IGNORECASE)
++ clean = bare.replace('\\', '/')
++ parts = clean.split('/')
++ joined = '/'.join(filter(allowed, parts))
++ if not joined:
++ raise ValueError("Empty filename")
++ return joined + '/' * name.endswith('/')
++
+ class Path:
+ """
+ A pathlib-compatible interface for zip files.
+@@ -165,7 +222,7 @@
+ return self._next(parent_at)
+
+ def _names(self):
+- return self._add_implied_dirs(self.root.namelist())
++ return self._add_implied_dirs(list(map(SanitizedNames._sanitize, self.root.namelist())))
+
+ if sys.version_info < (3,):
+ __div__ = __truediv__
diff --git a/SPECS/python-zipp.spec b/SPECS/python-zipp.spec
index f320a73..90d8bfe 100644
--- a/SPECS/python-zipp.spec
+++ b/SPECS/python-zipp.spec
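Review bot: In the `_names` change at the end of the zipp.py hunk, every archive member is passed through `SanitizedNames._sanitize`, so a single member whose name collapses to nothing after cleaning (a `./` or `../` directory entry, for instance) makes `_sanitize` raise `ValueError("Empty filename")` out of `iterdir()`/`exists()` and aborts enumeration of the whole archive rather than skipping that one entry; the added `test_malformed_paths` does not cover this case, and the rest of `Path`, which would decide whether that propagates to callers, is outside the hunk. Two members that sanitize to the same name (`/a.txt` and `a.txt`) now also appear twice in the list passed to `_add_implied_dirs`, which is not in the hunk, so I cannot tell whether they are deduplicated. Because the sanitized names are no longer the literal member names, any later `self.root.open(self.at)` on such an entry presumably fails with `KeyError` — that is worth stating if it is the intended contract. The mixin's `namelist()` has no visible consumer here since `_names` calls the static method directly; either drop it or mix `SanitizedNames` into the ZipFile actually used as `root`. I would add above the new `return` in `_names`: `# Names are sanitized for listing only: an entry that collapses to nothing ('./', '../') raises ValueError here, and a sanitized name may not match the raw member name that ZipFile.open() expects.`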
@@ -2,12 +2,14 @@
 Name: python-%{pypi_name}
 Version: 0.5.1
-Release: 3%{?dist}
+Release: 4%{?dist}
 Summary: Backport of pathlib-compatible object wrapper for zip files
 License: MIT
 URL: https://github.com/jaraco/zipp
 Source0: %{pypi_source}
+# Backported from https://github.com/jaraco/zipp/pull/120
+Patch: CVE-2024-5569_EPEL8.patch
 BuildArch: noarch
 BuildRequires: python3-devel
@@ -27,7 +29,7 @@ A pathlib-compatible Zipfile object wrapper. A backport of the Path object.
 %prep
-%autosetup -n %{pypi_name}-%{version}
+%autosetup -p1 -n %{pypi_name}-%{version}
 %build
 %py3_build
@@ -46,6 +48,9 @@ A pathlib-compatible Zipfile object wrapper. A backport of the Path object.
 %{python3_sitelib}/%{pypi_name}-%{version}-py?.?.egg-info/
 %changelog
+* Sun Sep 22 2024 Frank Crawford - 0.5.1-4
+- Security fix for CVE-2024-5569 (rhbz#2297119)
+
 * Wed Jan 24 2024 Sergey Cherevko - 0.5.1-3
 - Rebuilt for MSVSphere 8.9