diff --git a/CVE-2024-8088.patch b/CVE-2024-8088.patch
new file mode 100644
index 0000000000000000000000000000000000000000..0bda85b07e60da15895b2cf8cd488e32fc142211
--- /dev/null
+++ b/CVE-2024-8088.patch
@@ -0,0 +1,98 @@
+diff -uprN Python-3.12.2/Lib/test/test_zipfile/_path/test_path.py Python-3.12.2.patched/Lib/test/test_zipfile/_path/test_path.py
+--- Python-3.12.2/Lib/test/test_zipfile/_path/test_path.py	2024-02-06 20:19:44.000000000 +0000
++++ Python-3.12.2.patched/Lib/test/test_zipfile/_path/test_path.py	2024-09-18 07:36:07.007069355 +0000
+@@ -589,3 +589,20 @@ class TestPath(unittest.TestCase):
+         zf.writestr('./a.txt', 'aaa')
+         tmpdir = pathlib.Path(self.fixtures.enter_context(temp_dir()))
+         zf.extractall(tmpdir)
++
++    def test_malformed_paths(self):
++        """
++        Path should handle malformed paths.
++        """
++        data = io.BytesIO()
++        zf = zipfile.ZipFile(data, "w")
++        zf.writestr("/one-slash.txt", b"content")
++        zf.writestr("//two-slash.txt", b"content")
++        zf.writestr("../parent.txt", b"content")
++        zf.filename = ''
++        root = zipfile.Path(zf)
++        assert list(map(str, root.iterdir())) == [
++            'one-slash.txt',
++            'two-slash.txt',
++            'parent.txt',
++        ]
+diff -uprN Python-3.12.2/Lib/zipfile/_path/__init__.py Python-3.12.2.patched/Lib/zipfile/_path/__init__.py
+--- Python-3.12.2/Lib/zipfile/_path/__init__.py	2024-02-06 20:19:44.000000000 +0000
++++ Python-3.12.2.patched/Lib/zipfile/_path/__init__.py	2024-09-18 07:36:07.020069432 +0000
+@@ -83,7 +83,69 @@ class InitializedState:
+         super().__init__(*args, **kwargs)
+ 
+ 
+-class CompleteDirs(InitializedState, zipfile.ZipFile):
++class SanitizedNames:
++    """
++    ZipFile mix-in to ensure names are sanitized.
++    """
++
++    def namelist(self):
++        return list(map(self._sanitize, super().namelist()))
++
++    @staticmethod
++    def _sanitize(name):
++        r"""
++        Ensure a relative path with posix separators and no dot names.
++
++        Modeled after
++        https://github.com/python/cpython/blob/bcc1be39cb1d04ad9fc0bd1b9193d3972835a57c/Lib/zipfile/__init__.py#L1799-L1813
++        but provides consistent cross-platform behavior.
++
++        >>> san = SanitizedNames._sanitize
++        >>> san('/foo/bar')
++        'foo/bar'
++        >>> san('//foo.txt')
++        'foo.txt'
++        >>> san('foo/.././bar.txt')
++        'foo/bar.txt'
++        >>> san('foo../.bar.txt')
++        'foo../.bar.txt'
++        >>> san('\\foo\\bar.txt')
++        'foo/bar.txt'
++        >>> san('D:\\foo.txt')
++        'D/foo.txt'
++        >>> san('\\\\server\\share\\file.txt')
++        'server/share/file.txt'
++        >>> san('\\\\?\\GLOBALROOT\\Volume3')
++        '?/GLOBALROOT/Volume3'
++        >>> san('\\\\.\\PhysicalDrive1\\root')
++        'PhysicalDrive1/root'
++
++        Retain any trailing slash.
++        >>> san('abc/')
++        'abc/'
++
++        Raises a ValueError if the result is empty.
++        >>> san('../..')
++        Traceback (most recent call last):
++        ...
++        ValueError: Empty filename
++        """
++
++        def allowed(part):
++            return part and part not in {'..', '.'}
++
++        # Remove the drive letter.
++        # Don't use ntpath.splitdrive, because that also strips UNC paths
++        bare = re.sub('^([A-Z]):', r'\1', name, flags=re.IGNORECASE)
++        clean = bare.replace('\\', '/')
++        parts = clean.split('/')
++        joined = '/'.join(filter(allowed, parts))
++        if not joined:
++            raise ValueError("Empty filename")
++        return joined + '/' * name.endswith('/')
++
++
++class CompleteDirs(InitializedState, SanitizedNames, zipfile.ZipFile):
+     """
+     A ZipFile subclass that ensures that implied directories
+     are always included in the namelist.
diff --git a/python3.12.spec b/python3.12.spec
index 8d57b9a7e52d0b40735ce573fa9bdf1dbb0dcb71..348d9397b0bcec0d29e292a9f3099628a7ec5553 100644
--- a/python3.12.spec
+++ b/python3.12.spec
@@ -65,7 +65,7 @@
 Summary: Version %{pybasever} of the Python interpreter
 Name: python%{pybasever}
 Version: %{src_version}
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: Python-2.0.1
 URL: https://www.python.org/
 
@@ -80,6 +80,7 @@ Source2: pathfix.py
 Patch0001: CVE-2024-0397-3.12-gh-114572-Fix-locking-in-cert_store_stats-and-g.patch
 Patch0002: CVE-2024-4032-3.12-gh-113171-gh-65056-Fix-private-non-global-IP-ad.patch
 Patch0003: CVE-2024-6232-3.12-gh-121285-Remove-backtracking-when-parsing-tarf.patch
+Patch0004: CVE-2024-8088.patch
 Patch3000: 00251-change-user-install-location.patch
 Patch3001: 00371-revert-bpo-1596321-fix-threading-_shutdown-for-the-main-thread-gh-28549-gh-28589.patch
 Patch3002: 00415-cve-2023-27043-gh-102988-reject-malformed-addresses-in-email-parseaddr-111116.patch
@@ -1069,6 +1070,9 @@ LD_LIBRARY_PATH=$(pwd)/normal $(pwd)/normal/python -m test.regrtest \
 %endif
 
 %changelog
+* Wed Sep 18 2024 cunshunxia <cunshunxia@tencent.com> - 3.12.2-7
+- fix CVE-2024-8088.
+
 * Fri Sep 6 2024 Shuo Wang <abushwang@tencent.com> - 3.12.2-6
 - fix CVE-2024-6232
 - Remove backtracking when parsing tarfile headers (GH-121286) (#123639)