diff --git a/CVE-2020-29651.patch b/CVE-2020-29651.patch
new file mode 100644
index 0000000..a720d52
--- /dev/null
+++ b/CVE-2020-29651.patch
@@ -0,0 +1,31 @@
+From 4a9017dc6199d2a564b6e4b0aa39d6d8870e4144 Mon Sep 17 00:00:00 2001
+From: Ran Benita
+Date: Fri, 4 Sep 2020 13:57:26 +0300
+Subject: [PATCH] svnwc: fix regular expression vulnerable to DoS in blame
+ functionality
+
+The subpattern `\d+\s*\S+` is ambiguous which makes the pattern subject
+to catastrophic backtracing given a string like `"1" * 5000`.
+
+SVN blame output seems to always have at least one space between the
+revision number and the user name, so the ambiguity can be fixed by
+changing the `*` to `+`.
+
+Fixes #256.
+---
+ py/_path/svnwc.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/py-1.5.4/py/_path/svnwc.py b/py-1.5.4/py/_path/svnwc.py
+index 3138dd85..b5b9d8d5 100644
+--- a/py-1.5.4/py/_path/svnwc.py
++++ b/py-1.5.4/py/_path/svnwc.py
+@@ -396,7 +396,7 @@ def makecmdoptions(self):
+ def __str__(self):
+ return "" %(self.username,)
+ 
+-rex_blame = re.compile(r'\s*(\d+)\s*(\S+) (.*)')
++rex_blame = re.compile(r'\s*(\d+)\s+(\S+) (.*)')
+ 
+ class SvnWCCommandPath(common.PathBase):
+ """ path implementation offering access/modification to svn working copies.
diff --git a/python-py.spec b/python-py.spec
index 161c210..3f3bfdd 100644
--- a/python-py.spec
+++ b/python-py.spec
@@ -8,11 +8,12 @@ Name: python-%{modname}
 Version: 1.5.4
-Release: 4
+Release: 5
 Summary: Library with cross-python path, ini-parsing, io, code, log facilities
 License: MIT and Public Domain
 URL: http://pylib.readthedocs.io/en/stable/
 Source: https://files.pythonhosted.org/packages/source/p/%{modname}/%{modnameversion}.tar.gz
+Patch0: CVE-2020-29651.patch
 BuildArch: noarch
 %if %{with tests}
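Review bot: The inner file header at `+--- a/py-1.5.4/py/_path/svnwc.py` bakes the upstream version into the patch, so it applies only because the spec unpacks with `-c -n %{modnameversion}` and strips one path component with `-p1` (the `%prep` hunk of python-py.spec); any later `Version:` bump will make `%autosetup` fail until that prefix is regenerated. A comment beside the new `Patch0:` line would spare the next maintainer that surprise, e.g. `# paths inside the patch carry the %{modnameversion}/ prefix because %autosetup -c unpacks into that directory`. The `From: Ran Benita` line carries no e-mail address, which may be an artefact of how this page was extracted but is worth checking against upstream commit 4a9017dc6199d2a564b6e4b0aa39d6d8870e4144 so the patch's provenance stays intact. The regex change itself is the upstream fix as described: with `\s+` between `(\d+)` and `(\S+)` a run of digits can no longer be split between the two groups, which is what removed the catastrophic backtracking, and the remaining `(\S+) (.*)` tail is unambiguous because `\S+` cannot consume the literal space.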
@@ -70,7 +71,7 @@ Obsoletes: platform-python-%{modname} < %{version}-%{release}
 %endif
 %prep
-%autosetup -c -n %{modnameversion}
+%autosetup -c -n %{modnameversion} -p1
 find %{modnameversion} \
 -type f -a \( -name '*.py' -o -name 'py.*' \) \
@@ -133,5 +134,8 @@ popd
 %endif
 %changelog
+* Wed Feb 23 2020 houyingchao - 1.5.4-5
+- Fix CVE-2020-29651
+
 * Tue Dec 10 2019 mengxian - 1.5.4-4
 - Package init
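Review bot: The new `%changelog` entry's date `Wed Feb 23 2020` is inconsistent: 23 February 2020 fell on a Sunday, and a 2020 date precedes the `Fri, 4 Sep 2020` upstream commit this release backports, so the year cannot be right; rpmbuild warns about a bogus date in %changelog for entries like this and packaging lint flags them. 23 February 2022 was a Wednesday, so `* Wed Feb 23 2022 houyingchao - 1.5.4-5` is the likely intent, but confirm with the author rather than guessing. The `-p1` added in the `%prep` hunk is the correct strip level for the `a/py-1.5.4/...` paths inside the patch when combined with `-c`, so that part is consistent.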