diff --git a/buffer_overflow.patch b/buffer_overflow.patch
new file mode 100644
index 0000000000000000000000000000000000000000..2ee3fff0db543ff3d53a5e98dad5817030dbe59e
--- /dev/null
+++ b/buffer_overflow.patch
@@ -0,0 +1,12 @@
+diff -urp zip30/fileio.c zip30/fileio.c
+--- zip30/fileio.c 2008-05-29 03:13:24.000000000 +0300
++++ zip30/fileio.c 2023-05-02 12:19:50.488314853 +0300
+@@ -3502,7 +3502,7 @@ zwchar *local_to_wide_string(local_strin
+ if ((wc_string = (wchar_t *)malloc((wsize + 1) * sizeof(wchar_t))) == NULL) {
+ ZIPERR(ZE_MEM, "local_to_wide_string");
+ }
+- wsize = mbstowcs(wc_string, local_string, strlen(local_string) + 1);
++ wsize = mbstowcs(wc_string, local_string, wsize + 1);
+ wc_string[wsize] = (wchar_t) 0;
+
+ /* in case wchar_t is not zwchar */
diff --git a/sast.patch b/sast.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1afd7b7203714c5a2aeda1d8f8f0df8468274548
--- /dev/null
+++ b/sast.patch
@@ -0,0 +1,11 @@
+--- ./util.c.old 2025-01-28 14:32:33.064491685 +0100
++++ ./util.c 2025-01-28 14:34:51.331444527 +0100
+@@ -862,7 +862,7 @@
+
+ /* remove escape characters */
+ while ((argstart = MBSCHR(argstart, '\\')) != NULL) {
+- strcpy(argstart, argstart + 1);
++ memmove(argstart, argstart +1, strlen(argstart)+1);
+ if (*argstart)
+ ++argstart;
+ }
diff --git a/zip-3.0-currdir.patch b/zip-3.0-currdir.patch
new file mode 100644
index 0000000000000000000000000000000000000000..40da32e7afc8566776b34f7c096e67dcba472d30
--- /dev/null
+++ b/zip-3.0-currdir.patch
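Review bot: In buffer_overflow.patch the result of the second `mbstowcs()` call is still used as an index on the next line (`wc_string[wsize] = (wchar_t) 0;`) without being checked. `mbstowcs()` returns `(size_t)-1` on an invalid multibyte sequence, and that value would place the terminator outside the allocation. An earlier sizing call outside this hunk may already reject such input, but a local guard keeps the write safe regardless: `if (wsize == (size_t)-1) { free(wc_string); return NULL; }` before the terminator store. local_to_wide_string starts and ends outside the hunk, so its failure convention should be confirmed there.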
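Review bot: In sast.patch the new `memmove(argstart, argstart +1, strlen(argstart)+1);` copies one byte too many. The source starts at `argstart + 1`, so the remaining text plus its terminator is `strlen(argstart)` bytes, and the extra byte is read from just past the NUL. When the string ends at the end of its buffer that is a one-byte out-of-bounds read, which sanitizers will flag. The length should be `strlen(argstart)`, i.e. `memmove(argstart, argstart + 1, strlen(argstart));`. The enclosing function lies outside the hunk.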
@@ -0,0 +1,12 @@
+diff -up zip30/util.c.currdir zip30/util.c
+--- zip30/util.c.currdir 2009-11-16 12:42:17.783961701 +0100
++++ zip30/util.c 2009-11-16 12:42:58.185960707 +0100
+@@ -493,6 +493,8 @@ int cs; /* force case-se
+ /* Compare the sh pattern p with the string s and return true if they match,
+ false if they don't or if there is a syntax error in the pattern. */
+ {
++ while (s[0] == '.' && s[1] == '/')
++ s += 2; /* strip redundant leading "./" sections */
+ return recmatch(p, s, cs) == 1;
+ }
+
diff --git a/zip-3.0-format-security.patch b/zip-3.0-format-security.patch
new file mode 100644
index 0000000000000000000000000000000000000000..54ce2e66281f3f8137e0b827e9e6e757a3813555
--- /dev/null
+++ b/zip-3.0-format-security.patch
@@ -0,0 +1,20 @@
+--- a/zip.c
++++ a/zip.c
+@@ -1028,7 +1028,7 @@ local void help_extended()
+
+ for (i = 0; i < sizeof(text)/sizeof(char *); i++)
+ {
+- printf(text[i]);
++ printf("%s", text[i]);
+ putchar('\n');
+ }
+ #ifdef DOS
+@@ -1225,7 +1225,7 @@ local void version_info()
+ CR_MAJORVER, CR_MINORVER, CR_BETA_VER, CR_VERSION_DATE);
+ for (i = 0; i < sizeof(cryptnote)/sizeof(char *); i++)
+ {
+- printf(cryptnote[i]);
++ printf("%s", cryptnote[i]);
+ putchar('\n');
+ }
+ ++i; /* crypt support means there IS at least one compilation option */
diff --git a/zip-3.0-man-strip-extra.patch b/zip-3.0-man-strip-extra.patch
new file mode 100644
index 0000000000000000000000000000000000000000..abb9f7cbaf12784207e46382f1d95e8e15b4b0a7
--- /dev/null
+++ b/zip-3.0-man-strip-extra.patch
@@ -0,0 +1,11 @@
+--- ./man/zip.1.old 2024-12-11 10:51:22.837845520 +0100
++++ ./man/zip.1 2024-12-11 10:51:34.458142392 +0100
+@@ -2297,7 +2297,7 @@
+ .B \-X
+ .TP
+ .PD
+-.B \-\-no\-extra
++.B \-\-strip\-extra
+ Do not save extra file attributes (Extended Attributes on OS/2, uid/gid
+ and file times on Unix). The zip format uses extra fields to include
+ additional information for each entry. Some extra fields are specific
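Review bot: In zip-3.0-currdir.patch only the candidate string `s` has its leading "./" stripped; the pattern `p` is passed to `recmatch()` unchanged. A pattern that itself begins with "./" (for example an exclude written as `./dir/*`) would then stop matching a path it matched before, which for exclusion lists means files can end up in the archive unexpectedly. If callers do not normalise patterns elsewhere, apply the same loop to `p`: `while (p[0] == '.' && p[1] == '/') p += 2;`. Note also that ".//name" is reduced to "/name", so a short comment stating the intended normalisation would help; the function signature sits outside the hunk.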
diff --git a/zip-gnu89-build.patch b/zip-gnu89-build.patch
new file mode 100644
index 0000000000000000000000000000000000000000..65ee7a76c0738f80167e3735e27e468608e4369b
--- /dev/null
+++ b/zip-gnu89-build.patch
@@ -0,0 +1,15 @@
+zip uses C89-only features, so it needs to be built in C89 mode.
+
+diff --git a/unix/Makefile b/unix/Makefile
+index 86cf54bf0f56cea9..244390893eab5fc6 100644
+--- a/unix/Makefile
++++ b/unix/Makefile
+@@ -202,7 +202,7 @@ generic: flags
+ eval $(MAKE) $(MAKEF) zips `cat flags`
+
+ generic_gcc:
+- $(MAKE) $(MAKEF) generic CC=gcc CPP="gcc -E"
++ $(MAKE) $(MAKEF) generic CC="gcc -std=gnu89" CPP="gcc -E"
+
+ # AT&T 6300 PLUS (don't know yet how to allocate 64K bytes):
+ att6300nodir:
diff --git a/zip.spec b/zip.spec
index 1f4a056630f179396a4042183cfb58ba25bc9a14..d0f034dd8acd4db1d79a3fdebf41d441f4b9634d 100644
--- a/zip.spec
+++ b/zip.spec
@@ -1,13 +1,20 @@ -%define anolis_release 24 +%define anolis_release 25 Name: zip -Version: 3.0 +Version: 3.0 Release: %{anolis_release}%{?dist} License: BSD URL: http://www.info-zip.org/Zip.html -Source: http://downloads.sourceforge.net/infozip/%{name}30.tar.gz#/%{name}-%{version}.tar.gz +Source0: http://downloads.sourceforge.net/infozip/zip30.tar.gz Summary: A file compression and packaging utility compatible with PKZIP Patch1: 0001-zip-3.0-format-security.patch +Patch2: zip-3.0-currdir.patch +Patch3: buffer_overflow.patch +Patch4: zipnote.patch +Patch5: zip-gnu89-build.patch +Patch6: zip-3.0-man-strip-extra.patch +Patch7: zip-3.0-format-security.patch +Patch8: sast.patch BuildRequires: make BuildRequires: bzip2-devel, gcc
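Review bot: In zip.spec, `Patch1: 0001-zip-3.0-format-security.patch` is kept while `Patch7: zip-3.0-format-security.patch` is added, and the new patch makes the `printf("%s", …)` change in zip.c that the existing one presumably already makes. If both are applied, Patch7 will either fail or be detected as already applied, so one of the two should be dropped; the %prep section is outside this hunk, so confirm which patches are actually applied. The new `%changelog` entry in the following hunk is also stamped `3.0-46` although `anolis_release` becomes 25 here. Since `zip30.tar.gz` is now committed as a binary, it is worth recording how its checksum was verified against the upstream `Source0` URL.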
@@ -67,6 +74,13 @@ mkdir -p $RPM_BULD_ROOT%{_mandir}/man1 %doc README CHANGES TODO WHATSNEW WHERE README.CR %changelog +* Mon Sep 29 2025 wenyuzifang - 3.0-46 +- Ensure consistent pattern matching by normalizing paths with redundant './' prefixes. +- Fix buffer overflow risk by ensuring correct wide character conversion size. +- Fix resource leak by closing the correct input file pointer to ensure proper file handling and prevent file descriptor leaks. +- Ensure consistent builds by enforcing C89 mode with GCC to prevent modern compiler defaults from causing issues. +- Fix unsafe printf usage to prevent format string vulnerabilities and improve code security. +- Fix undefined behavior by safely handling overlapping memory during string manipulation. * Thu Dec 22 2022 Funda Wang - 3.0-24 - Bump release for upgrading from anolis 8
diff --git a/zip30.tar.gz b/zip30.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..57f60be499bef90ccf84fe47d522d32504609e9b
Binary files /dev/null and b/zip30.tar.gz differ
diff --git a/zipnote.patch b/zipnote.patch
new file mode 100644
index 0000000000000000000000000000000000000000..4177a7df81fe418863f650627f53cce0c87c142e
--- /dev/null
+++ b/zipnote.patch
@@ -0,0 +1,13 @@
+diff --git a/zipnote.c b/zipnote.c
+index 5e02cb6..996f012 100644
+--- a/zipnote.c
++++ b/zipnote.c
+@@ -661,7 +661,7 @@ char **argv; /* command line tokens */
+ if ((r = zipcopy(z)) != ZE_OK)
+ ziperr(r, "was copying an entry");
+ }
+- fclose(x);
++ fclose(in_file);
+
+ /* Write central directory and end of central directory with new comments */
+ if ((c = zftello(y)) == (zoff_t)-1) /* get start of central */