diff --git a/0004-repo-source-traversal-bugfix.patch b/0004-repo-source-traversal-bugfix.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d03e3f1c647f935b94775c47992ce6bec30b1cb5
--- /dev/null
+++ b/0004-repo-source-traversal-bugfix.patch
@@ -0,0 +1,44 @@
+From 56d39a89eeeb54f20b413e4466d17fbc6b7337e4 Mon Sep 17 00:00:00 2001
+From: xyn-coder <xiangyuning@huawei.com>
+Date: Mon, 21 Aug 2023 19:45:49 +0800
+Subject: [PATCH] repo source traversal bugfix
+
+---
+ isomaker/img_repo.sh | 2 +-
+ isomaker/init.sh     | 3 +--
+ 2 files changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/isomaker/img_repo.sh b/isomaker/img_repo.sh
+index cb46708..530f3c7 100644
+--- a/isomaker/img_repo.sh
++++ b/isomaker/img_repo.sh
+@@ -19,7 +19,7 @@ set -e
+ function create_install_img()
+ {
+     tmprep=''
+-    repos=($(echo "$YUMREPO" | sed 's/-s//g'))
++    repos=($(echo "$YUMREPO"))
+     for rep in  ${repos[@]}
+     do
+         if [[ "${rep}" =~ "Epol" ]];then
+diff --git a/isomaker/init.sh b/isomaker/init.sh
+index c6a868e..26478ff 100644
+--- a/isomaker/init.sh
++++ b/isomaker/init.sh
+@@ -140,12 +140,11 @@ function global_var_init()
+         YUMREPO="$CONFIG_YUM_REPOS"
+         CONFIG="$CONFIG_PACKAGES_LIST_FILE"
+     else
+-        YUMREPO="-s $YUM_REPO"
++        YUMREPO="$YUM_REPO"
+         CONFIG=""
+     fi
+     REPOS=$(echo "$REPOS1")
+     if [ "X$REPOS" != "X" ];then
+-        REPOS=$(echo " ""${REPOS}" | sed 's/ / -s /g')
+         YUMREPO="${REPOS}"
+     fi
+     set -e
+-- 
+2.33.0
+
diff --git a/oemaker.spec b/oemaker.spec
index 283c1c0fc90f2f7cbcc525564974d71b528903ea..0ce0804b97d3bb378fb36310159c6c3207c319bc 100644
--- a/oemaker.spec
+++ b/oemaker.spec
@@ -11,7 +11,7 @@ Summary:        a building tool for DVD ISO making and ISO cutting
 License:        Mulan PSL v2
 Group:          System/Management
 Version:        3.0.2
-Release:        4
+Release:        5
 BuildRoot:      %{_tmppath}/%{name}
 
 Source:         https://gitee.com/openeuler/oemaker/repository/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
@@ -29,6 +29,7 @@ Requires:       lorax >= 19.6.78-1
 
 Patch0001:    0001-change-rescue-parameter-with-new-anaconda.patch
 Patch0002:    0002-enable-eject-in-install.img.patch
+Patch0004:    0004-repo-source-traversal-bugfix.patch
 
 %description
 a building tool for DVD ISO making and ISO cutting
@@ -163,6 +164,12 @@ rm -rf %{buildroot}
 rm -rf $RPM_BUILD_DIR/%{name}
 
 %changelog
+* Wed Aug 23 2023 xiangyuning <xiangyuning@huawei.com> - 3.0.2-5
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC: fix repo source traversal
+
 * Thu Aug 07 2023 sunhai <sunhai10@huawei.com> - 3.0.2-4
 - ID:NA
 - SUG:NA