diff --git a/CVE-2023-1672.patch b/CVE-2023-1672.patch new file mode 100644 index 0000000000000000000000000000000000000000..1bd6c9fe62c231081eb7bd810905d935bc374fcc --- /dev/null +++ b/CVE-2023-1672.patch @@ -0,0 +1,51 @@ +From 8dbbed10870378f1b2c3cf3df2ea7edca7617096 Mon Sep 17 00:00:00 2001 +From: Sergio Correia +Date: Wed, 14 Jun 2023 10:53:20 -0300 +Subject: [PATCH] Fix race condition when creating/rotating keys (#123) + +When we create/rotate keys using either the tangd-keygen and +tangd-rotate-keys helpers, there is a small window between the +keys being created and then the proper ownership permissions being +set. This also happens when there are no keys and tang creates a +pair of keys itself. + +In certain situations, such as the keys directory having wide open +permissions, a user with local access could exploit this race +condition and read the keys before they are set to more restrictive +permissions. + +To prevent this issue, we now set the default umask to 0337 before +creating the files, so that they are already created with restrictive +permissions; afterwards, we set the proper ownership as usual. + +Issue reported by Brian McDermott of CENSUS labs. + +Fixes CVE-2023-1672 + +Refer: + https://github.com/latchset/tang/commit/8dbbed10870378f1b2c3cf3df2ea7edca7617096 + https://ubuntu.com/security/CVE-2023-1672 + +Reviewed-by: Sergio Arroutbi +Signed-off-by: Sergio Correia +--- + src/tangd-keygen | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/tangd-keygen b/src/tangd-keygen +index 20d498e..d894ece 100755 +--- a/src/tangd-keygen ++++ b/src/tangd-keygen +@@ -27,6 +27,9 @@ fi + + [ $# -eq 3 ] && sig=$2 && exc=$3 + ++# Set default umask for file creation. ++umask 0337 ++ + jwe=`jose jwk gen -i '{"alg":"ES512"}'` + [ -z "$sig" ] && sig=`echo "$jwe" | jose jwk thp -i-` + echo "$jwe" > $1/$sig.jwk +-- +2.33.0 + diff --git a/tang.spec b/tang.spec index c9a418b13e5f34a190adc60d3cae6221ab32efd7..352442037a37b2b19f467dab4e54d3e0edf33dac 100644 
--- a/tang.spec +++ b/tang.spec @@ -1,10 +1,11 @@ Name: tang Version: 7 -Release: 3 +Release: 4 Summary: Server for binding data to network presence License: GPLv3+ URL: https://github.com/latchset/%{name} Source0: https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.bz2 +Patch0: CVE-2023-1672.patch BuildRequires: gcc jose libjose-devel libjose-zlib-devel libjose-openssl-devel BuildRequires: http-parser-devel systemd-devel pkgconfig systemd curl @@ -31,7 +32,7 @@ the encryption key. This process is the recovery step. %package_help %prep -%autosetup -n %{name}-%{version} +%autosetup -n %{name}-%{version} -p1 %build %configure @@ -97,6 +98,9 @@ exit 0 %{_mandir}/man1/tang-show-keys.1* %changelog +* Fri Jun 30 2023 wangkai <13474090681@163.com> - 7-4 +- Fix CVE-2023-1672 + * Mon May 18 2020 zhouyihang - 7-3 - Rebuild for tang
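Review bot: the commit message states the race also affects the tangd-rotate-keys helper and the case where tang creates a key pair itself, yet the diffstat ("src/tangd-keygen | 3 +++", "1 file changed") shows only tangd-keygen receiving the `umask 0337` line; please confirm whether the rotate helper and the in-daemon key creation in tang 7 need the same guard, or state in the changelog why they do not. As a style point, the comment "# Set default umask for file creation." would be more useful if it named the resulting mode: with `umask 0337`, the `.jwk` written by `echo "$jwe" > $1/$sig.jwk` is created as 0440 (owner and group read-only), which is the whole point of the fix.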
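Review bot: `-p1` on `%autosetup` is the correct strip level because the embedded patch uses `a/src/tangd-keygen` and `b/src/tangd-keygen` paths; since `%autosetup` applies every `PatchN` declared in the header automatically, make sure no explicit `%patch0` line is added elsewhere in `%prep`, or the patch would be applied twice and fail.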
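Review bot: the new `7-4` changelog entry matches the `Release: 4` bump and the `Patch0: CVE-2023-1672.patch` declaration in the header hunk; it would help provenance if the entry also cited the upstream commit 8dbbed10870378f1b2c3cf3df2ea7edca7617096 (already listed in the patch's `Refer:` block), so that `rpm -q --changelog` shows which upstream fix was backported without opening the patch file.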