diff --git a/CVE-2015-8863.patch b/CVE-2015-8863.patch
new file mode 100644
index 0000000..f4046cd
--- /dev/null
+++ b/CVE-2015-8863.patch
@@ -0,0 +1,37 @@
+From 8eb1367ca44e772963e704a700ef72ae2e12babd Mon Sep 17 00:00:00 2001
+From: Nicolas Williams
+Date: Sat, 24 Oct 2015 17:24:57 -0500
+Subject: [PATCH] Heap buffer overflow in tokenadd() (fix #105)
+
+This was an off-by one: the NUL terminator byte was not allocated on
+resize. This was triggered by JSON-encoded numbers longer than 256
+bytes.
+---
+ src/jv_parse.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/jv_parse.c b/src/jv_parse.c
+index 3102ed4..84245b8 100644
+--- a/src/jv_parse.c
++++ b/src/jv_parse.c
+@@ -383,7 +383,7 @@ static pfunc stream_token(struct jv_parser* p, char ch) {
+
+ static void tokenadd(struct jv_parser* p, char c) {
+ assert(p->tokenpos <= p->tokenlen);
+- if (p->tokenpos == p->tokenlen) {
++ if (p->tokenpos >= (p->tokenlen - 1)) {
+ p->tokenlen = p->tokenlen*2 + 256;
+ p->tokenbuf = jv_mem_realloc(p->tokenbuf, p->tokenlen);
+ }
+@@ -485,7 +485,7 @@ static pfunc check_literal(struct jv_parser* p) {
+ TRY(value(p, v));
+ } else {
+ // FIXME: better parser
+- p->tokenbuf[p->tokenpos] = 0; // FIXME: invalid
++ p->tokenbuf[p->tokenpos] = 0;
+ char* end = 0;
+ double d = jvp_strtod(&p->dtoa, p->tokenbuf, &end);
+ if (end == 0 || *end != 0)
+--
+2.14.3
+
diff --git a/jq-1.5.tar.gz b/jq-1.5.tar.gz
new file mode 100644
index 0000000..d034ef9
Binary files /dev/null and b/jq-1.5.tar.gz differ
diff --git a/jq.spec b/jq.spec
new file mode 100644
index 0000000..c76da6d
--- /dev/null
+++ b/jq.spec
@@ -0,0 +1,72 @@
+Name: jq
+Version: 1.5
+Release: 14
+Summary: A lightweight and flexible command-line JSON processor
+License: MIT and ASL 2.0 and CC-BY and GPLv3
+URL: http://stedolan.github.io/jq/
+Source0: https://github.com/stedolan/jq/releases/download/jq-%{version}/jq-%{version}.tar.gz
+Patch0: CVE-2015-8863.patch
+BuildRequires: flex bison oniguruma-devel valgrind
+
+%description
+jq is a lightweight and flexible command-line JSON processor.
+you can use it to slice and filter and map and transform structured data.
+It is written in portable C, and it has zero runtime dependencies.
+it can mangle the data format that you have into the one that you want.
+
+%package devel
+Summary: Development files for jq
+Requires: jq = %{version}-%{release}
+
+%description devel
+Development files for jq.
+
+%package help
+Summary: Documentation for jq package
+BuildArch: noarch
+
+%description help
+Documentation for jq package.
+
+%prep
+%autosetup -n jq-%{version}
+
+%build
+%configure --disable-static
+%make_build
+
+%install
+%make_install
+%delete_la
+
+%check
+%ifarch x86_64
+make check
+%endif
+
+%post
+/sbin/ldconfig
+
+%postun
+/sbin/ldconfig
+
+
+%files
+%{_bindir}/jq
+%{_libdir}/libjq.so.*
+%{_datadir}/doc/jq/COPYING
+%{_datadir}/doc/jq/AUTHORS
+
+%files devel
+%{_includedir}/*.h
+%{_libdir}/libjq.so
+
+%files help
+%{_datadir}/man/man1/jq.1.gz
+%{_datadir}/doc/jq/README
+%{_datadir}/doc/jq/README.md
+
+
+%changelog
+* Tue Dec 31 2019 zhujunhao 1.5-14
+- Package init
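Review bot: `%autosetup -n jq-%{version}` in the `%prep` section passes no strip level to patch, while the only patch listed, `CVE-2015-8863.patch`, addresses `a/src/jv_parse.c` / `b/src/jv_parse.c`; unless the build environment's rpm macros default to `-p1`, patch will look for the file under the wrong name and the security fix will not be applied. Making the level explicit, `%autosetup -n jq-%{version} -p1`, removes the dependence on macro defaults. The `%check` section is gated on `%ifarch x86_64`, so on every other architecture the test suite never exercises the patched number parser; if the gate is intentional, a one-line comment above it stating the reason would help the next maintainer. Since this spec carries a single upstream fix for a 2015 release, it is worth confirming against upstream history whether later parser fixes should be backported alongside it.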