diff --git a/CVE-2017-9228.patch b/CVE-2017-9228.patch
new file mode 100644
index 0000000..d2b8c1d
--- /dev/null
+++ b/CVE-2017-9228.patch
@@ -0,0 +1,28 @@
+From 5c8ed2a12935501759ebf1792ee4949b429c195b Mon Sep 17 00:00:00 2001
+From: "K.Kosako" <kosako@sofnec.co.jp>
+Date: Wed, 24 May 2017 13:43:25 +0900
+Subject: [PATCH] fix #60 : invalid state(CCS_VALUE) in parse_char_class()
+
+Signed-off-by: hanxinke <hanxinke@huawei.com>
+---
+ src/regparse.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/regparse.c b/src/regparse.c
+index fcc05cf..3689519 100644
+--- a/src/regparse.c
++++ b/src/regparse.c
+@@ -6071,7 +6071,9 @@ next_state_class(CClassNode* cc, OnigCodePoint* vs, enum CCVALTYPE* type,
+     }
+   }
+ 
+-  *state = CCS_VALUE;
++  if (*state != CCS_START)
++    *state = CCS_VALUE;
++
+   *type  = CCV_CLASS;
+   return 0;
+ }
+-- 
+2.0.1
+
diff --git a/CVE-2019-13224.patch b/CVE-2019-13224.patch
new file mode 100644
index 0000000..04af20e
--- /dev/null
+++ b/CVE-2019-13224.patch
@@ -0,0 +1,45 @@
+From ad793dcb677988667b2d23e3fd4480b44113fdd1 Mon Sep 17 00:00:00 2001
+From: "K.Kosako" <kosako@sofnec.co.jp>
+Date: Thu, 27 Jun 2019 17:25:26 +0900
+Subject: [PATCH] Fix CVE-2019-13224: don't allow different encodings for
+ onig_new_deluxe()
+
+Signed-off-by: hanxinke <hanxinke@huawei.com>
+---
+ src/regext.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/regext.c b/src/regext.c
+index 996d043..de122c7 100644
+--- a/src/regext.c
++++ b/src/regext.c
+@@ -29,6 +29,7 @@
+ 
+ #include "regint.h"
+ 
++#if 0
+ static void
+ conv_ext0be32(const UChar* s, const UChar* end, UChar* conv)
+ {
+@@ -158,6 +159,7 @@ conv_encoding(OnigEncoding from, OnigEncoding to, const UChar* s, const UChar* e
+ 
+   return ONIGERR_NOT_SUPPORTED_ENCODING_COMBINATION;
+ }
++#endif
+ 
+ extern int
+ onig_new_deluxe(regex_t** reg, const UChar* pattern, const UChar* pattern_end,
+@@ -169,9 +171,7 @@ onig_new_deluxe(regex_t** reg, const UChar* pattern, const UChar* pattern_end,
+   if (IS_NOT_NULL(einfo)) einfo->par = (UChar* )NULL;
+ 
+   if (ci->pattern_enc != ci->target_enc) {
+-    r = conv_encoding(ci->pattern_enc, ci->target_enc, pattern, pattern_end,
+-                      &cpat, &cpat_end);
+-    if (r != 0) return r;
++    return ONIGERR_NOT_SUPPORTED_ENCODING_COMBINATION;
+   }
+   else {
+     cpat     = (UChar* )pattern;
+-- 
+2.0.1
+
diff --git a/CVE-2019-13225.patch b/CVE-2019-13225.patch
new file mode 100644
index 0000000..e958d8f
--- /dev/null
+++ b/CVE-2019-13225.patch
@@ -0,0 +1,71 @@
+From 5ed8bad6a362c8a77cbd40196cd8867681029bcd Mon Sep 17 00:00:00 2001
+From: "K.Kosako" <kosako@sofnec.co.jp>
+Date: Thu, 27 Jun 2019 14:11:55 +0900
+Subject: [PATCH] Fix CVE-2019-13225: problem in converting if-then-else
+ pattern to bytecode.
+
+Signed-off-by: hanxinke <hanxinke@huawei.com>
+---
+ src/regcomp.c | 24 +++++++++++++++++-------
+ 1 file changed, 17 insertions(+), 7 deletions(-)
+
+diff --git a/src/regcomp.c b/src/regcomp.c
+index 83b9252..6c9da7e 100644
+--- a/src/regcomp.c
++++ b/src/regcomp.c
+@@ -1100,8 +1100,9 @@ compile_length_enclosure_node(EnclosureNode* node, regex_t* reg)
+         len += tlen;
+       }
+ 
++      len += SIZE_OP_JUMP + SIZE_OP_ATOMIC_END;
++
+       if (IS_NOT_NULL(Else)) {
+-        len += SIZE_OP_JUMP;
+         tlen = compile_length_tree(Else, reg);
+         if (tlen < 0) return tlen;
+         len += tlen;
+@@ -1243,7 +1244,7 @@ compile_enclosure_node(EnclosureNode* node, regex_t* reg, ScanEnv* env)
+ 
+   case ENCLOSURE_IF_ELSE:
+     {
+-      int cond_len, then_len, jump_len;
++      int cond_len, then_len, else_len, jump_len;
+       Node* cond = NODE_ENCLOSURE_BODY(node);
+       Node* Then = node->te.Then;
+       Node* Else = node->te.Else;
+@@ -1260,8 +1261,7 @@ compile_enclosure_node(EnclosureNode* node, regex_t* reg, ScanEnv* env)
+       else
+         then_len = 0;
+ 
+-      jump_len = cond_len + then_len + SIZE_OP_ATOMIC_END;
+-      if (IS_NOT_NULL(Else)) jump_len += SIZE_OP_JUMP;
++      jump_len = cond_len + then_len + SIZE_OP_ATOMIC_END + SIZE_OP_JUMP;
+ 
+       r = add_opcode_rel_addr(reg, OP_PUSH, jump_len);
+       if (r != 0) return r;
+@@ -1276,9 +1276,19 @@ compile_enclosure_node(EnclosureNode* node, regex_t* reg, ScanEnv* env)
+       }
+ 
+       if (IS_NOT_NULL(Else)) {
+-        int else_len = compile_length_tree(Else, reg);
+-        r = add_opcode_rel_addr(reg, OP_JUMP, else_len);
+-        if (r != 0) return r;
++        else_len = compile_length_tree(Else, reg);
++        if (else_len < 0) return else_len;
++      }
++      else
++        else_len = 0;
++
++      r = add_opcode_rel_addr(reg, OP_JUMP, else_len + SIZE_OP_ATOMIC_END);
++      if (r != 0) return r;
++
++      r = add_opcode(reg, OP_ATOMIC_END);
++      if (r != 0) return r;
++
++      if (IS_NOT_NULL(Else)) {
+         r = compile_tree(Else, reg, env);
+       }
+     }
+-- 
+2.0.1
+
diff --git a/onig-6.9.0.tar.gz b/onig-6.9.0.tar.gz
new file mode 100644
index 0000000..25461c2
Binary files /dev/null and b/onig-6.9.0.tar.gz differ
diff --git a/oniguruma.spec b/oniguruma.spec
new file mode 100644
index 0000000..6a32527
--- /dev/null
+++ b/oniguruma.spec
@@ -0,0 +1,70 @@
+Name:		    oniguruma
+Version:	    6.9.0
+Release:	    1
+Summary:	    Regular expressions library
+License:	    BSD
+URL:		    https://github.com/kkos/oniguruma/
+Source0:	    https://github.com/kkos/oniguruma/releases/download/v%{version}/onig-%{version}.tar.gz
+
+BuildRequires:	gcc
+
+Patch0001:      CVE-2017-9228.patch
+Patch0002:      CVE-2019-13224.patch
+Patch0003:      CVE-2019-13225.patch
+
+%description
+Oniguruma is a regular expressions library.
+The characteristics of this library is that different character encoding
+for every regular expression object can be specified.
+(supported APIs: GNU regex, POSIX and Oniguruma native)
+
+%package	    devel
+Summary:	    Development files for %{name}
+Requires:	    %{name} = %{version}-%{release}
+
+%description    devel
+The %{name}-devel package contains libraries and header files for
+developing applications that use %{name}.
+
+%package_help
+
+%prep
+%autosetup -n onig-%{version} -p1
+%{__sed} -i.multilib -e 's|-L@libdir@||' onig-config.in
+
+%build
+%configure --disable-silent-rules --with-rubydir=%{_bindir}
+%make_build
+
+%install
+%make_install
+%delete_la
+
+%check
+make check
+
+%ldconfig_scriptlets
+
+%files
+%defattr(-,root,root,-)
+%doc	AUTHORS
+%license	COPYING
+%lang(ja)	%doc	README_japanese index_ja.html
+%{_libdir}/libonig.so.5*
+
+%files          devel
+%defattr(-,root,root,-)
+%lang(ja)	%doc	doc/*.ja
+%{_bindir}/onig-config
+%{_includedir}/onig*.h
+%{_libdir}/*.a
+%{_libdir}/libonig.so
+%{_libdir}/pkgconfig/%{name}.pc	
+
+%files          help
+%defattr(-,root,root)
+%doc HISTORY README.md index.html doc/API doc/CALLOUTS.API doc/CALLOUTS.BUILTIN doc/FAQ doc/RE
+
+%changelog
+* Wed Feb 12 2020 openEuler Buildteam <buildteam@openeuler.org> - 6.9.0-1
+- Package init