diff --git a/lua-5.3.5-CVE-2020-24370.patch b/lua-5.3.5-CVE-2020-24370.patch
new file mode 100644
index 0000000..5f3668b
--- /dev/null
+++ b/lua-5.3.5-CVE-2020-24370.patch
@@ -0,0 +1,26 @@
+diff -up lua-5.3.5/src/ldebug.c.CVE-2020-24370 lua-5.3.5/src/ldebug.c
+--- lua-5.3.5/src/ldebug.c.CVE-2020-24370	2020-08-19 13:37:17.075859557 -0400
++++ lua-5.3.5/src/ldebug.c	2020-08-19 13:38:53.117779244 -0400
+@@ -133,10 +133,11 @@ static const char *upvalname (Proto *p,
+ 
+ static const char *findvararg (CallInfo *ci, int n, StkId *pos) {
+   int nparams = clLvalue(ci->func)->p->numparams;
+-  if (n >= cast_int(ci->u.l.base - ci->func) - nparams)
++  int nvararg = cast_int(ci->u.l.base - ci->func) - nparams;
++  if (n <= -nvararg)
+     return NULL;  /* no such vararg */
+   else {
+-    *pos = ci->func + nparams + n;
++    *pos = ci->func + nparams - n;
+     return "(*vararg)";  /* generic name for any vararg */
+   }
+ }
+@@ -148,7 +149,7 @@ static const char *findlocal (lua_State
+   StkId base;
+   if (isLua(ci)) {
+     if (n < 0)  /* access to vararg values? */
+-      return findvararg(ci, -n, pos);
++      return findvararg(ci, n, pos);
+     else {
+       base = ci->u.l.base;
+       name = luaF_getlocalname(ci_func(ci)->p, n, currentpc(ci));
diff --git a/lua.spec b/lua.spec
index 203cc68..5084de5 100644
--- a/lua.spec
+++ b/lua.spec
@@ -15,7 +15,7 @@
 
 Name:           lua
 Version:        %{major_version}.5
-Release:        7%{?dist}
+Release:        8%{?dist}
 Summary:        Powerful light-weight programming language
 License:        MIT
 URL:            http://www.lua.org/
@@ -42,6 +42,7 @@ Patch7:         %{name}-5.2.2-luac-shared-link-fix.patch
 Patch8:         %{name}-5.2.2-configure-compat-module.patch
 %endif
 Patch9:         CVE-2019-6706-use-after-free-lua_upvaluejoin.patch
+Patch10:        %{name}-5.3.5-CVE-2020-24370.patch
 
 BuildRequires:  automake autoconf libtool readline-devel ncurses-devel
 Requires:       lua-libs = %{version}-%{release}
@@ -93,6 +94,7 @@ mv src/luaconf.h src/luaconf.h.template.in
 %patch3 -p1 -z .configure-linux
 %patch4 -p1 -z .configure-compat-all
 %patch9 -p1 -b .CVE-2019-6706
+%patch10 -p1 -b .CVE-2020-24370
 # Put proper version in configure.ac, patch0 hardcodes 5.3.0
 sed -i 's|5.3.0|%{version}|g' configure.ac
 autoreconf -ifv
@@ -214,6 +216,9 @@ install -Dpm 0644 %{SOURCE1000} $RPM_BUILD_ROOT/%{macrosdir}/macros.lua
 
 
 %changelog
+* Wed Aug 19 2020 Tom Callaway <spot@fedoraproject.org> - 5.3.5-8
+- fix CVE-2020-24370
+
 * Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 5.3.5-7
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild