diff --git a/SOURCES/less-590-fix_sast1.patch b/SOURCES/less-590-fix_sast1.patch
new file mode 100644
index 0000000..1d2fad5
--- /dev/null
+++ b/SOURCES/less-590-fix_sast1.patch
@@ -0,0 +1,26 @@
+diff -up less-590/command.c.fix_sast1 less-590/command.c
+--- less-590/command.c.fix_sast1 2021-06-03 19:45:48.000000000 +0200
++++ less-590/command.c 2024-08-06 23:28:58.042048590 +0200
+@@ -927,8 +927,8 @@ getcc_repl(orig, repl, gr_getc, gr_unget
+ LWCHAR (*gr_getc)(VOID_PARAM);
+ void (*gr_ungetc)(LWCHAR);
+ {
+- LWCHAR c;
+- LWCHAR keys[16];
++ char c;
++ char keys[16];
+ int ki = 0;
+
+ c = (*gr_getc)();
+diff -up less-590/decode.c.fix_sast1 less-590/decode.c
+--- less-590/decode.c.fix_sast1 2024-08-06 23:28:58.041048580 +0200
++++ less-590/decode.c 2024-08-06 23:29:55.715615701 +0200
+@@ -934,7 +934,7 @@ add_hometable(call_lesskey, envname, def
+ char *def_filename;
+ int sysvar;
+ {
+- char *filename;
++ char *filename = NULL;
+ int r;
+
+ if (envname != NULL && (filename = lgetenv(envname)) != NULL)
diff --git a/SOURCES/less-590-fix_sast2.patch b/SOURCES/less-590-fix_sast2.patch
new file mode 100644
index 0000000..f634de2
--- /dev/null
+++ b/SOURCES/less-590-fix_sast2.patch
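Review bot: In the command.c part of less-590-fix_sast1.patch, `c` and `keys[]` become plain `char` while the context lines still declare `LWCHAR (*gr_getc)(VOID_PARAM)` and `void (*gr_ungetc)(LWCHAR)`, so `c = (*gr_getc)();` is now a silent narrowing conversion. If plain `char` is signed on the build target, a value of 0x80 or above would presumably be sign-extended when it is widened again for the unget callback or the return value. getcc_repl's body continues outside the hunk, so this needs checking against the full function. I would make the truncation explicit with `c = (char) (*gr_getc)();` and add a comment such as `/* input is deliberately narrowed to char so it compares bytewise against orig */`.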
@@ -0,0 +1,53 @@
+diff -up less-590/lesskey_parse.c.fix_sast2 less-590/lesskey_parse.c
+--- less-590/lesskey_parse.c.fix_sast2 2024-08-06 23:42:33.839079731 +0200
++++ less-590/lesskey_parse.c 2024-08-06 23:47:17.433874330 +0200
+@@ -548,9 +548,9 @@ parse_lesskey(infile, tables)
+ FILE *desc;
+ char line[1024];
+
+- if (infile == NULL)
+- infile = homefile(DEF_LESSKEYINFILE);
+- lesskey_file = infile;
++ lesskey_file = (infile != NULL) ? strdup(infile) : homefile(DEF_LESSKEYINFILE);
++ if (lesskey_file == NULL)
++ return (-1);
+
+ init_tables(tables);
+ errors = 0;
+@@ -559,22 +559,29 @@ parse_lesskey(infile, tables)
+ /*
+ * Open the input file.
+ */
+- if (strcmp(infile, "-") == 0)
++ if (strcmp(lesskey_file, "-") == 0)
+ desc = stdin;
+- else if ((desc = fopen(infile, "r")) == NULL)
++ else if ((desc = fopen(lesskey_file, "r")) == NULL)
+ {
+- /* parse_error("cannot open lesskey file ", infile); */
+- return (-1);
++ /* parse_error("cannot open lesskey file %s", lesskey_file); */
++ errors = -1;
+ }
+
+ /*
+ * Read and parse the input file, one line at a time.
+ */
+- while (fgets(line, sizeof(line), desc) != NULL)
++ if (desc != NULL)
+ {
+- ++linenum;
+- parse_line(line, tables);
++ while (fgets(line, sizeof(line), desc) != NULL)
++ {
++ ++linenum;
++ parse_line(line, tables);
++ }
++ if (desc != stdin)
++ fclose(desc);
+ }
++ free(lesskey_file);
++ lesskey_file = NULL;
+
+ return (errors);
+ }
diff --git a/SPECS/less.spec b/SPECS/less.spec
index c5b3880..c21fb11 100644
--- a/SPECS/less.spec
+++ b/SPECS/less.spec
@@ -1,7 +1,7 @@
 Summary: A text file browser similar to more, but better
 Name: less
 Version: 590
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: GPLv3+ or BSD
 Source0: https://www.greenwoodsoftware.com/less/%{name}-%{version}.tar.gz
 Source1: lesspipe.sh
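Review bot: In the first lesskey_parse.c hunk of less-590-fix_sast2.patch, the new `return (-1);` for a NULL `lesskey_file` sits above `init_tables(tables);`, so on that path the caller gets -1 with `tables` untouched. The fopen-failure path in the second hunk, by contrast, now returns -1 only after the tables were initialised. Whether callers read `tables` on failure is not visible here (parse_lesskey starts outside the hunk), so moving `init_tables(tables);` above the `lesskey_file = ...` assignment would make both failure paths leave the same state. `free(lesskey_file)` also relies on homefile() returning heap memory, which the hunk does not show. A comment such as `/* lesskey_file is heap-allocated by strdup() or homefile(); freed before return */` would record that ownership assumption.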
@@ -17,7 +17,16 @@ Patch10: less-458-lesskey-usage.patch Patch11: less-458-old-bot-in-help.patch Patch12: less-590-CVE-2022-46663.patch Patch13: less-590-CVE-2022-48624.patch +# from upstream, for less < 661 , RHEL-32739 Patch14: less-590-CVE-2024-32487.patch + +# from upstream, for less < 661, RHEL-51178 +# based on https://github.com/gwsw/less/commit/2a79e5cd341f9c8437a71096c23c8fe8e94b7d0a +# based on https://github.com/gwsw/less/commit/987ebdc424c4865bf883eb0b11aea2b261b353f2 +Patch15: less-590-fix_sast1.patch + +# from upstream, for less < 661, based on commit#1649cc355a9eb824837feb4359828f5627e2eb69, RHEL-51178 +Patch16: less-590-fix_sast2.patch URL: https://www.greenwoodsoftware.com/less/ BuildRequires: ncurses-devel BuildRequires: autoconf automake libtool @@ -35,17 +44,19 @@ files, and you'll use it frequently. %prep %setup -q -%patch4 -p1 -b .time -%patch5 -p1 -b .fsync -%patch6 -p1 -b .manpage-add-old-bot-option -%patch7 -p1 -b .help -%patch8 -p1 -b .lessecho-usage -%patch9 -p1 -b .less-filters-man -%patch10 -p1 -b .lesskey-usage -%patch11 -p1 -b .old-bot -%patch12 -p1 -b .CVE-2022-46663 -%patch13 -p1 -b .CVE-2022-48624 -%patch14 -p1 -b .CVE-2024-32487 +%patch -P 4 -p1 -b .time +%patch -P 5 -p1 -b .fsync +%patch -P 6 -p1 -b .manpage-add-old-bot-option +%patch -P 7 -p1 -b .help +%patch -P 8 -p1 -b .lessecho-usage +%patch -P 9 -p1 -b .less-filters-man +%patch -P 10 -p1 -b .lesskey-usage +%patch -P 11 -p1 -b .old-bot +%patch -P 12 -p1 -b .CVE-2022-46663 +%patch -P 13 -p1 -b .CVE-2022-48624 +%patch -P 14 -p1 -b .CVE-2024-32487 +%patch -P 15 -p1 -b .fix_sast1 +%patch -P 16 -p1 -b .fix_sast2 %build 
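Review bot: The provenance comment for Patch16 gives only `commit#1649cc355a9eb824837feb4359828f5627e2eb69`, while Patch15 directly above it cites full commit URLs, which makes the second backport harder to trace. Assuming it is a commit in the same upstream repository, write it the same way: `# based on https://github.com/gwsw/less/commit/1649cc355a9eb824837feb4359828f5627e2eb69`. Both patches are described as "based on" upstream commits rather than copies of them, so a short remark on where each deviates from upstream would help the next rebase and any later audit of the backport.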
@@ -69,9 +80,11 @@ install -p -m 644 %{SOURCE3} $RPM_BUILD_ROOT/etc/profile.d %{_mandir}/man1/* %changelog -* Tue Apr 23 2024 Matej Mužila - 590-4 -- Fix CVE-2024-32487 -- Resolves: RHEL-33773 +* Tue Aug 06 2024 Michal Hlavinka - 590-5 +- fix static analysis findings (RHEL-51178) + +* Tue Aug 06 2024 Michal Hlavinka - 590-4 +- fix less with LESSOPEN allowing command injection (CVE-2024-32487) (RHEL-32739) * Wed Feb 21 2024 Matej Mužila 590-3 - Fix CVE-2022-48624