diff --git a/SOURCES/lua-5.4-CVE-2022-28805.patch b/SOURCES/lua-5.4-CVE-2022-28805.patch
new file mode 100644
index 0000000..c9e36c9
--- /dev/null
+++ b/SOURCES/lua-5.4-CVE-2022-28805.patch
@@ -0,0 +1,22 @@
+From 1f3c6f4534c6411313361697d98d1145a1f030fa Mon Sep 17 00:00:00 2001
+From: Roberto Ierusalimschy <roberto@inf.puc-rio.br>
+Date: Tue, 15 Feb 2022 12:28:46 -0300
+Subject: [PATCH] Bug: Lua can generate wrong code when _ENV is <const>
+
+---
+ lparser.c         |  1 +
+ testes/attrib.lua | 10 ++++++++++
+ 2 files changed, 11 insertions(+)
+
+diff --git a/lparser.c b/lparser.c
+index 3abe3d751..a5cd55257 100644
+--- a/src/lparser.c
++++ b/src/lparser.c
+@@ -468,6 +468,7 @@ static void singlevar (LexState *ls, expdesc *var) {
+     expdesc key;
+     singlevaraux(fs, ls->envn, var, 1);  /* get environment variable */
+     lua_assert(var->k != VVOID);  /* this one must exist */
++    luaK_exp2anyregup(fs, var);  /* but could be a constant */
+     codestring(&key, varname);  /* key is variable name */
+     luaK_indexed(fs, var, &key);  /* env[varname] */
+   }
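Review bot: The diffstat in the embedded patch header still lists `testes/attrib.lua | 10 ++++++++++` and `2 files changed, 11 insertions(+)`, but only the `lparser.c` hunk follows, so the upstream regression test for a `<const>` `_ENV` is not carried with the fix. I would either trim the diffstat to the one file or add a header line such as `[test hunk for testes/attrib.lua dropped; paths adjusted to src/]`, so a later rebase does not read this as a truncated patch. The `diff --git a/lparser.c b/lparser.c` line also disagrees with the `--- a/src/lparser.c` and `+++ b/src/lparser.c` lines below it and should be made consistent. The body of `singlevar` begins and ends outside the embedded hunk, so the effect of the added `luaK_exp2anyregup(fs, var)` call on the following `luaK_indexed` cannot be checked from here.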
diff --git a/SPECS/lua.spec b/SPECS/lua.spec
index f7eaff7..33a23e6 100644
--- a/SPECS/lua.spec
+++ b/SPECS/lua.spec
@@ -14,7 +14,7 @@
 
 Name:           lua
 Version:        %{major_version}.4
-Release:        2%{?dist}
+Release:        3%{?dist}
 Summary:        Powerful light-weight programming language
 License:        MIT
 URL:            http://www.lua.org/
@@ -39,6 +39,7 @@ Patch6:		%{name}-5.3.5-luac-shared-link-fix.patch
 # https://www.lua.org/bugs.html
 Patch18:	%{name}-5.3.5-CVE-2020-24370.patch
 Patch19:	%{name}-5.4.2-CVE-2022-33099.patch
+Patch20:	%{name}-5.4-CVE-2022-28805.patch
 
 BuildRequires:  automake autoconf libtool readline-devel ncurses-devel
 BuildRequires: make
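Review bot: `Patch20` is declared without a provenance comment, which leaves the upstream origin recorded only inside the patch file. A comment above it, for example `# Upstream commit 1f3c6f4534c6411313361697d98d1145a1f030fa, lparser.c hunk only`, would let the next rebase check quickly whether a newer Lua release already contains the fix and the patch can be dropped.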
@@ -94,6 +95,7 @@ mv src/luaconf.h src/luaconf.h.template.in
 %patch3 -p1 -z .configure-linux
 %patch4 -p1 -z .configure-compat-all
 %patch19 -p1 -b .CVE-2022-33099
+%patch20 -p1 -b .CVE-2022-28805
 # Put proper version in configure.ac, patch0 hardcodes 5.3.0
 sed -i 's|5.3.0|%{version}|g' configure.ac
 autoreconf -ifv
@@ -211,6 +213,9 @@ popd
 %{_libdir}/*.a
 
 %changelog
+* Fri Feb 03 2023 Florian Festi <ffesti@redhat.com> - 5.4.4-3
+- Apply upstream patch for CVE-2022-28805
+
 * Fri Feb 03 2023 Florian Festi <ffesti@redhat.com> - 5.4.4-2
 - Resolves CVE-2021-43519