diff -pruN 0.651-2/debian/changelog 0.651-2ubuntu1/debian/changelog
--- 0.651-2/debian/changelog	2022-04-12 16:37:01.000000000 +0000
+++ 0.651-2ubuntu1/debian/changelog	2023-02-01 15:22:42.000000000 +0000
@@ -1,3 +1,12 @@
+lrzip (0.651-2ubuntu1) lunar; urgency=medium
+
+  * SECURITY UPDATE: Memory Corruption
+    - debian/patches/CVE-2022-28044.patch: fixed a heap memory corruption
+      discovered in initialize_control function.
+    - CVE-2022-28044
+
+ -- Amir Naseredini <amir.naseredini@canonical.com>  Wed, 01 Feb 2023 15:22:42 +0000
+
 lrzip (0.651-2) unstable; urgency=high
 
   * Fix CVE-2018-5786: infinite loop in get_fileinfo() (closes: #888506).
diff -pruN 0.651-2/debian/control 0.651-2ubuntu1/debian/control
--- 0.651-2/debian/control	2021-02-19 16:38:21.000000000 +0000
+++ 0.651-2ubuntu1/debian/control	2023-02-01 15:22:42.000000000 +0000
@@ -1,7 +1,8 @@
 Source: lrzip
 Section: utils
 Priority: optional
-Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
+XSBC-Original-Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
 Build-Depends: debhelper-compat (= 12), automake, autoconf, libtool,
  zlib1g-dev, libbz2-dev, liblzo2-dev, liblz4-dev
 Standards-Version: 4.5.0
diff -pruN 0.651-2/debian/patches/CVE-2022-28044.patch 0.651-2ubuntu1/debian/patches/CVE-2022-28044.patch
--- 0.651-2/debian/patches/CVE-2022-28044.patch	1970-01-01 00:00:00.000000000 +0000
+++ 0.651-2ubuntu1/debian/patches/CVE-2022-28044.patch	2023-02-01 15:22:42.000000000 +0000
@@ -0,0 +1,44 @@
+From 5faf80cd53ecfd16b636d653483144cd12004f46 Mon Sep 17 00:00:00 2001
+From: Con Kolivas <kernel@kolivas.org>
+Date: Fri, 25 Feb 2022 22:35:20 +1100
+Subject: [PATCH] Fix control->suffix being deallocated as heap memory as
+ reported by Pietro Borrello.
+
+---
+ lrzip.c | 2 +-
+ main.c  | 6 ++++--
+ 2 files changed, 5 insertions(+), 3 deletions(-)
+
+--- lrzip-0.651.orig/lrzip.c
++++ lrzip-0.651/lrzip.c
+@@ -1397,7 +1397,7 @@ bool initialise_control(rzip_control *co
+ 	control->msgerr = stderr;
+ 	register_outputfile(control, control->msgout);
+ 	control->flags = FLAG_SHOW_PROGRESS | FLAG_KEEP_FILES | FLAG_THRESHOLD;
+-	control->suffix = ".lrz";
++	control->suffix = strdup(".lrz");
+ 	control->compression_level = 7;
+ 	control->ramsize = get_ram(control);
+ 	if (unlikely(control->ramsize == -1))
+--- lrzip-0.651.orig/main.c
++++ lrzip-0.651/main.c
+@@ -462,7 +462,8 @@ int main(int argc, char *argv[])
+ 			if (unlikely(STDOUT))
+ 				failure("Cannot specify an output filename when outputting to stdout\n");
+ 			control->outname = optarg;
+-			control->suffix = "";
++			dealloc(control->suffix);
++			control->suffix = strdup("");
+ 			break;
+ 		case 'O':
+ 			if (control->outname)	/* can't mix -o and -O */
+@@ -501,7 +502,8 @@ int main(int argc, char *argv[])
+ 				failure("Specified output filename already, can't specify an extension.\n");
+ 			if (unlikely(STDOUT))
+ 				failure("Cannot specify a filename suffix when outputting to stdout\n");
+-			control->suffix = optarg;
++			dealloc(control->suffix);
++			control->suffix = strdup(optarg);
+ 			break;
+ 		case 't':
+ 			if (control->outname)
diff -pruN 0.651-2/debian/patches/series 0.651-2ubuntu1/debian/patches/series
--- 0.651-2/debian/patches/series	2022-04-12 16:37:01.000000000 +0000
+++ 0.651-2ubuntu1/debian/patches/series	2023-02-01 15:22:42.000000000 +0000
@@ -1 +1,2 @@
 CVE-2018-5786.patch
+CVE-2022-28044.patch