diff --git a/SOURCES/Fix-integer-overflows-in-PAC-parsing.patch b/SOURCES/Fix-integer-overflows-in-PAC-parsing.patch
new file mode 100644
index 0000000..3138b3a
--- /dev/null
+++ b/SOURCES/Fix-integer-overflows-in-PAC-parsing.patch
@@ -0,0 +1,106 @@
+From 5741c46c084513d4d6b04e1e6abf810dbd996591 Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Mon, 17 Oct 2022 20:25:11 -0400
+Subject: [PATCH] Fix integer overflows in PAC parsing
+
+In krb5_parse_pac(), check for buffer counts large enough to threaten
+integer overflow in the header length and memory length calculations.
+Avoid potential integer overflows when checking the length of each
+buffer.
+
+CVE-2022-42898:
+
+In MIT krb5 releases 1.8 and later, an authenticated attacker may be
+able to cause a KDC or kadmind process to crash by reading beyond the
+bounds of allocated memory, creating a denial of service.  A
+privileged attacker may similarly be able to cause a Kerberos or GSS
+application service to crash.  On 32-bit platforms, an attacker can
+also cause insufficient memory to be allocated for the result,
+potentially leading to remote code execution in a KDC, kadmind, or GSS
+or Kerberos application server process.  An attacker with the
+privileges of a cross-realm KDC may be able to extract secrets from
+the KDC process's memory by having them copied into the PAC of a new
+ticket.
+
+ticket: 9074 (new)
+tags: pullup
+target_version: 1.20-next
+target_version: 1.19-next
+---
+ src/lib/krb5/krb/pac.c   |  9 +++++++--
+ src/lib/krb5/krb/t_pac.c | 18 ++++++++++++++++++
+ 2 files changed, 25 insertions(+), 2 deletions(-)
+
+diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
+index c70585a9eb..b0baa01930 100644
+--- a/src/lib/krb5/krb/pac.c
++++ b/src/lib/krb5/krb/pac.c
+@@ -27,6 +27,8 @@
+ #include "k5-int.h"
+ #include "authdata.h"
+ 
++#define MAX_BUFFERS 4096
++
+ /* draft-brezak-win2k-krb-authz-00 */
+ 
+ /*
+@@ -316,6 +318,9 @@ krb5_pac_parse(krb5_context context,
+     if (version != 0)
+         return EINVAL;
+ 
++    if (cbuffers < 1 || cbuffers > MAX_BUFFERS)
++        return ERANGE;
++
+     header_len = PACTYPE_LENGTH + (cbuffers * PAC_INFO_BUFFER_LENGTH);
+     if (len < header_len)
+         return ERANGE;
+@@ -348,8 +353,8 @@ krb5_pac_parse(krb5_context context,
+             krb5_pac_free(context, pac);
+             return EINVAL;
+         }
+-        if (buffer->Offset < header_len ||
+-            buffer->Offset + buffer->cbBufferSize > len) {
++        if (buffer->Offset < header_len || buffer->Offset > len ||
++            buffer->cbBufferSize > len - buffer->Offset) {
+             krb5_pac_free(context, pac);
+             return ERANGE;
+         }
+diff --git a/src/lib/krb5/krb/t_pac.c b/src/lib/krb5/krb/t_pac.c
+index 61fb51a98a..d7342bff9c 100644
+--- a/src/lib/krb5/krb/t_pac.c
++++ b/src/lib/krb5/krb/t_pac.c
+@@ -96,6 +96,16 @@ static const krb5_keyblock member_keyblock = {
+ static time_t authtime = 1120440609;
+ static const char *user = "w2003final$@WIN2K3.THINKER.LOCAL";
+ 
++static const unsigned char fuzz1[] = {
++    0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00,
++    0x06, 0xff, 0xff, 0xff, 0x00, 0x00, 0xf5
++};
++
++static const unsigned char fuzz2[] = {
++    0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00,
++    0x20, 0x20
++};
++
+ #if !defined(__cplusplus) && (__GNUC__ > 2)
+ static void err(krb5_context ctx, krb5_error_code code, const char *fmt, ...)
+     __attribute__((__format__(__printf__, 3, 0)));
+@@ -227,6 +237,14 @@ main(int argc, char **argv)
+ 
+     krb5_pac_free(context, pac);
+ 
++    /* Check problematic PACs found by fuzzing. */
++    ret = krb5_pac_parse(context, fuzz1, sizeof(fuzz1), &pac);
++    if (!ret)
++        err(context, ret, "krb5_pac_parse should have failed");
++    ret = krb5_pac_parse(context, fuzz2, sizeof(fuzz2), &pac);
++    if (!ret)
++        err(context, ret, "krb5_pac_parse should have failed");
++
+     /*
+      * Test empty free
+      */
+-- 
+2.37.3
+
diff --git a/SPECS/krb5.spec b/SPECS/krb5.spec
index b94d8da..f1517eb 100644
--- a/SPECS/krb5.spec
+++ b/SPECS/krb5.spec
@@ -12,7 +12,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.15.1
-Release: 54%{?dist}
+Release: 55%{?dist}
 
 # - Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
@@ -143,6 +143,7 @@ Patch230: Fix-LDAP-policy-enforcement-of-pw_expiration.patch
 Patch231: Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch
 Patch232: Use-SHA256-instead-of-SHA1-for-PKINIT-CMS-digest.patch
 Patch233: Try-harder-to-avoid-password-change-replay-errors.patch
+Patch234: Fix-integer-overflows-in-PAC-parsing.patch
 
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@@ -419,6 +420,7 @@ ONLY by kerberos itself. Do not depend on this package.
 %patch231 -p1 -b .Fix-KDC-null-deref-on-TGS-inner-body-null-server
 %patch232 -p1 -b .Use-SHA256-instead-of-SHA1-for-PKINIT-CMS-digest
 %patch233 -p1 -b .Try-harder-to-avoid-password-change-replay-errors
+%patch234 -p1 -b .Fix-integer-overflows-in-PAC-parsing
 
 ln NOTICE LICENSE
 
@@ -926,6 +928,10 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*
 
 %changelog
+* Tue Nov 08 2022 Julien Rische <jrische@redhat.com> - 1.15.1-55
+- Fix integer overflows in PAC parsing (CVE-2022-42898)
+- Resolves: rhbz#2140961
+
 * Wed Apr 27 2022 Julien Rische <jrische@redhat.com> - 1.15.1-54
 - Try harder to avoid password change replay errors
 - Resolves: #2063163