diff --git a/heimdal-CVE-2022-45142.patch b/heimdal-CVE-2022-45142.patch
new file mode 100644
index 0000000..699dad5
--- /dev/null
+++ b/heimdal-CVE-2022-45142.patch
@@ -0,0 +1,46 @@
+From: Helmut Grohne <helmut@...divi.de>
+Subject: [PATCH v3] CVE-2022-45142: gsskrb5: fix accidental logic inversions
+
+The referenced commit attempted to fix miscompilations with gcc-9 and
+gcc-10 by changing `memcmp(...)` to `memcmp(...) != 0`. Unfortunately,
+it also inverted the result of the comparison in two occasions. This
+inversion happened during backporting the patch to 7.7.1 and 7.8.0.
+
+Fixes: f6edaafcfefd ("gsskrb5: CVE-2022-3437 Use constant-time memcmp()
+ for arcfour unwrap")
+Signed-off-by: Helmut Grohne <helmut@...divi.de>
+---
+ lib/gssapi/krb5/arcfour.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+Changes since v1:
+ * Fix typo in commit message.
+ * Mention 7.8.0 in commit message. Thanks to Jeffrey Altman.
+
+Changes since v2:
+ * Add CVE identifier.
+
+diff --git a/lib/gssapi/krb5/arcfour.c b/lib/gssapi/krb5/arcfour.c
+index e838d007a..eee6ad72f 100644
+--- a/lib/gssapi/krb5/arcfour.c
++++ b/lib/gssapi/krb5/arcfour.c
+@@ -365,7 +365,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
+ 	return GSS_S_FAILURE;
+     }
+
+-    cmp = (ct_memcmp(cksum_data, p + 8, 8) == 0);
++    cmp = (ct_memcmp(cksum_data, p + 8, 8) != 0);
+     if (cmp) {
+ 	*minor_status = 0;
+ 	return GSS_S_BAD_MIC;
+@@ -730,7 +730,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
+ 	return GSS_S_FAILURE;
+     }
+
+-    cmp = (ct_memcmp(cksum_data, p0 + 16, 8) == 0); /* SGN_CKSUM */
++    cmp = (ct_memcmp(cksum_data, p0 + 16, 8) != 0); /* SGN_CKSUM */
+     if (cmp) {
+ 	_gsskrb5_release_buffer(minor_status, output_message_buffer);
+ 	*minor_status = 0;
+--
+2.38.1
diff --git a/libheimdal.changes b/libheimdal.changes
index 80cc8c8..20d9e47 100644
--- a/libheimdal.changes
+++ b/libheimdal.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu Apr  6 13:26:58 UTC 2023 - Dominique Leuenberger <dimstar@opensuse.org>
+
+- Add heimdal-CVE-2022-45142.patch: Fix logic inversion introduced
+  when fixing/backporting CVE-2022-3437 (CVE-2022-45142,
+  boo#1208992).
+
 -------------------------------------------------------------------
 Tue Jan 10 19:30:57 UTC 2023 - Marcus Meissner <meissner@suse.com>
 
diff --git a/libheimdal.spec b/libheimdal.spec
index 628179f..cb01cc0 100644
--- a/libheimdal.spec
+++ b/libheimdal.spec
@@ -30,6 +30,8 @@ Source2:        heimdal-patch-source.sh
 Patch0:         heimdal-patched.diff
 # PATCH-FIX-UPSTREAM bmwiedemann -- make build reproducible (boo#1047218)
 Patch1:         reproducible.patch
+# PATCH-FIX-UPSTREAM https://www.openwall.com/lists/oss-security/2023/02/08/1
+Patch2:         heimdal-CVE-2022-45142.patch
 BuildRequires:  automake >= 1.11
 BuildRequires:  bison
 BuildRequires:  db-devel >= 4.8