diff -Nru nautilus-42.2/debian/changelog nautilus-42.2/debian/changelog
--- nautilus-42.2/debian/changelog	2022-12-12 14:08:24.000000000 +0000
+++ nautilus-42.2/debian/changelog	2023-01-03 17:29:48.000000000 +0000
@@ -1,3 +1,13 @@
+nautilus (1:42.2-0ubuntu2.1) jammy-security; urgency=medium
+
+  * SECURITY UPDATE: crash via invalid zip file
+    - debian/patches/CVE-2022-37290.patch: fix crash when copying an
+      invalid file in src/nautilus-dbus-manager.c,
+      src/nautilus-file-operations.c.
+    - CVE-2022-37290
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Tue, 03 Jan 2023 12:29:48 -0500
+
 nautilus (1:42.2-0ubuntu2) jammy; urgency=medium
 
   * d/p/ubuntu/unity_launcher_support.patch: Only set window time under x11
diff -Nru nautilus-42.2/debian/patches/CVE-2022-37290.patch nautilus-42.2/debian/patches/CVE-2022-37290.patch
--- nautilus-42.2/debian/patches/CVE-2022-37290.patch	1970-01-01 00:00:00.000000000 +0000
+++ nautilus-42.2/debian/patches/CVE-2022-37290.patch	2023-01-03 17:29:45.000000000 +0000
@@ -0,0 +1,46 @@
+From cd081619d1597d07ce77fec4474e44dae9132f52 Mon Sep 17 00:00:00 2001
+From: Aleksandar Dezelin <dezelin@gmail.com>
+Date: Fri, 23 Dec 2022 15:58:26 +0000
+Subject: [PATCH] Fix crash when copying an invalid file
+
+---
+ src/nautilus-dbus-manager.c    | 5 +++++
+ src/nautilus-file-operations.c | 6 ++++++
+ 2 files changed, 11 insertions(+)
+
+--- a/src/nautilus-dbus-manager.c
++++ b/src/nautilus-dbus-manager.c
+@@ -187,6 +187,11 @@ handle_create_folder (NautilusDBusFileOp
+     file = g_file_new_for_uri (uri);
+     basename = g_file_get_basename (file);
+     parent_file = g_file_get_parent (file);
++    if (parent_file == NULL || basename == NULL)
++    {
++        g_dbus_method_invocation_return_error (invocation, G_IO_ERROR, G_IO_ERROR_INVALID_ARGUMENT, "Invalid uri: %s", uri);
++        return TRUE;
++    }
+     parent_file_uri = g_file_get_uri (parent_file);
+ 
+     handle_create_folder_internal (parent_file_uri, basename, NULL);
+--- a/src/nautilus-file-operations.c
++++ b/src/nautilus-file-operations.c
+@@ -1021,6 +1021,11 @@ get_basename (GFile *file)
+     if (name == NULL)
+     {
+         basename = g_file_get_basename (file);
++        if (basename == NULL)
++        {
++            return g_strdup (_("unknown"));
++        }
++
+         if (g_utf8_validate (basename, -1, NULL))
+         {
+             name = basename;
+@@ -4383,6 +4388,7 @@ get_unique_target_file (GFile      *src,
+     if (dest == NULL)
+     {
+         basename = g_file_get_basename (src);
++        g_assert (basename == NULL);
+ 
+         if (g_utf8_validate (basename, -1, NULL))
+         {
diff -Nru nautilus-42.2/debian/patches/series nautilus-42.2/debian/patches/series
--- nautilus-42.2/debian/patches/series	2022-12-12 14:08:24.000000000 +0000
+++ nautilus-42.2/debian/patches/series	2023-01-03 17:29:41.000000000 +0000
@@ -8,3 +8,4 @@
 appstream-compulsory.patch
 nautilusgtkplacesview-show-error-if-volume-is-not-mo.patch
 ubuntu/shell-search-provider-implement-XUbuntuCancel-to-request-.patch
+CVE-2022-37290.patch