diff -Nru libxmlb-0.3.6/debian/changelog libxmlb-0.3.6/debian/changelog
--- libxmlb-0.3.6/debian/changelog 2022-09-06 18:47:07.000000000 +0200
+++ libxmlb-0.3.6/debian/changelog 2024-01-24 17:24:43.000000000 +0100
@@ -1,3 +1,9 @@
+libxmlb (0.3.6-2ubuntu0.2) jammy; urgency=medium
+
+ * Do not assert() when decompressing invalid LZMA (LP: #2051141)
+
+ -- Marco Trevisan (TreviƱo) Wed, 24 Jan 2024 17:24:43 +0100
+
 libxmlb (0.3.6-2ubuntu0.1) jammy; urgency=high
 
 * Fix double-free bug. LP: #1988440.
diff -Nru libxmlb-0.3.6/debian/patches/do-not-assert-when-decompressing-invalid-lzma.patch libxmlb-0.3.6/debian/patches/do-not-assert-when-decompressing-invalid-lzma.patch
--- libxmlb-0.3.6/debian/patches/do-not-assert-when-decompressing-invalid-lzma.patch 1970-01-01 01:00:00.000000000 +0100
+++ libxmlb-0.3.6/debian/patches/do-not-assert-when-decompressing-invalid-lzma.patch 2024-01-24 17:21:45.000000000 +0100
@@ -0,0 +1,66 @@
+From f5921320454898138af90c6a154000e7bf49b621 Mon Sep 17 00:00:00 2001
+From: Richard Hughes
+Date: Sun, 19 Feb 2023 17:47:40 +0000
+Subject: [PATCH] Do not assert() when decompressing invalid LZMA
+
+Fixes https://github.com/fwupd/fwupd/issues/5554
+
+Origin: https://github.com/hughsie/libxmlb/commit/f592132045489813
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/libxmlb/+bug/2051141
+---
+ src/xb-lzma-decompressor.c | 39 ++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 39 insertions(+)
+
+--- a/src/xb-lzma-decompressor.c
++++ b/src/xb-lzma-decompressor.c
+@@ -114,11 +114,50 @@
+ "Invalid compressed data");
+ return G_CONVERTER_ERROR;
+ }
++ if (res == LZMA_UNSUPPORTED_CHECK) {
++ g_set_error_literal(error,
++ G_IO_ERROR,
++ G_IO_ERROR_NOT_SUPPORTED,
++ "Cannot calculate the integrity check");
++ return G_CONVERTER_ERROR;
++ }
+ if (res == LZMA_MEM_ERROR) {
+ g_set_error_literal (error, G_IO_ERROR, G_IO_ERROR_FAILED,
+ "Not enough memory");
+ return G_CONVERTER_ERROR;
+ }
++ if (res == LZMA_FORMAT_ERROR) {
++ g_set_error_literal(error,
++ G_IO_ERROR,
++ G_IO_ERROR_NOT_SUPPORTED,
++ "File format not recognized");
++ return G_CONVERTER_ERROR;
++ }
++ if (res == LZMA_OPTIONS_ERROR) {
++ g_set_error_literal(error,
++ G_IO_ERROR,
++ G_IO_ERROR_NOT_SUPPORTED,
++ "Invalid or unsupported options");
++ return G_CONVERTER_ERROR;
++ }
++ if (res == LZMA_DATA_ERROR) {
++ g_set_error_literal(error, G_IO_ERROR, G_IO_ERROR_INVALID_DATA, "Data is corrupt");
++ return G_CONVERTER_ERROR;
++ }
++ if (res == LZMA_BUF_ERROR) {
++ g_set_error_literal(error,
++ G_IO_ERROR,
++ G_IO_ERROR_INVALID_DATA,
++ "No progress is possible");
++ return G_CONVERTER_ERROR;
++ }
++ if (res == LZMA_PROG_ERROR) {
++ g_set_error_literal(error,
++ G_IO_ERROR,
++ G_IO_ERROR_INVALID_ARGUMENT,
++ "Programming error");
++ return G_CONVERTER_ERROR;
++ }
+ if (res == LZMA_OK || res == LZMA_STREAM_END) {
+ *bytes_read = inbuf_size - self->lzmastream.avail_in;
+ *bytes_written = outbuf_size - self->lzmastream.avail_out;
diff -Nru libxmlb-0.3.6/debian/patches/series libxmlb-0.3.6/debian/patches/series
--- libxmlb-0.3.6/debian/patches/series 2022-09-06 18:47:07.000000000 +0200
+++ libxmlb-0.3.6/debian/patches/series 2024-01-24 17:15:21.000000000 +0100
@@ -1 +1,2 @@
 Fix-double-free-bug
+do-not-assert-when-decompressing-invalid-lzma.patch
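Review bot: The added `if (res == ...)` chain in src/xb-lzma-decompressor.c still names return codes one at a time, so any lzma_ret value it omits (for example `LZMA_MEMLIMIT_ERROR`) falls past the `LZMA_OK || LZMA_STREAM_END` branch to whatever follows outside the hunk, which the commit subject suggests is the assert. Because malformed input is exactly the case this patch targets, a final catch-all after that branch would make the fix hold for every code: `g_set_error(error, G_IO_ERROR, G_IO_ERROR_FAILED, "Unhandled LZMA error %u", (guint)res);` followed by `return G_CONVERTER_ERROR;`. Separately, the top context lines close a branch that already reports "Invalid compressed data"; if that branch tests `LZMA_DATA_ERROR`, the new `LZMA_DATA_ERROR` check with "Data is corrupt" is unreachable in this backport and can be dropped. The enclosing function starts and ends outside the hunk, so both points should be confirmed against the full file.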