diff --git a/pam-1.4.0-libpam-start-leak.patch b/pam-1.4.0-libpam-start-leak.patch
new file mode 100644
index 0000000..2733b56
--- /dev/null
+++ b/pam-1.4.0-libpam-start-leak.patch
@@ -0,0 +1,84 @@
+From 50ab1eda259ff039922b2774895f09bf0a57e078 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@cryptomilk.org>
+Date: Wed, 4 Nov 2020 17:21:47 +0100
+Subject: [PATCH 1/2] libpam: Fix memory leak with pam_start_confdir()
+
+Found with AddressSanitzer in pam_wrapper tests.
+
+==985738== 44 bytes in 4 blocks are definitely lost in loss record 18 of 18
+==985738==    at 0x4839809: malloc (vg_replace_malloc.c:307)
+==985738==    by 0x48957E1: _pam_strdup (pam_misc.c:129)
+==985738==    by 0x489851B: _pam_start_internal (pam_start.c:85)
+==985738==    by 0x4849C8C: libpam_pam_start_confdir (pam_wrapper.c:418)
+==985738==    by 0x484AF94: pwrap_pam_start (pam_wrapper.c:1461)
+==985738==    by 0x484AFEE: pam_start (pam_wrapper.c:1483)
+==985738==    by 0x401723: setup_noconv (test_pam_wrapper.c:189)
+==985738==    by 0x4889E82: ??? (in /usr/lib64/libcmocka.so.0.7.0)
+==985738==    by 0x488A444: _cmocka_run_group_tests (in /usr/lib64/libcmocka.so.0.7.0)
+==985738==    by 0x403EE5: main (test_pam_wrapper.c:1059)
+
+Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
+---
+ libpam/pam_end.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/libpam/pam_end.c b/libpam/pam_end.c
+index 942253d8..406b1478 100644
+--- a/libpam/pam_end.c
++++ b/libpam/pam_end.c
+@@ -56,6 +56,9 @@ int pam_end(pam_handle_t *pamh, int pam_status)
+     _pam_overwrite(pamh->user);
+     _pam_drop(pamh->user);
+ 
++    _pam_overwrite(pamh->confdir);
++    _pam_drop(pamh->confdir);
++
+     _pam_overwrite(pamh->prompt);
+     _pam_drop(pamh->prompt);                  /* prompt for pam_get_user() */
+ 
+-- 
+2.26.2
+
+
+From 51318fd423a8ab4456a278ef0aff6ad449aab916 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@cryptomilk.org>
+Date: Wed, 4 Nov 2020 17:23:09 +0100
+Subject: [PATCH 2/2] libpam: Fix memory leak on error path in
+ _pam_start_internal()
+
+Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
+---
+ libpam/pam_start.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/libpam/pam_start.c b/libpam/pam_start.c
+index 59d06224..99dd0389 100644
+--- a/libpam/pam_start.c
++++ b/libpam/pam_start.c
+@@ -115,6 +115,7 @@ static int _pam_start_internal (
+ 	pam_syslog(*pamh, LOG_CRIT, "pam_start: malloc failed for pam_conv");
+ 	_pam_drop((*pamh)->service_name);
+ 	_pam_drop((*pamh)->user);
++	_pam_drop((*pamh)->confdir);
+ 	_pam_drop(*pamh);
+ 	return (PAM_BUF_ERR);
+     } else {
+@@ -128,6 +129,7 @@ static int _pam_start_internal (
+ 	_pam_drop((*pamh)->pam_conversation);
+ 	_pam_drop((*pamh)->service_name);
+ 	_pam_drop((*pamh)->user);
++	_pam_drop((*pamh)->confdir);
+ 	_pam_drop(*pamh);
+ 	return PAM_ABORT;
+     }
+@@ -145,6 +147,7 @@ static int _pam_start_internal (
+ 	_pam_drop((*pamh)->pam_conversation);
+ 	_pam_drop((*pamh)->service_name);
+ 	_pam_drop((*pamh)->user);
++	_pam_drop((*pamh)->confdir);
+ 	_pam_drop(*pamh);
+ 	return PAM_ABORT;
+     }
+-- 
+2.26.2
+
diff --git a/pam.spec b/pam.spec
index 103d90d..a1f7a0c 100644
--- a/pam.spec
+++ b/pam.spec
@@ -3,7 +3,7 @@
 Summary: An extensible library which provides authentication for applications
 Name: pam
 Version: 1.4.0
-Release: 6%{?dist}
+Release: 7%{?dist}
 # The library is BSD licensed with option to relicense as GPLv2+
 # - this option is redundant as the BSD license allows that anyway.
 # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
@@ -52,6 +52,9 @@ Patch59: pam-1.4.0-motd-filter-files.patch
 Patch60: pam-1.4.0-unix-init-daysleft.patch
 # https://github.com/linux-pam/linux-pam/commit/9f24bbeeb4fe04bc396898cd9825478ad52c5ac7
 Patch61: pam-1.4.0-motd-privilege-message.patch
+# https://github.com/linux-pam/linux-pam/commit/50ab1eda259ff039922b2774895f09bf0a57e078
+# https://github.com/linux-pam/linux-pam/commit/51318fd423a8ab4456a278ef0aff6ad449aab916
+Patch62: pam-1.4.0-libpam-start-leak.patch
 
 %global _pamlibdir %{_libdir}
 %global _moduledir %{_libdir}/security
@@ -145,6 +148,7 @@ cp %{SOURCE18} .
 %patch59 -p1 -b .motd-filter-files
 %patch60 -p1 -b .unix-init-daysleft
 %patch61 -p1 -b .motd-privilege-message
+%patch62 -p1 -b .libpam-start-leak
 
 autoreconf -i
 
@@ -404,6 +408,9 @@ done
 %doc doc/sag/*.txt doc/sag/html
 
 %changelog
+* Fri Nov  6 2020 Iker Pedrosa <ipedrosa@redhat.com> - 1.4.0-7
+- libpam: fix memory leak in pam_start (#1894630)
+
 * Mon Oct 19 2020 Iker Pedrosa <ipedrosa@redhat.com> - 1.4.0-6
 - pam_unix: fix missing initialization of daysleft  (#1887077)
 - pam_motd: change privilege message prompt to default (#1861640)