diff --git a/shadow-4.0.18.1-overflow.patch b/shadow-4.0.18.1-overflow.patch
new file mode 100644
index 0000000..1fb7a42
--- /dev/null
+++ b/shadow-4.0.18.1-overflow.patch
@@ -0,0 +1,36 @@
+--- shadow-4.0.17/src/chpasswd.c.overflow	2006-11-08 11:09:32.000000000 +0100
++++ shadow-4.0.17/src/chpasswd.c	2006-11-08 13:13:15.000000000 +0100
+@@ -239,9 +239,13 @@
+ 		newpwd = cp;
+ 		if (!eflg) {
+ 			if (md5flg) {
+-				char salt[12] = "$1$";
++				char tmp[12];
++				char salt[15] = "\0";
+ 
+-				strcat (salt, crypt_make_salt ());
++				strcpy( tmp, crypt_make_salt ());
++				if( !strncmp( tmp, "$1$", 3) )
++					strcat( salt, "$1$");
++				strcat( salt, tmp);
+ 				cp = pw_encrypt (newpwd, salt);
+ 			} else
+ 				cp = pw_encrypt (newpwd, crypt_make_salt ());
+--- shadow-4.0.17/src/chgpasswd.c.overflow	2006-11-08 13:13:40.000000000 +0100
++++ shadow-4.0.17/src/chgpasswd.c	2006-11-08 13:17:24.000000000 +0100
+@@ -243,9 +243,13 @@
+ 		newpwd = cp;
+ 		if (!eflg) {
+ 			if (md5flg) {
+-				char salt[12] = "$1$";
++				char tmp[12];
++				char salt[15] = "\0";
+ 
+-				strcat (salt, crypt_make_salt ());
++				strcpy( tmp, crypt_make_salt ());
++				if( !strncmp( tmp, "$1$", 3) )
++					strcat( salt, "$1$");
++				strcat( salt, tmp);
+ 				cp = pw_encrypt (newpwd, salt);
+ 			} else
+ 				cp = pw_encrypt (newpwd, crypt_make_salt ());
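Review bot: The new code still does an unbounded copy of `crypt_make_salt ()` into `tmp[12]` on the `strcpy( tmp, crypt_make_salt ());` line, so the stack-overflow fix holds only as long as that function never returns more than 11 characters; a bounded copy such as `snprintf (tmp, sizeof tmp, "%s", crypt_make_salt ());` (and likewise `snprintf (salt, sizeof salt, ...)` for the concatenation) would make that size assumption explicit and fail closed instead of overflowing. The `if( !strncmp( tmp, "$1$", 3) )` test also reads as inverted: `strncmp` returns 0 on a match, so the extra `$1$` is prepended exactly when `tmp` already starts with it, yielding `$1$$1$...`, and since MD5-crypt stops reading salt characters at the next `$` that would leave an effectively empty salt; if the intent is to add the prefix only when it is missing, the condition should be `if (strncmp (tmp, "$1$", 3) != 0)`. `crypt_make_salt` is not visible here, so whether the doubled prefix is deliberate is inferred from the visible lines only. The same two points apply verbatim to the chgpasswd.c hunk below, and the enclosing function in both files begins and ends outside the hunk.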
diff --git a/shadow-utils.spec b/shadow-utils.spec
index 3bc9c7a..80230d9 100644
--- a/shadow-utils.spec
+++ b/shadow-utils.spec
@@ -5,7 +5,7 @@
 Summary: Utilities for managing accounts and shadow password files.
 Name: shadow-utils
 Version: 4.0.18.1
-Release: 3%{?dist}
+Release: 4%{?dist}
 Epoch: 2
 URL: http://shadow.pld.org.pl/
 Source0: ftp://ftp.pld.org.pl/software/shadow/shadow-%{version}.tar.bz2
@@ -22,6 +22,7 @@ Patch6: shadow-4.0.17-notInheritFd.patch
 Patch7: shadow-4.0.17-exitValues.patch
 Patch8: shadow-4.0.17-auditLogging.patch
 Patch9: shadow-4.0.18.1-gid.patch
+Patch10: shadow-4.0.18.1-overflow.patch
 
 License: BSD
 Group: System Environment/Base
@@ -61,6 +62,7 @@ cp %{SOURCE3} lib/nscd.c
 %patch7 -p1 -b .exitValues
 %patch8 -p1 -b .auditLogging
 %patch9 -p1 -b .gid
+%patch10 -p1 -b .overflow
 
 rm po/*.gmo
 rm po/stamp-po
@@ -215,6 +217,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/*/man8/faillog.8*
 
 %changelog
+* Tue Nov 14 2006 Peter Vrabec <pvrabec@redhat.com> 2:4.0.18.1-4
+- fix chpasswd and chgpasswd stack overflow (#213052)
+
 * Sat Nov 04 2006 Peter Vrabec <pvrabec@redhat.com> 2:4.0.18.1-3
 - fix "-g" and "-G" option.