diff --git a/sudo-1.6.8p12-getgrouplist.patch b/sudo-1.6.8p12-getgrouplist.patch
new file mode 100644
index 0000000..998bf15
--- /dev/null
+++ b/sudo-1.6.8p12-getgrouplist.patch
@@ -0,0 +1,61 @@
+--- sudo-1.6.8p12/configure.in.getgrouplist	2007-04-12 10:16:12.000000000 +0200
++++ sudo-1.6.8p12/configure.in	2007-04-12 10:18:16.000000000 +0200
+@@ -1694,7 +1694,7 @@
+ dnl Function checks
+ dnl
+ AC_CHECK_FUNCS(strchr strrchr memchr memcpy memset sysconf tzset \
+-	       strftime setrlimit initgroups fstat gettimeofday)
++	       strftime setrlimit initgroups getgrouplist fstat gettimeofday)
+ AC_CHECK_FUNCS(seteuid, , [AC_DEFINE(NO_SAVED_IDS)])
+ if test -z "$SKIP_SETRESUID"; then
+     AC_CHECK_FUNCS(setresuid, [SKIP_SETREUID=yes])
+--- sudo-1.6.8p12/configure.getgrouplist	2005-10-28 02:48:25.000000000 +0200
++++ sudo-1.6.8p12/configure	2007-04-12 10:18:16.000000000 +0200
+@@ -24677,7 +24677,7 @@
+ 
+ 
+ for ac_func in strchr strrchr memchr memcpy memset sysconf tzset \
+-	       strftime setrlimit initgroups fstat gettimeofday
++	       strftime setrlimit initgroups getgrouplist fstat gettimeofday
+ do
+ as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
+ echo "$as_me:$LINENO: checking for $ac_func" >&5
+--- sudo-1.6.8p12/check.c.getgrouplist	2005-03-25 02:55:31.000000000 +0100
++++ sudo-1.6.8p12/check.c	2007-04-12 10:18:16.000000000 +0200
+@@ -299,6 +299,24 @@
+ 	    return(TRUE);
+     }
+ 
++#ifdef HAVE_GETGROUPLIST
++    {
++	gid_t *grouplist, grouptmp;
++	int n_groups, i;
++	n_groups = 1;
++	if (getgrouplist(user_name, user_gid, &grouptmp, &n_groups) == -1) {
++	    grouplist = (gid_t *) emalloc(sizeof(gid_t) * (n_groups + 1));
++	    if (getgrouplist(user_name, user_gid, grouplist, &n_groups) > 0)
++		for (i = 0; i < n_groups; i++)
++		    if (grouplist[i] == grp->gr_gid) {
++			free(grouplist);
++			return(TRUE);
++		    }
++	    free(grouplist);
++	}
++    }
++#endif
++
+     return(FALSE);
+ }
+ 
+--- sudo-1.6.8p12/config.h.in.getgrouplist	2007-04-12 10:16:12.000000000 +0200
++++ sudo-1.6.8p12/config.h.in	2007-04-12 10:18:16.000000000 +0200
+@@ -122,6 +122,9 @@
+ /* Define to 1 if you have the `getdomainname' function. */
+ #undef HAVE_GETDOMAINNAME
+ 
++/* Define to 1 if you have the `getgrouplist' function. */
++#undef HAVE_GETGROUPLIST
++
+ /* Define to 1 if you have the `getifaddrs' function. */
+ #undef HAVE_GETIFADDRS
+ 
diff --git a/sudo.spec b/sudo.spec
index 919f161..93a01be 100644
--- a/sudo.spec
+++ b/sudo.spec
@@ -1,7 +1,7 @@
 Summary: Allows restricted root access for specified users
 Name: sudo
 Version: 1.6.8p12
-Release: 13%{?dist}
+Release: 14%{?dist}
 License: BSD
 Group: Applications/System
 URL: http://www.courtesan.com/sudo/
@@ -28,6 +28,7 @@ Patch5: sudo-1.6.8p12-requiretty.patch
 Patch6: sudo-1.6.8p12-pam-login.patch
 # IPv6 support
 Patch7: sudo-1.6.8p12-ipv6.patch
+Patch8: sudo-1.6.8p12-getgrouplist.patch
 
 %description
 Sudo (superuser do) allows a system administrator to give certain
@@ -48,6 +49,7 @@ on many different machines.
 %patch5 -p1 -b .tty
 %patch6 -p1 -b .login
 %patch7 -p1 -b .ipv6
+%patch8 -p1 -b .getgrouplist
 
 %build
 %ifarch s390 s390x
@@ -127,6 +129,9 @@ rm -rf $RPM_BUILD_ROOT
 /bin/chmod 0440 /etc/sudoers || :
 
 %changelog
+* Thu Apr 12 2007 Peter Vrabec <pvrabec@redhat.com> 1.6.8p12-14
+- also use getgrouplist() to determine group membership (#235915)
+
 * Mon Feb 26 2007 Peter Vrabec <pvrabec@redhat.com> 1.6.8p12-13
 - fix some spec file issues