diff --git a/ChangeLog b/ChangeLog
index 50193bdc..7e70f78d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,12 @@
 2007-11-10  Nicolas François  <nicolas.francois@centraliens.net>
 
-	* NEWS, src/useradd.c: allow non numerical group identifier to be
+	* NEWS, src/chgpasswd.c, src/chpasswd.c: Fix chpasswd and
+	chgpasswd stack overflow. Based on Fedora's
+	shadow-4.0.18.1-overflow.patch.
+
+2007-11-10  Nicolas François  <nicolas.francois@centraliens.net>
+
+	* NEWS, src/useradd.c: Allow non numerical group identifier to be
 	specified with useradd's -g option. Applied Debian patch
 	397_non_numerical_identifier. Thanks also to Greg Schafer
 	<gschafer@zip.com.au>.
diff --git a/NEWS b/NEWS
index 69f16c5a..3b2449c0 100644
--- a/NEWS
+++ b/NEWS
@@ -6,6 +6,8 @@ shadow-4.0.18.1 -> shadow-4.0.18.2					UNRELEASED
 - useradd: Allow non numerical group identifier to be specified with
   useradd's -g option. Applied Debian patch 397_non_numerical_identifier.
   Thanks also to Greg Schafer <gschafer@zip.com.au>.
+- chgpasswd, chpasswd: Fix chpasswd and chgpasswd stack overflow. Based on
+  Fedora's shadow-4.0.18.1-overflow.patch.
 
 shadow-4.0.18.1 -> shadow-4.0.18.2					28-10-2007
 
diff --git a/src/chgpasswd.c b/src/chgpasswd.c
index a9ea4a0e..a3326bf9 100644
--- a/src/chgpasswd.c
+++ b/src/chgpasswd.c
@@ -243,9 +243,13 @@ int main (int argc, char **argv)
 		newpwd = cp;
 		if (!eflg) {
 			if (md5flg) {
-				char salt[12] = "$1$";
+				char tmp[12];
+				char salt[15] = "";
 
-				strcat (salt, crypt_make_salt ());
+				strcat (tmp, crypt_make_salt ());
+				if (!strncmp (tmp, "$1$", 3))
+					strcat (salt, "$1$");
+				strcat (salt, tmp);
 				cp = pw_encrypt (newpwd, salt);
 			} else
 				cp = pw_encrypt (newpwd, crypt_make_salt ());
diff --git a/src/chpasswd.c b/src/chpasswd.c
index 5e159c3f..2836ef73 100644
--- a/src/chpasswd.c
+++ b/src/chpasswd.c
@@ -239,9 +239,13 @@ int main (int argc, char **argv)
 		newpwd = cp;
 		if (!eflg) {
 			if (md5flg) {
-				char salt[12] = "$1$";
+				char tmp[12];
+				char salt[15] = "";
 
-				strcat (salt, crypt_make_salt ());
+				strcat (tmp, crypt_make_salt ());
+				if (!strncmp (tmp, "$1$", 3))
+					strcat (salt, "$1$");
+				strcat (salt, tmp);
 				cp = pw_encrypt (newpwd, salt);
 			} else
 				cp = pw_encrypt (newpwd, crypt_make_salt ());