diff --git a/ChangeLog b/ChangeLog index d1a4e6bd..2534c488 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,12 @@ +2007-11-10 Nicolas François + + * libmisc/salt.c: Make sure the salt string is terminated at the + right place (either 8th, or 11th position). + * NEWS, src/chgpasswd.c, src/chpasswd.c: The protocol + salt does + not need 15 chars. No need for a temporary buffer. + This change the fix committed on 2007-11-10. The salt provided to + pw_encrypt could have been too long. + 2007-11-16 Nicolas François * man/fr/fr.po: Fix typo: missing / in . This diff --git a/NEWS b/NEWS index 38f35c18..5d0fa96b 100644 --- a/NEWS +++ b/NEWS @@ -7,7 +7,8 @@ shadow-4.0.18.1 -> shadow-4.0.18.2 UNRELEASED useradd's -g option. Applied Debian patch 397_non_numerical_identifier. Thanks also to Greg Schafer . - chgpasswd, chpasswd: Fix chpasswd and chgpasswd stack overflow. Based on - Fedora's shadow-4.0.18.1-overflow.patch. + the Fedora's shadow-4.0.18.1-overflow.patch and Debian's + 495_salt_stack_smash patches. - newgrp: Don't ask for a password if there are no group passwords. Just directly give up. - The permissions of the suid binaries is now configurable in diff --git a/libmisc/salt.c b/libmisc/salt.c index 3ea8ae64..4ccf36cc 100644 --- a/libmisc/salt.c +++ b/libmisc/salt.c @@ -62,11 +62,13 @@ char *crypt_make_salt (void) { struct timeval tv; static char result[40]; + int max_salt_len = 8; result[0] = '\0'; #ifndef USE_PAM if (getdef_bool ("MD5_CRYPT_ENAB")) { strcpy (result, "$1$"); /* magic for the new MD5 crypt() */ + max_salt_len += 3; } #endif @@ -77,8 +79,8 @@ char *crypt_make_salt (void) strcat (result, l64a (tv.tv_usec)); strcat (result, l64a (tv.tv_sec + getpid () + clock ())); - if (strlen (result) > 3 + 8) /* magic+salt */ - result[11] = '\0'; + if (strlen (result) > max_salt_len) /* magic+salt */ + result[max_salt_len] = '\0'; return result; } diff --git a/src/chgpasswd.c b/src/chgpasswd.c index 1318badc..e9c24f56 100644 --- a/src/chgpasswd.c 
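Review bot: In libmisc/salt.c the new check `strlen (result) > max_salt_len` compares a size_t with an int, which draws a sign-compare warning; declaring `size_t max_salt_len = 8;` keeps both the comparison and the index `result[max_salt_len]` unsigned. The trailing comment `/* magic+salt */` no longer matches the path where no `$1$` prefix is written, so something like `/* optional magic + 8 salt chars */` would describe both cases. The part of crypt_make_salt between the two hunks is not shown here.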
+++ b/src/chgpasswd.c
@@ -243,14 +243,15 @@ int main (int argc, char **argv)
 newpwd = cp;
 if (!eflg) {
 if (md5flg) {
- char tmp[12];
- char salt[15] = "";
+ char md5salt[12] = "$1$";
+ char *salt = crypt_make_salt ();
 
- strcat (tmp, crypt_make_salt ());
- if (!strncmp (tmp, "$1$", 3))
- strcat (salt, "$1$");
- strcat (salt, tmp);
- cp = pw_encrypt (newpwd, salt);
+ if (strncmp (salt, "$1$", 3) == 0) {
+ strncpy (md5salt, salt, 11);
+ } else {
+ strncat (md5salt, salt, 8);
+ }
+ cp = pw_encrypt (newpwd, md5salt);
 } else
 cp = pw_encrypt (newpwd, crypt_make_salt ());
 }
diff --git a/src/chpasswd.c b/src/chpasswd.c
index d1889e1f..c6bea656 100644
--- a/src/chpasswd.c
+++ b/src/chpasswd.c
@@ -239,13 +239,14 @@ int main (int argc, char **argv)
 newpwd = cp;
 if (!eflg) {
 if (md5flg) {
- char tmp[12];
- char salt[15] = "";
+ char md5salt[12] = "$1$";
+ char *salt = crypt_make_salt ();
 
- strcat (tmp, crypt_make_salt ());
- if (!strncmp (tmp, "$1$", 3))
- strcat (salt, "$1$");
- strcat (salt, tmp);
+ if (strncmp (salt, "$1$", 3) == 0) {
+ strncpy (md5salt, salt, 11);
+ } else {
+ strncat (md5salt, salt, 8);
+ }
 cp = pw_encrypt (newpwd, salt);
 } else
 cp = pw_encrypt (newpwd, crypt_make_salt ());
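Review bot: In src/chgpasswd.c, `strncpy (md5salt, salt, 11);` leaves md5salt terminated only because the initializer `"$1$"` zero-filled the rest of the 12-byte array; strncpy writes no terminator itself when the source has 11 or more characters. That dependency deserves a comment such as `/* md5salt[11] stays '\0' from the initializer */`, and the bound is clearer tied to the buffer, as in `strncpy (md5salt, salt, sizeof md5salt - 1);`. The same lines appear in the src/chpasswd.c hunk. main() starts and ends outside the hunk.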
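Review bot: In src/chpasswd.c the call after the new block is still the unchanged context line `cp = pw_encrypt (newpwd, salt);`, so md5salt is built and then never used. When crypt_make_salt() returns a salt without the `$1$` prefix, the md5 flag would presumably have no effect on the resulting hash, unlike the src/chgpasswd.c hunk, which passes the new buffer. The line should read `cp = pw_encrypt (newpwd, md5salt);`. main() starts and ends outside the hunk.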