diff --git a/backport-port-fix-OVERRUN-CWE-119.patch b/backport-port-fix-OVERRUN-CWE-119.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c3f1886a5568e96fe39eb70fa18584fb72eb2c71
--- /dev/null
+++ b/backport-port-fix-OVERRUN-CWE-119.patch
@@ -0,0 +1,44 @@
+From 4c16416ebc5f0958d58a1ea1e7890eafd9f8bb75 Mon Sep 17 00:00:00 2001
+From: Iker Pedrosa
+Date: Wed, 15 May 2024 12:25:51 +0200
+Subject: [PATCH] port: fix OVERRUN (CWE-119)
+
+```
+shadow-4.15.0/lib/port.c:154:2: alias: Assigning: "port.pt_names" = "ttys". "port.pt_names" now points to element 0 of "ttys" (which consists of 65 8-byte elements).
+shadow-4.15.0/lib/port.c:155:2: cond_const: Checking "j < 64" implies that "j" is 64 on the false branch.
+shadow-4.15.0/lib/port.c:175:2: overrun-local: Overrunning array of 65 8-byte elements at element index 65 (byte offset 527) by dereferencing pointer "port.pt_names + (j + 1)".
+173| *cp = '\0';
+174| cp++;
+175|-> port.pt_names[j + 1] = NULL;
+176|
+177| /*
+```
+
+Resolves: https://issues.redhat.com/browse/RHEL-35383
+
+Signed-off-by: Iker Pedrosa
+Reviewed-by: Alejandro Colomar
+
+Conflict: N/A
+Reference: https://github.com/shadow-maint/shadow/commit/4c16416ebc5f0958d58a1ea1e7890eafd9f8bb75
+
+---
+ lib/port.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/port.c b/lib/port.c
+index 05b95651..60ff8989 100644
+--- a/lib/port.c
++++ b/lib/port.c
+@@ -168,7 +168,7 @@ again:
+ }
+ *cp = '\0';
+ cp++;
+- port.pt_names[j + 1] = NULL;
++ port.pt_names[j] = NULL;
+
+ /*
+ * Get the list of user names. It is the second colon
+--
+2.33.0
+
diff --git a/backport-src-groupmod.c-delete-gr_free_members-grp-to-avoid-d.patch b/backport-src-groupmod.c-delete-gr_free_members-grp-to-avoid-d.patch
new file mode 100644
index 0000000000000000000000000000000000000000..47193109a711f7f00838780305ebceb77059eec7
--- /dev/null
+++ b/backport-src-groupmod.c-delete-gr_free_members-grp-to-avoid-d.patch
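Review bot: The new `port.pt_names[j] = NULL;` at the end of the tty-name loop stops the write past the 65-element `ttys` array when the loop runs to j == 64, but on the ordinary path, where the loop stops early at the ':' separator with `pt_names[j]` holding the name just parsed, it overwrites that entry and silently drops the last tty from the list (a single-tty line would yield an empty list). The loop body is outside the hunk, so this is inferred from the quoted Coverity trace (`j < 64`, `ttys` of 65 elements) and the original `[j + 1]` terminator; please confirm against lib/port.c before shipping the backport. A fix that keeps both the bounds and the last name would keep `port.pt_names[j + 1] = NULL;` and instead bound the loop so that j + 1 is always a valid index, treating a line with too many ttys as a format error, the same way the existing `again:` path handles malformed lines. Since this is taken verbatim from upstream, the correction should go upstream first and be backported with it.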
@@ -0,0 +1,61 @@
+From 10429edc14673fbb8c78b25f1872c34e88e5f07f Mon Sep 17 00:00:00 2001
+From: lixinyun
+Date: Wed, 29 May 2024 06:53:02 +0800
+Subject: [PATCH] src/groupmod.c: delete gr_free_members(&grp) to avoid double
+ free
+
+Groupmod -U may cause crashes because of double free. If without -a, the first free of (*ogrp).gr_mem is in gr_free_members(&grp), and then in gr_update without -n or gr_remove with -n.
+Considering the minimal impact of modifications on existing code, delete gr_free_members(&grp) to avoid double free.Although this may seem reckless, the second free in two different positions will definitely be triggered, and the following two test cases can be used to illustrate the situation :
+
+[root@localhost src]# ./useradd u1
+[root@localhost src]# ./useradd u2
+[root@localhost src]# ./useradd u3
+[root@localhost src]# ./groupadd -U u1,u2,u3 g1
+[root@localhost src]# ./groupmod -n g2 -U u1,u2 g1
+Segmentation fault
+
+This case would free (*ogrp).gr_mem in gr_free_members(&grp) due to assignment statements grp = *ogrp, then in if (nflg && (gr_remove (group_name) == 0)), which finally calls gr_free_members(grent) to free (*ogrp).gr_mem again.
+
+[root@localhost src]# ./useradd u1
+[root@localhost src]# ./useradd u2
+[root@localhost src]# ./useradd u3
+[root@localhost src]# ./groupadd -U u1,u2,u3 g1
+[root@localhost src]# ./groupmod -U u1,u2 g1
+Segmentation fault
+
+The other case would free (*ogrp).gr_mem in gr_free_members(&grp) too, then in if (gr_update (&grp) == 0), which finally calls gr_free_members(grent) too to free (*ogrp).gr_mem again.
+
+So the first free is unnecessary, maybe we can drop it.
+
+Fixes: 342c934a3590 ("add -U option to groupadd and groupmod")
+Closes:
+Link:
+Link:
+Link:
+Cc: "Serge E. Hallyn"
+Reviewed-by: Alejandro Colomar
+Signed-off-by: lixinyun
+
+Conflict: N/A
+Reference: https://github.com/shadow-maint/shadow/commit/10429edc14673fbb8c78b25f1872c34e88e5f07f
+
+---
+ src/groupmod.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/src/groupmod.c b/src/groupmod.c
+index a29cf73f..989d7ea3 100644
+--- a/src/groupmod.c
++++ b/src/groupmod.c
+@@ -250,8 +250,6 @@ static void grp_update (void)
+
+ if (!aflg) {
+ // requested to replace the existing groups
+- if (NULL != grp.gr_mem[0])
+- gr_free_members(&grp);
+ grp.gr_mem = XMALLOC(1, char *);
+ grp.gr_mem[0] = NULL;
+ } else {
+--
+2.33.0
+
diff --git a/backport-src-usermod.c-update_group_file-Fix-RESOURCE_LEAK-CW.patch b/backport-src-usermod.c-update_group_file-Fix-RESOURCE_LEAK-CW.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7673f7c2955563ad3f137c7739745e613429ae7a
--- /dev/null
+++ b/backport-src-usermod.c-update_gshadow_file-Fix-RESOURCE_LEAK-.patch
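Review bot: Removing `gr_free_members(&grp)` from the `!aflg` branch stops the double free, but the reason it is safe — `grp` is a shallow copy of `*ogrp`, so the `grp.gr_mem` being replaced on the next line still belongs to the database entry that `gr_update()`/`gr_remove()` free later, as the commit message explains — is now invisible at the point where the pointer is overwritten, and the next reader will see what looks like a leak and be tempted to put the free back. Add a comment above the surviving `grp.gr_mem = XMALLOC(1, char *);`, e.g. `/* grp.gr_mem still aliases ogrp->gr_mem, which the group DB layer frees; do not free it here */`. The `grp = *ogrp` assignment and the start of grp_update() are outside the hunk, so the aliasing is taken from the description; if a later change turns that copy into a deep copy, this branch would start leaking.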
@@ -0,0 +1,54 @@
+From 61964aa06b9e6e0643a6519f64290f18ac04867f Mon Sep 17 00:00:00 2001
+From: Alejandro Colomar
+Date: Thu, 16 May 2024 13:54:06 +0200
+Subject: [PATCH] src/usermod.c: update_group_file(): Fix RESOURCE_LEAK
+ (CWE-772)
+
+Report:
+> shadow-4.15.0/src/usermod.c:734:3: alloc_fn: Storage is returned from allocation function "__gr_dup".
+> shadow-4.15.0/src/usermod.c:734:3: var_assign: Assigning: "ngrp" = storage returned from "__gr_dup(grp)".
+> shadow-4.15.0/src/usermod.c:815:1: leaked_storage: Variable "ngrp" going out of scope leaks the storage it points to.
+> 813| gr_free(ngrp);
+> 814| }
+> 815|-> }
+> 816|
+> 817| #ifdef SHADOWGRP
+
+Link: https://issues.redhat.com/browse/RHEL-35383
+Reported-by: Iker Pedrosa
+Signed-off-by: Alejandro Colomar
+
+Conflict: N/A
+Reference: https://github.com/shadow-maint/shadow/commit/61964aa06b9e6e0643a6519f64290f18ac04867f
+
+---
+ src/usermod.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/usermod.c b/src/usermod.c
+index 3048f801..e0cfdd83 100644
+--- a/src/usermod.c
++++ b/src/usermod.c
+@@ -780,9 +780,8 @@ update_group_file(void)
+ SYSLOG ((LOG_INFO, "add '%s' to group '%s'",
+ user_newname, ngrp->gr_name));
+ }
+- if (!changed) {
+- continue;
+- }
++ if (!changed)
++ goto free_ngrp;
+
+ changed = false;
+ if (gr_update (ngrp) == 0) {
+@@ -793,6 +792,7 @@ update_group_file(void)
+ fail_exit (E_GRP_UPDATE);
+ }
+
++free_ngrp:
+ gr_free(ngrp);
+ }
+ }
+--
+2.33.0
+
diff --git a/backport-src-usermod.c-update_gshadow_file-Fix-RESOURCE_LEAK-.patch b/backport-src-usermod.c-update_gshadow_file-Fix-RESOURCE_LEAK-.patch
new file mode 100644
index 0000000000000000000000000000000000000000..dfa9d1342c9f14ecf3a30ab066f2eb0cb16d4cbb
--- /dev/null
+++ b/backport-src-usermod.c-update_gshadow_file-Fix-RESOURCE_LEAK-.patch
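Review bot: The replacement `if (!changed) goto free_ngrp;` drops the braces that the removed lines and the neighbouring `if (gr_update (ngrp) == 0) {` in the same hunk use, so the loop now mixes braced and unbraced single-statement conditionals; within a backport it is better to keep the surrounding file's style, `if (!changed) {` / `goto free_ngrp;` / `}`. The same applies to the `goto free_nsgrp` change in the update_gshadow_file() patch that follows. The label is placed immediately before the existing `gr_free(ngrp);`, so the skipped-iteration path now releases the `__gr_dup` copy like the normal path does, which is what the Coverity report asked for; the allocation itself and the rest of update_group_file() are outside the hunk.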
@@ -0,0 +1,54 @@
+From 71a3238b7996285fc3c8dec841244ba95d663fa5 Mon Sep 17 00:00:00 2001
+From: Alejandro Colomar
+Date: Fri, 17 May 2024 02:15:15 +0200
+Subject: [PATCH] src/usermod.c: update_gshadow_file(): Fix RESOURCE_LEAK
+ (CWE-772)
+
+Report:
+> shadow-4.15.0/src/usermod.c:864:3: alloc_fn: Storage is returned from allocation function "__sgr_dup".
+> shadow-4.15.0/src/usermod.c:864:3: var_assign: Assigning: "nsgrp" = storage returned from "__sgr_dup(sgrp)".
+> shadow-4.15.0/src/usermod.c:964:1: leaked_storage: Variable "nsgrp" going out of scope leaks the storage it points to.
+> 962| free (nsgrp);
+> 963| }
+> 964|-> }
+> 965| #endif /* SHADOWGRP */
+> 966|
+
+Link: https://issues.redhat.com/browse/RHEL-35383
+Reported-by: Iker Pedrosa
+Signed-off-by: Alejandro Colomar
+
+Conflict: N/A
+Reference: https://github.com/shadow-maint/shadow/commit/71a3238b7996285fc3c8dec841244ba95d663fa5
+
+---
+ src/usermod.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/usermod.c b/src/usermod.c
+index e0cfdd83..bb5d3535 100644
+--- a/src/usermod.c
++++ b/src/usermod.c
+@@ -921,9 +921,8 @@ update_gshadow_file(void)
+ SYSLOG ((LOG_INFO, "add '%s' to shadow group '%s'",
+ user_newname, nsgrp->sg_name));
+ }
+- if (!changed) {
+- continue;
+- }
++ if (!changed)
++ goto free_nsgrp;
+
+ changed = false;
+
+@@ -939,6 +938,7 @@ update_gshadow_file(void)
+ fail_exit (E_GRP_UPDATE);
+ }
+
++free_nsgrp:
+ free (nsgrp);
+ }
+ }
+--
+2.33.0
+
diff --git a/shadow.spec b/shadow.spec
index 65529422443de650035f8e0c8ccadf2af0064733..daee21aed7af30cda6b0f59982dc948ef0197c52 100644
--- a/shadow.spec
+++ b/shadow.spec
@@ -1,6 +1,6 @@
 Name: shadow
 Version: 4.14.3
-Release: 1
+Release: 2
 Epoch: 2
 License: BSD and GPLv2+
 Summary: Tools for managing accounts and shadow password files
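Review bot: The new `free_nsgrp:` label routes the skipped iterations to the existing `free (nsgrp);`, which releases only the top-level struct returned by `__sgr_dup` (named in the quoted Coverity report), whereas the parallel update_group_file() patch releases its `__gr_dup` copy with `gr_free(ngrp)`; if `__sgr_dup` deep-copies the name, password, admin and member arrays as its name suggests, those allocations still leak on every iteration, changed or not, and only the struct itself is recovered. The body of `__sgr_dup` is not in this series, so please confirm against lib/sgroupio.c; if it is a deep copy, the cleanup should be `sgr_free (nsgrp);`, the shadow-group counterpart of `gr_free()`. The allocation at the top of the loop and the rest of update_gshadow_file() are outside the hunk.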
@@ -19,6 +19,10 @@ Source7: newusers
 Patch0: usermod-unlock.patch
 Patch1: shadow-add-sm3-crypt-support.patch
 Patch2: shadow-Remove-encrypted-passwd-for-useradd-gr.patch
+Patch3: backport-port-fix-OVERRUN-CWE-119.patch
+Patch4: backport-src-usermod.c-update_group_file-Fix-RESOURCE_LEAK-CW.patch
+Patch5: backport-src-usermod.c-update_gshadow_file-Fix-RESOURCE_LEAK-.patch
+Patch6: backport-src-groupmod.c-delete-gr_free_members-grp-to-avoid-d.patch
 
 BuildRequires: gcc, libselinux-devel, audit-libs-devel, libsemanage-devel
 BuildRequires: libacl-devel, libattr-devel
@@ -188,6 +192,9 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.{la,a}
 %{_mandir}/*/*
 
 %changelog
+* Mon Jul 15 2024 wangziliang - 2:4.14.3-2
+- backport patches from upstream
+
 * Thu Feb 1 2024 zhengxiaoxiao - 2:4.14.3-1
 - update version to 4.14.3
 -Avoid null pointer dereference