diff -up shadow-4.1.5.1/src/usermod.c.passwd shadow-4.1.5.1/src/usermod.c

--- shadow-4.1.5.1/src/usermod.c.passwd	2015-12-17 14:05:47.959743073 +0100

+++ shadow-4.1.5.1/src/usermod.c	2015-12-18 12:42:28.290405529 +0100

@@ -360,14 +360,17 @@ static char *new_pw_passwd (char *pw_pas

 		strcat (buf, pw_pass);

 		pw_pass = buf;

 	} else if (Uflg && pw_pass[0] == '!') {

-		char *s;

+		char *s = pw_pass;

-		if (pw_pass[1] == '\0') {

+		while ('!' == *s)

+			++s;

+

+		if (*s == '\0') {

 			fprintf (stderr,

 			         _("%s: unlocking the user's password would result in a passwordless account.\n"

 			           "You should set a password with usermod -p to unlock this user's password.\n"),

 			         Prog);

-			return pw_pass;

+			return NULL;

 		}

 #ifdef WITH_AUDIT

@@ -376,12 +379,15 @@ static char *new_pw_passwd (char *pw_pas

 		              user_newname, (unsigned int) user_newid, 1);

 #endif

 		SYSLOG ((LOG_INFO, "unlock user '%s' password", user_newname));

-		s = pw_pass;

-		while ('\0' != *s) {

-			*s = *(s + 1);

-			s++;

-		}

+		memmove (pw_pass, s, strlen (s) + 1);

 	} else if (pflg) {

+		if (strchr (user_pass, ':') != NULL) {

+			fprintf (stderr,

+			         _("%s: The password field cannot contain a colon character.\n"),

+			         Prog);

+			return NULL;

+

+		}

 #ifdef WITH_AUDIT

 		audit_logger (AUDIT_USER_CHAUTHTOK, Prog,

 		              "updating-password",

@@ -430,6 +436,8 @@ static void new_pwent (struct passwd *pw

 	if (   (!is_shadow_pwd)

 	    || (strcmp (pwent->pw_passwd, SHADOW_PASSWD_STRING) != 0)) {

 		pwent->pw_passwd = new_pw_passwd (pwent->pw_passwd);

+		if (pwent->pw_passwd == NULL)

+			fail_exit (E_PW_UPDATE);

 	}

 	if (uflg) {

@@ -544,6 +552,8 @@ static void new_spent (struct spwd *spen

 	 *  + aging has been requested

 	 */

 	spent->sp_pwdp = new_pw_passwd (spent->sp_pwdp);

+	if (spent->sp_pwdp == NULL)

+		fail_exit(E_PW_UPDATE);

 	if (pflg) {

 		spent->sp_lstchg = (long) time ((time_t *) 0) / SCALE;