diff --git a/backport-Revert-libpam-pam_modutil_sanitize.c-optimize-the-wa.patch b/backport-Revert-libpam-pam_modutil_sanitize.c-optimize-the-wa.patch
new file mode 100644
index 0000000..8e25756
--- /dev/null
+++ b/backport-Revert-libpam-pam_modutil_sanitize.c-optimize-the-wa.patch
@@ -0,0 +1,134 @@
+From a7b9ffd2eee74ac57b19a8cdf6710e43cd345ded Mon Sep 17 00:00:00 2001
+From: Tomas Mraz
+Date: Mon, 12 Oct 2020 09:42:52 +0200
+Subject: [PATCH] Revert "libpam/pam_modutil_sanitize.c: optimize the way to
+ close fds"
+
+This reverts commit 1b087edc7f05237bf5eccc405704cd82b848e761.
+
+Conflict:NA
+Reference:https://github.com/linux-pam/linux-pam/commit/a7b9ffd2eee74ac57b19a8cdf6710e43cd345ded
+
+---
+ configure.ac | 2 +-
+ libpam/pam_modutil_sanitize.c | 73 +++++++----------------------
+ 2 files changed, 15 insertions(+), 60 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 0f2b7de7..59327a75 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -530,7 +530,7 @@ dnl Checks for header files.
+ AC_HEADER_DIRENT
+ AC_HEADER_STDC
+ AC_HEADER_SYS_WAIT
+-AC_CHECK_HEADERS(fcntl.h limits.h malloc.h sys/file.h sys/ioctl.h sys/time.h syslog.h net/if.h termio.h unistd.h sys/fsuid.h inittypes.h sys/vfs.h linux/magic.h)
++AC_CHECK_HEADERS(fcntl.h limits.h malloc.h sys/file.h sys/ioctl.h sys/time.h syslog.h net/if.h termio.h unistd.h sys/fsuid.h inittypes.h)
+ 
+ dnl For module/pam_lastlog
+ AC_CHECK_HEADERS(lastlog.h utmp.h utmpx.h)
+diff --git a/libpam/pam_modutil_sanitize.c b/libpam/pam_modutil_sanitize.c
+index 58b9537c..7579c5bd 100644
+--- a/libpam/pam_modutil_sanitize.c
++++ b/libpam/pam_modutil_sanitize.c
+@@ -10,13 +10,6 @@
+ #include
+ #include
+ #include
+-#include
+-#ifdef HAVE_SYS_VFS_H
+-#include
+-#endif
+-#ifdef HAVE_LINUX_MAGIC_H
+-#include
+-#endif
+ 
+ /*
+ * Creates a pipe, closes its write end, redirects fd to its read end.
+@@ -91,69 +84,31 @@ redirect_out(pam_handle_t *pamh, enum pam_modutil_redirect_fd mode,
+ return fd;
+ }
+ 
+-/* Check if path is in a procfs. */
+-static int
+-is_in_procfs(int fd)
+-{
+-#if defined HAVE_SYS_VFS_H && defined PROC_SUPER_MAGIC
+- struct statfs stfs;
+-
+- if (fstatfs(fd, &stfs) == 0) {
+- if (stfs.f_type == PROC_SUPER_MAGIC)
+- return 1;
+- } else {
+- return 0;
+- }
+-#endif /* HAVE_SYS_VFS_H && PROC_SUPER_MAGIC */
+-
+- return -1;
+-}
+-
+ /* Closes all descriptors after stderr. */
+ static void
+ close_fds(void)
+ {
+- DIR *dir = NULL;
+- struct dirent *dent;
+- int dfd = -1;
+- int fd;
+- struct rlimit rlim;
+-
+ /*
+ * An arbitrary upper limit for the maximum file descriptor number
+ * returned by RLIMIT_NOFILE.
+ */
+- const unsigned int MAX_FD_NO = 65535;
++ const int MAX_FD_NO = 65535;
+ 
+ /* The lower limit is the same as for _POSIX_OPEN_MAX. */
+- const unsigned int MIN_FD_NO = 20;
+-
+- /* If /proc is mounted, we can optimize which fd can be closed. */
+- if ((dir = opendir("/proc/self/fd")) != NULL) {
+- if ((dfd = dirfd(dir)) >= 0 && is_in_procfs(dfd) > 0) {
+- while ((dent = readdir(dir)) != NULL) {
+- fd = atoi(dent->d_name);
+- if (fd > STDERR_FILENO && fd != dfd)
+- close(fd);
+- }
+- } else {
+- dfd = -1;
+- }
+- closedir(dir);
+- }
++ const int MIN_FD_NO = 20;
+ 
+- /* If /proc isn't available, fallback to the previous behavior. */
+- if (dfd < 0) {
+- if (getrlimit(RLIMIT_NOFILE, &rlim) || rlim.rlim_max > MAX_FD_NO)
+- fd = MAX_FD_NO;
+- else if (rlim.rlim_max < MIN_FD_NO)
+- fd = MIN_FD_NO;
+- else
+- fd = rlim.rlim_max - 1;
+-
+- for (; fd > STDERR_FILENO; --fd)
+- close(fd);
+- }
++ int fd;
++ struct rlimit rlim;
++
++ if (getrlimit(RLIMIT_NOFILE, &rlim) || rlim.rlim_max > MAX_FD_NO)
++ fd = MAX_FD_NO;
++ else if (rlim.rlim_max < MIN_FD_NO)
++ fd = MIN_FD_NO;
++ else
++ fd = rlim.rlim_max - 1;
++
++ for (; fd > STDERR_FILENO; --fd)
++ close(fd);
+ }
+ 
+ int
+-- 
+2.33.0
+
diff --git a/backport-libpam-use-close_range-to-close-file-descriptors.patch b/backport-libpam-use-close_range-to-close-file-descriptors.patch
new file mode 100644
index 0000000..e385cb6
--- /dev/null
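Review bot: The reinstated fallback in close_fds() stops at MAX_FD_NO, since `if (getrlimit(RLIMIT_NOFILE, &rlim) || rlim.rlim_max > MAX_FD_NO) fd = MAX_FD_NO;` clamps the sweep to 65535, so in a process whose hard RLIMIT_NOFILE is higher (presumably common under container and systemd defaults) every descriptor numbered above that is left open in the helper, which is exactly the leak this function exists to prevent. The /proc/self/fd walk being reverted had no such ceiling. The close_range() patch added later in this commit restores full coverage where the kernel and libc support it, but its close_fds_iteratively() fallback inherits the same ceiling, so the limitation should at least be stated next to the constant: `/* Descriptors numbered above MAX_FD_NO are not closed by this sweep. */`.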
+++ b/backport-libpam-use-close_range-to-close-file-descriptors.patch 
@@ -0,0 +1,82 @@
+From d6103b30050554d7b6ca6d55cb5b4ed3c9516663 Mon Sep 17 00:00:00 2001
+From: Iker Pedrosa
+Date: Wed, 25 Oct 2023 09:46:15 +0200
+Subject: [PATCH] libpam: use close_range() to close file descriptors
+
+* configure.ac: check whether close_range() is available in the system.
+* libpam/pam_modutil_sanitize.c: use close_range() to close all file
+ descriptors. If the interface isn't available use the previous
+ approach.
+
+Link: https://github.com/linux-pam/linux-pam/pull/276
+Resolves: https://issues.redhat.com/browse/RHEL-5099
+
+Signed-off-by: Iker Pedrosa
+
+Conflict:Context adaptation in configure.ac
+Reference:https://github.com/linux-pam/linux-pam/commit/d6103b30050554d7b6ca6d55cb5b4ed3c9516663
+
+---
+ configure.ac | 1 +
+ libpam/pam_modutil_sanitize.c | 19 +++++++++++++++++--
+ 2 files changed, 18 insertions(+), 2 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 39124d87..b6a8d6fb 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -638,5 +638,6 @@ AC_CHECK_FUNCS(quotactl)
+ AC_CHECK_FUNCS(unshare)
+ AC_CHECK_FUNCS([ruserok_af ruserok], [break])
++AC_CHECK_FUNCS(close_range)
+ BACKUP_LIBS=$LIBS
+ LIBS="$LIBS -lutil"
+ AC_CHECK_FUNCS([logwtmp])
+diff --git a/libpam/pam_modutil_sanitize.c b/libpam/pam_modutil_sanitize.c
+index f26e8ec0..1b8af743 100644
+--- a/libpam/pam_modutil_sanitize.c
++++ b/libpam/pam_modutil_sanitize.c
+@@ -11,6 +11,10 @@
+ #include
+ #include
+ 
++#ifndef CLOSE_RANGE_UNSHARE
++#define CLOSE_RANGE_UNSHARE (1U << 1)
++#endif /* CLOSE_RANGE_UNSHARE */
++
+ /*
+ * Creates a pipe, closes its write end, redirects fd to its read end.
+ * Returns fd on success, -1 otherwise.
+@@ -84,9 +88,8 @@ redirect_out(pam_handle_t *pamh, enum pam_modutil_redirect_fd mode,
+ return fd;
+ }
+ 
+-/* Closes all descriptors after stderr. */
+ static void
+-close_fds(void)
++close_fds_iteratively(void)
+ {
+ /*
+ * An arbitrary upper limit for the maximum file descriptor number
+@@ -111,6 +114,18 @@ close_fds(void)
+ close(fd);
+ }
+ 
++/* Closes all descriptors after stderr. */
++static void
++close_fds(void)
++{
++#ifdef HAVE_CLOSE_RANGE
++ if (close_range(STDERR_FILENO+1, -1U, CLOSE_RANGE_UNSHARE) == 0)
++ return;
++#endif /* HAVE_CLOSE_RANGE */
++
++ close_fds_iteratively();
++}
++
+ int
+ pam_modutil_sanitize_helper_fds(pam_handle_t *pamh,
+ enum pam_modutil_redirect_fd stdin_mode,
+-- 
+2.33.0
+
diff --git a/backport-pam_modutil_sanitize_fds-Add-explicit-casts-to-avoid.patch b/backport-pam_modutil_sanitize_fds-Add-explicit-casts-to-avoid.patch
new file mode 100644
index 0000000..e79f328
--- /dev/null
+++ b/backport-pam_modutil_sanitize_fds-Add-explicit-casts-to-avoid.patch
@@ -0,0 +1,36 @@
+From 930200f240a50dcb84d8e3a5f0c33159b6c4309c Mon Sep 17 00:00:00 2001
+From: Tomas Mraz
+Date: Mon, 12 Oct 2020 10:15:09 +0200
+Subject: [PATCH] pam_modutil_sanitize_fds: Add explicit casts to avoid
+ warnings
+
+Conflict:NA
+Reference:https://github.com/linux-pam/linux-pam/commit/930200f240a50dcb84d8e3a5f0c33159b6c4309c
+
+---
+ libpam/pam_modutil_sanitize.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/libpam/pam_modutil_sanitize.c b/libpam/pam_modutil_sanitize.c
+index 7579c5bd..f26e8ec0 100644
+--- a/libpam/pam_modutil_sanitize.c
++++ b/libpam/pam_modutil_sanitize.c
+@@ -100,12 +100,12 @@ close_fds(void)
+ int fd;
+ struct rlimit rlim;
+ 
+- if (getrlimit(RLIMIT_NOFILE, &rlim) || rlim.rlim_max > MAX_FD_NO)
++ if (getrlimit(RLIMIT_NOFILE, &rlim) || rlim.rlim_max > (rlim_t)MAX_FD_NO)
+ fd = MAX_FD_NO;
+- else if (rlim.rlim_max < MIN_FD_NO)
++ else if (rlim.rlim_max < (rlim_t)MIN_FD_NO)
+ fd = MIN_FD_NO;
+ else
+- fd = rlim.rlim_max - 1;
++ fd = (int)rlim.rlim_max - 1;
+ 
+ for (; fd > STDERR_FILENO; --fd)
+ close(fd);
+-- 
+2.33.0
+
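Review bot: close_fds_iteratively() is left with no comment once the header `/* Closes all descriptors after stderr. */` moves to the new wrapper, and nothing in close_fds() says why the slow path is kept, so the fallback reads as dead code on a modern build. I would put `/* Fallback when close_range() is unavailable or fails: closes STDERR_FILENO+1 .. min(rlim_max - 1, MAX_FD_NO) one at a time. */` above close_fds_iteratively() and `/* close_range() fails with ENOSYS on kernels that lack it; fall through to the iterative sweep. */` above the `#ifdef HAVE_CLOSE_RANGE` block. HAVE_CLOSE_RANGE comes from the AC_CHECK_FUNCS probe, so it reflects the libc the package is built against rather than the running kernel; with a libc that has no wrapper (presumably older glibc) the iterative path, with its MAX_FD_NO ceiling, is the only path even on kernels that support the syscall, which deserves a sentence in the spec changelog. The body of close_fds_iteratively() between the two hunks is outside this view.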
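Review bot: The cast `fd = (int)rlim.rlim_max - 1;` is only in range because the two comparisons above it guarantee MIN_FD_NO <= rlim_max <= MAX_FD_NO, and that dependency is not stated, so a later edit to either bound could silently reintroduce truncation. A one-line comment above the else branch such as `/* rlim_max is within [MIN_FD_NO, MAX_FD_NO] here, so the narrowing cast is exact. */` would pin it. close_fds() starts and ends outside this hunk.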
diff --git a/pam.spec b/pam.spec
index d0243d5..624ccb6 100644
--- a/pam.spec
+++ b/pam.spec
@@ -4,7 +4,7 @@
 %define _pamconfdir %{_sysconfdir}/pam.d
 Name: pam
 Version: 1.4.0
-Release: 13
+Release: 14
 Summary: Pluggable Authentication Modules for Linux
 License: BSD and GPLv2+
 URL: http://www.linux-pam.org/
@@ -41,6 +41,9 @@ Patch6008: backport-Permit-unix_chkpwd-pam_unix.so-to-run-without-being-setuid-r
 Patch6009: backport-pam_unix-workaround-the-problem-caused-by-libnss_sys.patch
 Patch6010: backport-CVE-2024-10041.patch
 Patch6011: backport-CVE-2024-10041-pam_unix-try-to-set-uid-to-0-for-unix_chkpwd.patch
+Patch6012: backport-Revert-libpam-pam_modutil_sanitize.c-optimize-the-wa.patch
+Patch6013: backport-pam_modutil_sanitize_fds-Add-explicit-casts-to-avoid.patch
+Patch6014: backport-libpam-use-close_range-to-close-file-descriptors.patch
 Patch9000: add-sm3-crypt-support.patch
@@ -195,6 +198,9 @@ fi
 %changelog
+* Mon Mar 24 2025 hugel - 1.4.0-14
+- backport patch libpam use close_range() to close file descriptors
+
 * Tue Dec 17 2024 dongyuzhen - 1.4.0-13
 - fix CVE-2024-10041