--- oath-toolkit-1.12.2/pam_oath/pam_oath.c 2012-04-04 11:32:57.000000000 +0200
+++ oath-toolkit-1.12.2/pam_oath/pam_oath.c 2012-05-31 01:27:54.575977370 +0200
@@ -159,6 +159,7 @@ pam_sm_authenticate (pam_handle_t * pamh
 if (cfg.try_first_pass || cfg.use_first_pass)
 {
 retval = pam_get_item (pamh, PAM_AUTHTOK, (const void **) &password);
+ password = strdup(password);
 if (retval != PAM_SUCCESS)
 {
 DBG (("get password returned error: %s",
@@ -314,6 +315,8 @@ done:
 oath_done ();
 free (query_prompt);
 free (onlypasswd);
+ if (cfg.try_first_pass || cfg.use_first_pass)
+ free(password);
 if (cfg.alwaysok && retval != PAM_SUCCESS)
 {
 DBG (("alwaysok needed (otherwise return with %d)", retval));
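Review bot: The added `password = strdup(password);` in the first hunk runs before the `retval != PAM_SUCCESS` check that follows it, and nothing guards against `password` being NULL. pam_get_item can succeed and still leave the item NULL when no earlier module stored PAM_AUTHTOK, and strdup(NULL) is undefined behaviour that would normally crash the process hosting the PAM stack. The copy belongs after the error check (whose body ends outside this hunk) and should handle allocation failure, e.g. `if (password != NULL && (password = strdup (password)) == NULL) { retval = PAM_BUF_ERR; goto done; }`. A short comment such as `/* private copy: PAM_AUTHTOK storage is owned by libpam */` would also document why the copy exists.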
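Review bot: The `free(password)` added under `done:` is keyed on the config flags rather than on whether this function actually owns the pointer. If code between the two hunks (not visible here) reassigns `password`, for instance to a conversation response when the first-pass item was empty, this would free memory the function did not allocate, or free it twice. Keeping the duplicate in its own variable, e.g. `char *password_copy = NULL;`, and calling `free (password_copy);` unconditionally makes ownership explicit and removes the flag test. The copy holds a credential, so it should be wiped before release, `memset (password_copy, 0, strlen (password_copy));` or explicit_bzero where available, since a plain memset before free may be optimized away. `password` also appears to be a `const char *` judging by the cast in the first hunk, so freeing it directly discards the qualifier.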