When gpasswd(1) asks for the new password, it asks twice (as is usual for confirming the new password). Each of those 2 password prompts uses agetpass() to get the password. If the second agetpass() fails, the first password, which has been copied into the 'static' buffer 'pass' via STRFCPY(), wasn't being zeroed.
Upstream commit for this issue: https://github.com/shadow-maint/shadow/commit/65c88a43a23c2391dcc90c0abda3e839e9c57904
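A simplified model of the pattern described above, added here as an illustration and not taken from the shadow source: a static buffer holds the first password, and the failure path of the second prompt either skips or performs the wipe. The function names are hypothetical, the two prompts are replaced by arguments (NULL stands for a failed agetpass() call), and the password string is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Static buffer, as in the report: its contents outlive the function call. */
static char pass[64];

/* Wipe through a volatile pointer so the compiler cannot drop the stores. */
static void wipe(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Count the non-zero bytes still present in the static buffer. */
size_t residual_bytes(void) {
    size_t n = 0;
    for (size_t i = 0; i < sizeof pass; i++) n += (pass[i] != 0);
    return n;
}

/* Before: a failed second prompt returns without wiping pass[]. */
int set_password_before(const char *first, const char *second) {
    if (first == NULL) return -1;
    snprintf(pass, sizeof pass, "%s", first);
    if (second == NULL) return -1;      /* first password stays in memory */
    int rc = strcmp(pass, second) == 0 ? 0 : 1;
    wipe(pass, sizeof pass);
    return rc;
}

/* After: every exit path reached after the copy wipes pass[]. */
int set_password_after(const char *first, const char *second) {
    if (first == NULL) return -1;
    snprintf(pass, sizeof pass, "%s", first);
    if (second == NULL) {
        wipe(pass, sizeof pass);
        return -1;
    }
    int rc = strcmp(pass, second) == 0 ? 0 : 1;
    wipe(pass, sizeof pass);
    return rc;
}

int main(void) {
    set_password_before("constructed-secret", NULL);
    printf("before: %zu bytes left\n", residual_bytes());
    wipe(pass, sizeof pass);
    set_password_after("constructed-secret", NULL);
    printf("after:  %zu bytes left\n", residual_bytes());
    return 0;
}
```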
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:6632 https://access.redhat.com/errata/RHSA-2023:6632
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:7112 https://access.redhat.com/errata/RHSA-2023:7112
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2024:0417 https://access.redhat.com/errata/RHSA-2024:0417
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Extended Update Support Via RHSA-2024:2577 https://access.redhat.com/errata/RHSA-2024:2577