diff --git a/SOURCES/cve-2014-1568-softokn.patch b/SOURCES/cve-2014-1568-softokn.patch
new file mode 100644
index 0000000..f754782
--- /dev/null
+++ b/SOURCES/cve-2014-1568-softokn.patch
@@ -0,0 +1,138 @@
+
+# HG changeset patch
+# User Kai Engert <kaie@kuix.de>
+# Date 1411493325 -7200
+# Node ID 4e90910ad2f9741978820ec2314b12a504d78c4e
+# Parent  ad411fb64046d987272043f311ca477022c6fef4
+Fix bug	1064636, patch part 3, r=rrelyea
+
+diff --git a/lib/softoken/pkcs11c.c b/lib/softoken/pkcs11c.c
+--- a/lib/softoken/pkcs11c.c
++++ b/lib/softoken/pkcs11c.c
+@@ -18,16 +18,17 @@
+  *   that created or generated them.
+  */
+ #include "seccomon.h"
+ #include "secitem.h"
+ #include "secport.h"
+ #include "blapi.h"
+ #include "pkcs11.h"
+ #include "pkcs11i.h"
++#include "pkcs1sig.h"
+ #include "lowkeyi.h"
+ #include "secder.h"
+ #include "secdig.h"
+ #include "lowpbe.h"	/* We do PBE below */
+ #include "pkcs11t.h"
+ #include "secoid.h"
+ #include "alghmac.h"
+ #include "softoken.h"
+@@ -2851,75 +2852,52 @@ sftk_hashCheckSign(SFTKHashVerifyInfo *i
+         return SECFailure;
+     }
+ 
+     return RSA_HashCheckSign(info->hashOid, info->key, sig, sigLen, digest,
+                              digestLen);
+ }
+ 
+ SECStatus
+-RSA_HashCheckSign(SECOidTag hashOid, NSSLOWKEYPublicKey *key,
++RSA_HashCheckSign(SECOidTag digestOid, NSSLOWKEYPublicKey *key,
+                   const unsigned char *sig, unsigned int sigLen,
+-                  const unsigned char *hash, unsigned int hashLen)
++                  const unsigned char *digestData, unsigned int digestLen)
+ {
+-    SECItem it;
+-    SGNDigestInfo *di = NULL;
+-    SECStatus rv = SECSuccess;
+-
+-    it.data = NULL;
+-    it.len = nsslowkey_PublicModulusLen(key);
+-    if (!it.len) {
+-        goto loser;
+-    }
+-
+-    it.data = (unsigned char *)PORT_Alloc(it.len);
+-    if (it.data == NULL) {
+-        goto loser;
+-    }
+-
++    unsigned char *pkcs1DigestInfoData;
++    SECItem pkcs1DigestInfo;
++    SECItem digest;
++    unsigned int bufferSize;
++    SECStatus rv;
++
++    /* pkcs1DigestInfo.data must be less than key->u.rsa.modulus.len */
++    bufferSize = key->u.rsa.modulus.len;
++    pkcs1DigestInfoData = PORT_ZAlloc(bufferSize);
++    if (!pkcs1DigestInfoData) {
++        PORT_SetError(SEC_ERROR_NO_MEMORY);
++        return SECFailure;
++    }
++
++    pkcs1DigestInfo.data = pkcs1DigestInfoData;
++    pkcs1DigestInfo.len = bufferSize;
++    
+     /* decrypt the block */
+-    rv = RSA_CheckSignRecover(&key->u.rsa, it.data, &it.len, it.len, sig,
+-                              sigLen);
++    rv = RSA_CheckSignRecover(&key->u.rsa, pkcs1DigestInfo.data,
++                             &pkcs1DigestInfo.len, pkcs1DigestInfo.len,
++                             sig, sigLen);
+     if (rv != SECSuccess) {
+-        goto loser;
+-    }
+-
+-    di = SGN_DecodeDigestInfo(&it);
+-    if (di == NULL) {
+-        goto loser;
+-    }
+-    if (di->digest.len != hashLen) {
+-        goto loser; 
+-    }
+-
+-    /* make sure the tag is OK */
+-    if (SECOID_GetAlgorithmTag(&di->digestAlgorithm) != hashOid) {
+-        goto loser;
+-    }
+-    /* make sure the "parameters" are not too bogus. */
+-    if (di->digestAlgorithm.parameters.len > 2) {
+-        goto loser;
+-    }
+-    /* Now check the signature */
+-    if (PORT_Memcmp(hash, di->digest.data, di->digest.len) == 0) {
+-        goto done;
+-    }
+-
+-  loser:
+-    PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+-    rv = SECFailure;
+-
+-  done:
+-    if (it.data != NULL) {
+-        PORT_Free(it.data);
+-    }
+-    if (di != NULL) {
+-        SGN_DestroyDigestInfo(di);
+-    }
+-
++        PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
++    } else {
++        digest.data = (PRUint8*) digestData;
++        digest.len = digestLen;
++        rv = _SGN_VerifyPKCS1DigestInfo(
++                digestOid, &digest, &pkcs1DigestInfo,
++                PR_TRUE /*XXX: unsafeAllowMissingParameters*/);
++    }
++
++    PORT_Free(pkcs1DigestInfoData);
+     return rv;
+ }
+ 
+ static SECStatus
+ sftk_RSACheckSign(NSSLOWKEYPublicKey *key, const unsigned char *sig,
+                   unsigned int sigLen, const unsigned char *digest,
+                   unsigned int digestLen)
+ {
+
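Review bot: In the rewritten RSA_HashCheckSign, the call to `_SGN_VerifyPKCS1DigestInfo` passes `PR_TRUE /*XXX: unsafeAllowMissingParameters*/`, so going by the argument's own name the verifier still accepts a DigestInfo whose AlgorithmIdentifier parameters are absent, and the XXX leaves that open. The helper is declared in `pkcs1sig.h` and defined outside this patch, so the exact leniency cannot be confirmed from here; the comment should say why the relaxed form is kept and what must hold before it can become `PR_FALSE`. The rewrite also drops the old zero-length guard (`it.len = nsslowkey_PublicModulusLen(key); if (!it.len) goto loser;`) and reads `key->u.rsa.modulus.len` straight into `PORT_ZAlloc`. Restoring it before the allocation keeps the earlier fail-closed behaviour: `if (bufferSize == 0) { PORT_SetError(SEC_ERROR_BAD_SIGNATURE); return SECFailure; }`. On the success path of `RSA_CheckSignRecover` the error code is whatever the helper sets, so it is worth confirming that it reports `SEC_ERROR_BAD_SIGNATURE` as the removed `loser:` path did.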
diff --git a/SPECS/nss-softokn.spec b/SPECS/nss-softokn.spec
index b730764..586c466 100644
--- a/SPECS/nss-softokn.spec
+++ b/SPECS/nss-softokn.spec
@@ -25,7 +25,7 @@
 Summary:          Network Security Services Softoken Module
 Name:             nss-softokn
 Version:          3.16.2
-Release:          1%{?dist}
+Release:          2%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Group:            System Environment/Libraries
@@ -72,6 +72,8 @@ Patch9:           nss-versus-softoken-tests.patch
 # Once has been bootstapped the patch may be removed, but it doesn't hurt to keep it.
 Patch10:           iquote.patch
 Patch11:           nss-softokn-allow-level1.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1064636
+Patch12: cve-2014-1568-softokn.patch
 
 %description
 Network Security Services Softoken Cryptographic Module
@@ -126,6 +128,9 @@ Header and library files for doing development with Network Security Services.
 # activate if needed when doing a major update with new apis
 %patch10 -p0 -b .iquote
 %patch11 -p0 -b .allow_level1
+pushd nss
+%patch12 -p1 -b .cve_2014-1568
+popd
 
 
 %build
@@ -389,6 +394,9 @@ done
 %{_includedir}/nss3/shsign.h
 
 %changelog
+* Tue Sep 23 2014 Elio Maldonado <emaldona@redhat.com> - 3.16.2-3
+- Resolves: Bug 1145433 - CVE-2014-1568
+
 * Wed Jul 30 2014 Elio Maldonado <emaldona@redhat.com> - 3.16.2-1
 - Update to nss-3.16.2
 - Resolves: Bug 1124659 - Rebase RHEL 7.1 to at least NSS-SOFTOKN 3.16.1 (FF 31)
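Review bot: The new changelog entry is stamped `3.16.2-3`, but the Release tag in this same commit moves from `1%{?dist}` to `2%{?dist}`, so the package builds as 3.16.2-2 and the changelog does not match it. For a CVE fix that mismatch makes it harder to tell from `rpm -q --changelog` which build actually carries `cve-2014-1568-softokn.patch`. Either set `Release: 3%{?dist}` or change the entry to end in `- 3.16.2-2`.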