diff --git a/SOURCES/cve-2016-1950.patch b/SOURCES/cve-2016-1950.patch
new file mode 100644
index 0000000..b6f4f3c
--- /dev/null
+++ b/SOURCES/cve-2016-1950.patch
@@ -0,0 +1,141 @@
+
+# HG changeset patch
+# User David Keeler <dkeeler@mozilla.com>
+# Date 1455892169 -3600
+# Node ID b9a31471759d751a56bf261b24c138c8f5d3925f
+# Parent 9e2af044dfa443ccff8587177c8f1b5b7b627f37
+bug 1245528 - fix bugs in ASN.1 decoding, r=ryan.sleevi
+
+diff --git a/lib/util/secasn1d.c b/lib/util/secasn1d.c
+--- a/lib/util/secasn1d.c
++++ b/lib/util/secasn1d.c
+@@ -9,16 +9,18 @@
+
+ /* #define DEBUG_ASN1D_STATES 1 */
+
+ #ifdef DEBUG_ASN1D_STATES
+ #include <stdio.h>
+ #define PR_Assert sec_asn1d_Assert
+ #endif
+
++#include <limits.h>
++
+ #include "secasn1.h"
+ #include "secerr.h"
+
+ typedef enum {
+ beforeIdentifier,
+ duringIdentifier,
+ afterIdentifier,
+ beforeLength,
+@@ -1588,28 +1590,63 @@ sec_asn1d_parse_leaf (sec_asn1d_state *s
+
+ if (state->pending < len)
+ len = state->pending;
+
+ bufLen = len;
+
+ item = (SECItem *)(state->dest);
+ if (item != NULL && item->data != NULL) {
++ unsigned long offset;
+ /* Strip leading zeroes when target is unsigned integer */
+ if (state->underlying_kind == SEC_ASN1_INTEGER && /* INTEGER */
+ item->len == 0 && /* MSB */
+ item->type == siUnsignedInteger) /* unsigned */
+ {
+ while (len > 1 && buf[0] == 0) { /* leading 0 */
+ buf++;
+ len--;
+ }
+ }
+- PORT_Memcpy (item->data + item->len, buf, len);
+- item->len += len;
++ offset = item->len;
++ if (state->underlying_kind == SEC_ASN1_BIT_STRING) {
++ // The previous bit string must have no unused bits.
++ if (item->len & 0x7) {
++ PORT_SetError (SEC_ERROR_BAD_DER);
++ state->top->status = decodeError;
++ return 0;
++ }
++ // If this is a bit string, the length is bits, not bytes.
++ offset = item->len >> 3;
++ }
++ if (state->underlying_kind == SEC_ASN1_BIT_STRING) {
++ unsigned long len_in_bits;
++ // Protect against overflow during the bytes-to-bits conversion.
++ if (len >= (ULONG_MAX >> 3) + 1) {
++ PORT_SetError (SEC_ERROR_BAD_DER);
++ state->top->status = decodeError;
++ return 0;
++ }
++ len_in_bits = (len << 3) - state->bit_string_unused_bits;
++ // Protect against overflow when computing the total length in bits.
++ if (UINT_MAX - item->len < len_in_bits) {
++ PORT_SetError (SEC_ERROR_BAD_DER);
++ state->top->status = decodeError;
++ return 0;
++ }
++ item->len += len_in_bits;
++ } else {
++ if (UINT_MAX - item->len < len) {
++ PORT_SetError (SEC_ERROR_BAD_DER);
++ state->top->status = decodeError;
++ return 0;
++ }
++ item->len += len;
++ }
++ PORT_Memcpy (item->data + offset, buf, len);
+ }
+ state->pending -= bufLen;
+ if (state->pending == 0)
+ state->place = beforeEndOfContents;
+
+ return bufLen;
+ }
+
+@@ -1666,24 +1703,16 @@ sec_asn1d_parse_more_bit_string (sec_asn
+ } else {
+ /* An empty bit string with no unused bits is OK. */
+ state->place = beforeEndOfContents;
+ }
+ return 0;
+ }
+
+ len = sec_asn1d_parse_leaf (state, buf, len);
+- if (state->place == beforeEndOfContents && state->dest != NULL) {
+- SECItem *item;
+-
+- item = (SECItem *)(state->dest);
+- if (item->len)
+- item->len = (item->len << 3) - state->bit_string_unused_bits;
+- }
+-
+ return len;
+ }
+
+
+ /*
+ * XXX All callers should be looking at return value to detect
+ * out-of-memory errors (and stop!).
+ */
+@@ -2203,17 +2232,17 @@ sec_asn1d_concat_substrings (sec_asn1d_s
+ ? PR_TRUE : PR_FALSE;
+
+ substring = state->subitems_head;
+ while (substring != NULL) {
+ /*
+ * All bit-string substrings except the last one should be
+ * a clean multiple of 8 bits.
+ */
+- if (is_bit_string && (substring->next == NULL)
++ if (is_bit_string && (substring->next != NULL)
+ && (substring->len & 0x7)) {
+ PORT_SetError (SEC_ERROR_BAD_DER);
+ state->top->status = decodeError;
+ return;
+ }
+ item_len += substring->len;
+ substring = substring->next;
+ }
+
diff --git a/SOURCES/hasht-dont-include-prtypes.patch b/SOURCES/hasht-dont-include-prtypes.patch
index 6f85c8e..2a2ee9b 100644
--- a/SOURCES/hasht-dont-include-prtypes.patch
+++ b/SOURCES/hasht-dont-include-prtypes.patch
@@ -1,6 +1,6 @@
diff -up ./nss/lib/util/hasht.h.prtypes ./nss/lib/util/hasht.h
---- ./nss/lib/util/hasht.h.prtypes 2013-11-09 09:23:30.000000000 -0800
-+++ ./nss/lib/util/hasht.h 2013-11-25 02:59:15.481044180 -0800
+--- ./nss/lib/util/hasht.h.prtypes 2013-11-23 21:23:12.729136309 -0800
++++ ./nss/lib/util/hasht.h 2013-11-23 21:23:32.873289479 -0800
@@ -5,7 +5,6 @@
#ifndef _HASHT_H_
#define _HASHT_H_
diff --git a/SPECS/nss-util.spec b/SPECS/nss-util.spec
index 2be6b13..6b9a3e0 100644
--- a/SPECS/nss-util.spec
+++ b/SPECS/nss-util.spec
@@ -5,7 +5,7 @@
Summary: Network Security Services Utilities Library
Name: nss-util
Version: 3.19.1
-Release: 4%{?dist}
+Release: 9%{?dist}
License: MPLv2.0
URL: http://www.mozilla.org/projects/security/pki/nss/
Group: System Environment/Libraries
@@ -36,9 +36,12 @@ Source3: nss-util-config.in
Patch1: build-nss-util-only.patch
Patch2: hasht-dont-include-prtypes.patch
Patch7: pkcs1sig-include-prtypes.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=951455
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=923089
Patch8: nss-util-3.19.1-tls12-mechanisms.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1205157
Patch9: nss-3.20.1-security-fix.patch
+Patch10: cve-2016-1950.patch
%description
Utilities for Network Security Services and the Softoken module
@@ -65,6 +68,7 @@ Header and library files for doing development with Network Security Services.
pushd nss
%patch8 -p1 -b .tls12_mechs
%patch9 -p1 -b .various_flaws
+%patch10 -p1 -b .cve-2016-1950
popd
@@ -100,10 +104,12 @@ export NSS_USE_SYSTEM_SQLITE
NSS_BUILD_NSSUTIL_ONLY=1
export NSS_BUILD_NSSUTIL_ONLY
-%if %{__isa_bits} == 64
+%ifnarch noarch
+%if 0%{__isa_bits} == 64
USE_64=1
export USE_64
%endif
+%endif
# make util
%{__make} -C ./nss/coreconf
@@ -232,8 +238,24 @@ done
%{_includedir}/nss3/templates/templates.c
%changelog
-* Fri Oct 16 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.1-4
-- Resolves: Bug 1269357 - CVE-2015-7182 CVE-2015-7181
+* Thu Mar 03 2016 Kai Engert <kaie@redhat.com> - 3.19.1-9
+- Actually apply the fix for CVE-2016-1950 from NSS 3.19.2.3 ...
+
+* Thu Feb 25 2016 Kai Engert <kaie@redhat.com> - 3.19.1-8
+- Fix a spec file syntax error
+
+* Thu Feb 25 2016 Kai Engert <kaie@redhat.com> - 3.19.1-7
+- Rebuild to ensure use of correct NSPR.
+
+* Wed Feb 24 2016 Kai Engert <kaie@redhat.com> - 3.19.1-6
+- Include the fix for CVE-2016-1950 from NSS 3.19.2.3
+
+* Fri Nov 20 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.1-5
+- Merge security fix from the RHEL-7.1 branch
+- Resolves: Bug 1269358 - CVE-2015-7182 CVE-2015-7181
+
+* Thu Jul 16 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.1-4
+- Add links to filed upstream bugs to better track patches in spec file
* Thu Jun 18 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.1-3
- Remove unused patch
@@ -242,11 +264,10 @@ done
- Add support for TLS 1.2 SHA384 per PKCS #11 v2.40
* Fri Jun 05 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.1-1
-- Rebase to nss-3.19.1
-- Resolves: Bug 1224451
+- Resolves: Bug 1228913: Rebase to nss-3.19.1 for CVE-2015-4000 [RHEL-7.1]
-* Mon Apr 13 2015 Elio Maldonado <emaldona@redhat.com> - 3.18.0-1
-- Resolves: Bug 1211373 - [RHEL7.1] nss-util 3.18 rebase required for firefox 38 ESR
+* Mon Mar 30 2015 Elio Maldonado <emaldona@redhat.com> - 3.18.0-1
+- Resolves: Bug 1200931 - [RHEL7.1] nss-util 3.18 rebase required for firefox 38 ESR
* Thu Jan 22 2015 Elio Maldonado <emaldona@redhat.com> - 3.16.2.3-2
- Bump the release number to be higher than the one for rhel-7.0