diff --git a/.gitignore b/.gitignore
index f37de1b..1364787 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/nss-util-3.16.2.tar.gz
+SOURCES/nss-util-3.16.2.3.tar.gz
diff --git a/.nss-util.metadata b/.nss-util.metadata
index aa9ac64..18acf54 100644
--- a/.nss-util.metadata
+++ b/.nss-util.metadata
@@ -1 +1 @@
-b0daf5ef12d60579867aaeccc52d1a772d6d45f7 SOURCES/nss-util-3.16.2.tar.gz
+7caf9def7d49b78e081522da65c409c7c9d05f6b SOURCES/nss-util-3.16.2.3.tar.gz
diff --git a/SOURCES/cve-2014-1568-utils.patch b/SOURCES/cve-2014-1568-utils.patch
deleted file mode 100644
index 2b55e28..0000000
--- a/SOURCES/cve-2014-1568-utils.patch
+++ /dev/null
@@ -1,273 +0,0 @@
-angeset patch
-# User Kai Engert <kaie@kuix.de>
-# Date 1411493332 -7200
-# Node ID fb7208e91ae8e819b38a80480f816efb32fbfab3
-# Parent 4e90910ad2f9741978820ec2314b12a504d78c4e
-Fix bug 1064636, patch part 1, r=rrelyea
-
-diff --git a/lib/util/manifest.mn b/lib/util/manifest.mn
---- a/lib/util/manifest.mn
-+++ b/lib/util/manifest.mn
-@@ -17,16 +17,17 @@ EXPORTS = \
- nssrwlkt.h \
- nssutil.h \
- pkcs11.h \
- pkcs11f.h \
- pkcs11p.h \
- pkcs11t.h \
- pkcs11n.h \
- pkcs11u.h \
-+ pkcs1sig.h \
- portreg.h \
- secasn1.h \
- secasn1t.h \
- seccomon.h \
- secder.h \
- secdert.h \
- secdig.h \
- secdigt.h \
-@@ -53,16 +54,17 @@ CSRCS = \
- dersubr.c \
- dertime.c \
- errstrs.c \
- nssb64d.c \
- nssb64e.c \
- nssrwlk.c \
- nssilock.c \
- oidstring.c \
-+ pkcs1sig.c \
- portreg.c \
- secalgid.c \
- secasn1d.c \
- secasn1e.c \
- secasn1u.c \
- secitem.c \
- secload.c \
- secoid.c \
-diff --git a/lib/util/nssutil.def b/lib/util/nssutil.def
---- a/lib/util/nssutil.def
-+++ b/lib/util/nssutil.def
-@@ -266,8 +266,14 @@ NSSUTIL_QuoteSize;
- SECITEM_AllocArray;
- SECITEM_DupArray;
- SECITEM_FreeArray;
- SECITEM_ReallocItemV2;
- SECITEM_ZfreeArray;
- ;+ local:
- ;+ *;
- ;+};
-+;+NSSUTIL_3.17.1 { # NSS Utilities 3.17.1 release
-+;+ global:
-+_SGN_VerifyPKCS1DigestInfo;
-+;+ local:
-+;+ *;
-+;+};
-diff --git a/lib/util/pkcs1sig.c b/lib/util/pkcs1sig.c
-new file mode 100644
---- /dev/null
-+++ b/lib/util/pkcs1sig.c
-@@ -0,0 +1,169 @@
-+/* This Source Code Form is subject to the terms of the Mozilla Public
-+ * License, v. 2.0. If a copy of the MPL was not distributed with this
-+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
-+ */
-+
-+#include "pkcs1sig.h"
-+#include "hasht.h"
-+#include "secerr.h"
-+#include "secasn1t.h"
-+#include "secoid.h"
-+
-+typedef struct pkcs1PrefixStr pkcs1Prefix;
-+struct pkcs1PrefixStr {
-+ unsigned int len;
-+ PRUint8 *data;
-+};
-+
-+typedef struct pkcs1PrefixesStr pkcs1Prefixes;
-+struct pkcs1PrefixesStr {
-+ unsigned int digestLen;
-+ pkcs1Prefix prefixWithParams;
-+ pkcs1Prefix prefixWithoutParams;
-+};
-+
-+/* The value for SGN_PKCS1_DIGESTINFO_MAX_PREFIX_LEN_EXCLUDING_OID is based on
-+ * the possible prefix encodings as explained below.
-+ */
-+#define MAX_PREFIX_LEN_EXCLUDING_OID 10
-+
-+static SECStatus
-+encodePrefix(const SECOidData *hashOid, unsigned int digestLen,
-+ pkcs1Prefix *prefix, PRBool withParams)
-+{
-+ /* with params coding is:
-+ * Sequence (2 bytes) {
-+ * Sequence (2 bytes) {
-+ * Oid (2 bytes) {
-+ * Oid value (derOid->oid.len)
-+ * }
-+ * NULL (2 bytes)
-+ * }
-+ * OCTECT (2 bytes);
-+ *
-+ * without params coding is:
-+ * Sequence (2 bytes) {
-+ * Sequence (2 bytes) {
-+ * Oid (2 bytes) {
-+ * Oid value (derOid->oid.len)
-+ * }
-+ * }
-+ * OCTECT (2 bytes);
-+ */
-+
-+ unsigned int innerSeqLen = 2 + hashOid->oid.len;
-+ unsigned int outerSeqLen = 2 + innerSeqLen + 2 + digestLen;
-+ unsigned int extra = 0;
-+
-+ if (withParams) {
-+ innerSeqLen += 2;
-+ outerSeqLen += 2;
-+ extra = 2;
-+ }
-+
-+ if (innerSeqLen >= 128 ||
-+ outerSeqLen >= 128 ||
-+ (outerSeqLen + 2 - digestLen) >
-+ (MAX_PREFIX_LEN_EXCLUDING_OID + hashOid->oid.len)) {
-+ /* this is actually a library failure, It shouldn't happen */
-+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
-+ return SECFailure;
-+ }
-+
-+ prefix->len = 6 + hashOid->oid.len + extra + 2;
-+ prefix->data = PORT_Alloc(prefix->len);
-+ if (!prefix->data) {
-+ PORT_SetError(SEC_ERROR_NO_MEMORY);
-+ return SECFailure;
-+ }
-+
-+ prefix->data[0] = SEC_ASN1_SEQUENCE|SEC_ASN1_CONSTRUCTED;
-+ prefix->data[1] = outerSeqLen;
-+ prefix->data[2] = SEC_ASN1_SEQUENCE|SEC_ASN1_CONSTRUCTED;
-+ prefix->data[3] = innerSeqLen;
-+ prefix->data[4] = SEC_ASN1_OBJECT_ID;
-+ prefix->data[5] = hashOid->oid.len;
-+ PORT_Memcpy(&prefix->data[6], hashOid->oid.data, hashOid->oid.len);
-+ if (withParams) {
-+ prefix->data[6 + hashOid->oid.len] = SEC_ASN1_NULL;
-+ prefix->data[6 + hashOid->oid.len + 1] = 0;
-+ }
-+ prefix->data[6 + hashOid->oid.len + extra] = SEC_ASN1_OCTET_STRING;
-+ prefix->data[6 + hashOid->oid.len + extra + 1] = digestLen;
-+
-+ return SECSuccess;
-+}
-+
-+SECStatus
-+_SGN_VerifyPKCS1DigestInfo(SECOidTag digestAlg,
-+ const SECItem* digest,
-+ const SECItem* dataRecoveredFromSignature,
-+ PRBool unsafeAllowMissingParameters)
-+{
-+ SECOidData *hashOid;
-+ pkcs1Prefixes pp;
-+ const pkcs1Prefix* expectedPrefix;
-+ SECStatus rv, rv2, rv3;
-+
-+ if (!digest || !digest->data ||
-+ !dataRecoveredFromSignature || !dataRecoveredFromSignature->data) {
-+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
-+ return SECFailure;
-+ }
-+
-+ hashOid = SECOID_FindOIDByTag(digestAlg);
-+ if (hashOid == NULL) {
-+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
-+ return SECFailure;
-+ }
-+
-+ pp.digestLen = digest->len;
-+ pp.prefixWithParams.data = NULL;
-+ pp.prefixWithoutParams.data = NULL;
-+
-+ rv2 = encodePrefix(hashOid, pp.digestLen, &pp.prefixWithParams, PR_TRUE);
-+ rv3 = encodePrefix(hashOid, pp.digestLen, &pp.prefixWithoutParams, PR_FALSE);
-+
-+ rv = SECSuccess;
-+ if (rv2 != SECSuccess || rv3 != SECSuccess) {
-+ rv = SECFailure;
-+ }
-+
-+ if (rv == SECSuccess) {
-+ /* We don't attempt to avoid timing attacks on these comparisons because
-+ * signature verification is a public key operation, not a private key
-+ * operation.
-+ */
-+
-+ if (dataRecoveredFromSignature->len ==
-+ pp.prefixWithParams.len + pp.digestLen) {
-+ expectedPrefix = &pp.prefixWithParams;
-+ } else if (unsafeAllowMissingParameters &&
-+ dataRecoveredFromSignature->len ==
-+ pp.prefixWithoutParams.len + pp.digestLen) {
-+ expectedPrefix = &pp.prefixWithoutParams;
-+ } else {
-+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
-+ rv = SECFailure;
-+ }
-+ }
-+
-+ if (rv == SECSuccess) {
-+ if (memcmp(dataRecoveredFromSignature->data, expectedPrefix->data,
-+ expectedPrefix->len) ||
-+ memcmp(dataRecoveredFromSignature->data + expectedPrefix->len,
-+ digest->data, digest->len)) {
-+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
-+ rv = SECFailure;
-+ }
-+ }
-+
-+ if (pp.prefixWithParams.data) {
-+ PORT_Free(pp.prefixWithParams.data);
-+ }
-+ if (pp.prefixWithoutParams.data) {
-+ PORT_Free(pp.prefixWithoutParams.data);
-+ }
-+
-+ return rv;
-+}
-diff --git a/lib/util/pkcs1sig.h b/lib/util/pkcs1sig.h
-new file mode 100644
---- /dev/null
-+++ b/lib/util/pkcs1sig.h
-@@ -0,0 +1,30 @@
-+/* This Source Code Form is subject to the terms of the Mozilla Public
-+ * License, v. 2.0. If a copy of the MPL was not distributed with this
-+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
-+ */
-+
-+#ifndef _PKCS1SIG_H_
-+#define _PKCS1SIG_H_
-+
-+#include "hasht.h"
-+#include "seccomon.h"
-+#include "secoidt.h"
-+
-+/* SGN_VerifyPKCS1DigestInfo verifies that the length of the digest is correct
-+ * for the given algorithm, then verifies that the recovered data from the
-+ * PKCS#1 signature is a properly-formatted DigestInfo that identifies the
-+ * given digest algorithm, then verifies that the digest in the DigestInfo
-+ * matches the given digest.
-+ *
-+ * dataRecoveredFromSignature must be the result of calling PK11_VerifyRecover
-+ * or equivalent.
-+ *
-+ * If unsafeAllowMissingParameters is true (not recommended), then a DigestInfo
-+ * without the mandatory ASN.1 NULL parameter will also be accepted.
-+ */
-+SECStatus _SGN_VerifyPKCS1DigestInfo(SECOidTag digestAlg,
-+ const SECItem* digest,
-+ const SECItem* dataRecoveredFromSignature,
-+ PRBool unsafeAllowMissingParameters);
-+
-+#endif /* _PKCS1SIG_H_ */
diff --git a/SPECS/nss-util.spec b/SPECS/nss-util.spec
index 5f874ad..177d75f 100644
--- a/SPECS/nss-util.spec
+++ b/SPECS/nss-util.spec
@@ -2,8 +2,8 @@
Summary: Network Security Services Utilities Library
Name: nss-util
-Version: 3.16.2
-Release: 2%{?dist}
+Version: 3.16.2.3
+Release: 1%{?dist}
License: MPLv2.0
URL: http://www.mozilla.org/projects/security/pki/nss/
Group: System Environment/Libraries
@@ -33,8 +33,6 @@ Source3: nss-util-config.in
Patch1: build-nss-util-only.patch
Patch2: hasht-dont-include-prtypes.patch
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1064636
-Patch6: cve-2014-1568-utils.patch
Patch7: pkcs1sig-include-prtypes.patch
%description
@@ -58,9 +56,6 @@ Header and library files for doing development with Network Security Services.
%setup -q
%patch1 -p0 -b .utilonly
%patch2 -p0 -b .prtypes
-pushd nss
-%patch6 -p1 -b .cve-2014-1568
-popd
%patch7 -p0 -b .include_prtypes
@@ -228,6 +223,9 @@ done
%{_includedir}/nss3/templates/templates.c
%changelog
+* Wed Nov 19 2014 Elio Maldonado <emaldona@redhat.com> - 3.16.2.1-1
+- Resolves: Bug 1165525 - Upgrade to NSS 3.16.2.3 for Firefox 31.3
+
* Tue Sep 23 2014 Elio Maldonado <emaldona@redhat.com> - 3.16.2-2
- Resolves: bug 1145433 - CVE-2014-1568