From 0430b8f1288be694a7e09a686c8d6d21e38bd14c Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Jul 01 2021 04:13:27 +0000
Subject: import nss-3.67.0-4.el8_4
---
diff --git a/SOURCES/nss-3.67-fix-sdb-timeout.patch b/SOURCES/nss-3.67-fix-sdb-timeout.patch
new file mode 100644
index 0000000..120cb5b
--- /dev/null
+++ b/SOURCES/nss-3.67-fix-sdb-timeout.patch
@@ -0,0 +1,63 @@
+diff --git a/lib/softoken/sdb.c b/lib/softoken/sdb.c
+--- a/lib/softoken/sdb.c
++++ b/lib/softoken/sdb.c
+@@ -1519,16 +1519,18 @@ sdb_Begin(SDB *sdb)
+
+ sqlerr = sqlite3_prepare_v2(sqlDB, BEGIN_CMD, -1, &stmt, NULL);
+
+ do {
+ sqlerr = sqlite3_step(stmt);
+ if (sqlerr == SQLITE_BUSY) {
+ PR_Sleep(SDB_BUSY_RETRY_TIME);
+ }
++ /* don't retry BEGIN transaction*/
++ retry = 0;
+ } while (!sdb_done(sqlerr, &retry));
+
+ if (stmt) {
+ sqlite3_reset(stmt);
+ sqlite3_finalize(stmt);
+ }
+
+ loser:
+diff --git a/lib/softoken/sftkdb.c b/lib/softoken/sftkdb.c
+--- a/lib/softoken/sftkdb.c
++++ b/lib/softoken/sftkdb.c
+@@ -1521,17 +1521,17 @@ sftkdb_DestroyObject(SFTKDBHandle *handl
+ if (handle == NULL) {
+ return CKR_TOKEN_WRITE_PROTECTED;
+ }
+ db = SFTK_GET_SDB(handle);
+ objectID &= SFTK_OBJ_ID_MASK;
+
+ crv = (*db->sdb_Begin)(db);
+ if (crv != CKR_OK) {
+- goto loser;
++ return crv;
+ }
+ crv = (*db->sdb_DestroyObject)(db, objectID);
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+ /* if the database supports meta data, delete any old signatures
+ * that we may have added */
+ if ((db->sdb_flags & SDB_HAS_META) == SDB_HAS_META) {
+@@ -2456,17 +2456,17 @@ sftkdb_Update(SFTKDBHandle *handle, SECI
+ return CKR_OK;
+ }
+ /*
+ * put the whole update under a transaction. This allows us to handle
+ * any possible race conditions between with the updateID check.
+ */
+ crv = (*handle->db->sdb_Begin)(handle->db);
+ if (crv != CKR_OK) {
+- goto loser;
++ return crv;
+ }
+ inTransaction = PR_TRUE;
+
+ /* some one else has already updated this db */
+ if (sftkdb_hasUpdate(sftkdb_TypeString(handle),
+ handle->db, handle->updateID)) {
+ crv = CKR_OK;
+ goto done;
diff --git a/SPECS/nss.spec b/SPECS/nss.spec
index b88d808..1cef870 100644
--- a/SPECS/nss.spec
+++ b/SPECS/nss.spec
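Review bot: The comment added in the sdb_Begin loop, `/* don't retry BEGIN transaction*/`, reads as the opposite of what `retry = 0;` appears to do. The counter is cleared on every pass just before `sdb_done(sqlerr, &retry)`, so if sdb_done (not shown here) gives up once that counter reaches a limit, BEGIN now keeps retrying on SQLITE_BUSY with no upper bound. That fits the changelog's description of a timeout while waiting to begin a transaction, but it also means a database lock that is never released would leave the calling thread sleeping in this loop indefinitely, and the code should say so where it happens. I would reword the comment to something like `/* BEGIN must not time out: clear the busy counter so SQLITE_BUSY is retried until the lock is released */`. sdb_Begin starts and ends outside the quoted context.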
@@ -47,7 +47,7 @@ rpm.define(string.format("nss_release_tag NSS_%s_RTM", Summary: Network Security Services Name: nss Version: %{nss_version} -Release: 2%{?dist} +Release: 4%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Requires: nspr >= %{nspr_version} @@ -153,6 +153,8 @@ Patch230: nss-3.66-no-small-primes.patch Patch232: nss-3.66-fix-gtest-parsing.patch # no upstream bug yet Patch233: nss-3.67-fix-coverity-issues.patch +# no upstream bug yet +Patch234: nss-3.67-fix-sdb-timeout.patch %description @@ -925,6 +927,14 @@ update-crypto-policies --no-reload &> /dev/null || : %changelog +* Tue Jun 29 2021 Bob Relyea - 3.67.0-4 +- Better fix for the sdb timeout. The issue wasn't a race, it was + the sqlite timeout waiting to begin a transaction under heavy + thread usage. + +* Mon Jun 28 2021 Bob Relyea - 3.67.0-3 +- Fix sdb race condition + * Fri Jun 18 2021 Bob Relyea - 3.67.0-2 - Fix coverity issues