diff --git a/SOURCES/Bug-1174527-fixsegfault.patch b/SOURCES/Bug-1174527-fixsegfault.patch
new file mode 100644
index 0000000..ff24334
--- /dev/null
+++ b/SOURCES/Bug-1174527-fixsegfault.patch
@@ -0,0 +1,23 @@
+diff --git a/lib/pkcs12/p12local.c b/lib/pkcs12/p12local.c
+--- a/lib/pkcs12/p12local.c
++++ b/lib/pkcs12/p12local.c
+@@ -923,17 +923,18 @@ sec_pkcs12_convert_item_to_unicode(PLAre
+ if(!arena) {
+ PORT_Free(dest->data);
+ dest->data = NULL;
+ dest->len = 0;
+ }
+ return PR_FALSE;
+ }
+
+- if((dest->data[dest->len-1] || dest->data[dest->len-2]) && zeroTerm) {
++ if ((dest->len >= 2) &&
++ (dest->data[dest->len-1] || dest->data[dest->len-2]) && zeroTerm) {
+ if(dest->len + 2 > 3 * src->len) {
+ if(arena) {
+ dest->data = (unsigned char*)PORT_ArenaGrow(arena,
+ dest->data, dest->len,
+ dest->len + 2);
+ } else {
+ dest->data = (unsigned char*)PORT_Realloc(dest->data,
+ dest->len + 2);
diff --git a/SOURCES/Crash-in-stan_GetCERTCertificate-rhbz1094468.patch b/SOURCES/Crash-in-stan_GetCERTCertificate-rhbz1094468.patch
new file mode 100644
index 0000000..d3e0f21
--- /dev/null
+++ b/SOURCES/Crash-in-stan_GetCERTCertificate-rhbz1094468.patch
@@ -0,0 +1,154 @@
+diff --git a/lib/pki/pki3hack.c b/lib/pki/pki3hack.c
+--- a/lib/pki/pki3hack.c
++++ b/lib/pki/pki3hack.c
+@@ -849,18 +849,21 @@ fill_CERTCertificateFields(NSSCertificat
+ }
+
+ static CERTCertificate *
+ stan_GetCERTCertificate(NSSCertificate *c, PRBool forceUpdate)
+ {
+ nssDecodedCert *dc = NULL;
+ CERTCertificate *cc = NULL;
+ CERTCertTrust certTrust;
++ nssPKIObject *object = &c->object;
+
+- nssPKIObject_Lock(&c->object);
++ /* make sure object does not go away until we finish */
++ nssPKIObject_AddRef(object);
++ nssPKIObject_Lock(object);
+
+ dc = c->decoding;
+ if (!dc) {
+ dc = nssDecodedPKIXCertificate_Create(NULL, &c->encoding);
+ if (!dc) {
+ goto loser;
+ }
+ cc = (CERTCertificate *)dc->data;
+@@ -898,17 +901,18 @@ stan_GetCERTCertificate(NSSCertificate *
+ trust = nssTrust_GetCERTCertTrustForCert(c, cc);
+
+ CERT_LockCertTrust(cc);
+ cc->trust = trust;
+ CERT_UnlockCertTrust(cc);
+ }
+
+ loser:
+- nssPKIObject_Unlock(&c->object);
++ nssPKIObject_Unlock(object);
++ nssPKIObject_Destroy(object);
+ return cc;
+ }
+
+ NSS_IMPLEMENT CERTCertificate *
+ STAN_ForceCERTCertificateUpdate(NSSCertificate *c)
+ {
+ if (c->decoding) {
+ return stan_GetCERTCertificate(c, PR_TRUE);
+@@ -1265,16 +1269,17 @@ done:
+ */
+ static PRStatus
+ DeleteCertTrustMatchingSlot(PK11SlotInfo *pk11slot, nssPKIObject *tObject)
+ {
+ int numNotDestroyed = 0; /* the ones skipped plus the failures */
+ int failureCount = 0; /* actual deletion failures by devices */
+ int index;
+
++ nssPKIObject_AddRef(tObject);
+ nssPKIObject_Lock(tObject);
+ /* Keep going even if a module fails to delete. */
+ for (index = 0; index < tObject->numInstances; index++) {
+ nssCryptokiObject *instance = tObject->instances[index];
+ if (!instance) {
+ continue;
+ }
+
+@@ -1298,16 +1303,17 @@ DeleteCertTrustMatchingSlot(PK11SlotInfo
+ if (numNotDestroyed == 0) {
+ nss_ZFreeIf(tObject->instances);
+ tObject->numInstances = 0;
+ } else {
+ tObject->numInstances = numNotDestroyed;
+ }
+
+ nssPKIObject_Unlock(tObject);
++ nssPKIObject_Destroy(tObject);
+
+ return failureCount == 0 ? PR_SUCCESS : PR_FAILURE;
+ }
+
+ /*
+ ** Delete trust objects matching the slot of the given certificate.
+ ** Returns an error if any device fails to delete.
+ */
+@@ -1324,30 +1330,32 @@ STAN_DeleteCertTrustMatchingSlot(NSSCert
+ int i;
+
+ /* Iterate through the cert and trust object instances looking for
+ * those with matching pk11 slots to delete. Even if some device
+ * can't delete we keep going. Keeping a status variable for the
+ * loop so that once it's failed the other gets set.
+ */
+ NSSRWLock_LockRead(td->tokensLock);
++ nssPKIObject_AddRef(cobject);
+ nssPKIObject_Lock(cobject);
+ for (i = 0; i < cobject->numInstances; i++) {
+ nssCryptokiObject *cInstance = cobject->instances[i];
+ if (cInstance && !PK11_IsReadOnly(cInstance->token->pk11slot)) {
+ PRStatus status;
+ if (!tobject->numInstances || !tobject->instances) continue;
+ status = DeleteCertTrustMatchingSlot(cInstance->token->pk11slot, tobject);
+ if (status == PR_FAILURE) {
+ /* set the outer one but keep going */
+ nssrv = PR_FAILURE;
+ }
+ }
+ }
+ nssPKIObject_Unlock(cobject);
++ nssPKIObject_Destroy(cobject);
+ NSSRWLock_UnlockRead(td->tokensLock);
+ return nssrv;
+ }
+
+ /* CERT_TraversePermCertsForSubject */
+ NSS_IMPLEMENT PRStatus
+ nssTrustDomain_TraverseCertificatesBySubject (
+ NSSTrustDomain *td,
+diff --git a/lib/pki/tdcache.c b/lib/pki/tdcache.c
+--- a/lib/pki/tdcache.c
++++ b/lib/pki/tdcache.c
+@@ -386,16 +386,17 @@ struct token_cert_dtor {
+
+ static void
+ remove_token_certs(const void *k, void *v, void *a)
+ {
+ NSSCertificate *c = (NSSCertificate *)k;
+ nssPKIObject *object = &c->object;
+ struct token_cert_dtor *dtor = a;
+ PRUint32 i;
++ nssPKIObject_AddRef(object);
+ nssPKIObject_Lock(object);
+ for (i=0; i<object->numInstances; i++) {
+ if (object->instances[i]->token == dtor->token) {
+ nssCryptokiObject_Destroy(object->instances[i]);
+ object->instances[i] = object->instances[object->numInstances-1];
+ object->instances[object->numInstances-1] = NULL;
+ object->numInstances--;
+ dtor->certs[dtor->numCerts++] = c;
+@@ -404,16 +405,17 @@ remove_token_certs(const void *k, void *
+ dtor->certs = nss_ZREALLOCARRAY(dtor->certs,
+ NSSCertificate *,
+ dtor->arrSize);
+ }
+ break;
+ }
+ }
+ nssPKIObject_Unlock(object);
++ nssPKIObject_Destroy(object);
+ return;
+ }
+
+ /*
+ * Remove all certs for the given token from the cache. This is
+ * needed if the token is removed.
+ */
+ NSS_IMPLEMENT PRStatus
diff --git a/SOURCES/Crash-in-stan_GetCERTCertificate-rhbz1139349.patch b/SOURCES/Crash-in-stan_GetCERTCertificate-rhbz1139349.patch
deleted file mode 100644
index d3e0f21..0000000
--- a/SOURCES/Crash-in-stan_GetCERTCertificate-rhbz1139349.patch
+++ /dev/null
@@ -1,154 +0,0 @@
-diff --git a/lib/pki/pki3hack.c b/lib/pki/pki3hack.c
---- a/lib/pki/pki3hack.c
-+++ b/lib/pki/pki3hack.c
-@@ -849,18 +849,21 @@ fill_CERTCertificateFields(NSSCertificat
- }
-
- static CERTCertificate *
- stan_GetCERTCertificate(NSSCertificate *c, PRBool forceUpdate)
- {
- nssDecodedCert *dc = NULL;
- CERTCertificate *cc = NULL;
- CERTCertTrust certTrust;
-+ nssPKIObject *object = &c->object;
-
-- nssPKIObject_Lock(&c->object);
-+ /* make sure object does not go away until we finish */
-+ nssPKIObject_AddRef(object);
-+ nssPKIObject_Lock(object);
-
- dc = c->decoding;
- if (!dc) {
- dc = nssDecodedPKIXCertificate_Create(NULL, &c->encoding);
- if (!dc) {
- goto loser;
- }
- cc = (CERTCertificate *)dc->data;
-@@ -898,17 +901,18 @@ stan_GetCERTCertificate(NSSCertificate *
- trust = nssTrust_GetCERTCertTrustForCert(c, cc);
-
- CERT_LockCertTrust(cc);
- cc->trust = trust;
- CERT_UnlockCertTrust(cc);
- }
-
- loser:
-- nssPKIObject_Unlock(&c->object);
-+ nssPKIObject_Unlock(object);
-+ nssPKIObject_Destroy(object);
- return cc;
- }
-
- NSS_IMPLEMENT CERTCertificate *
- STAN_ForceCERTCertificateUpdate(NSSCertificate *c)
- {
- if (c->decoding) {
- return stan_GetCERTCertificate(c, PR_TRUE);
-@@ -1265,16 +1269,17 @@ done:
- */
- static PRStatus
- DeleteCertTrustMatchingSlot(PK11SlotInfo *pk11slot, nssPKIObject *tObject)
- {
- int numNotDestroyed = 0; /* the ones skipped plus the failures */
- int failureCount = 0; /* actual deletion failures by devices */
- int index;
-
-+ nssPKIObject_AddRef(tObject);
- nssPKIObject_Lock(tObject);
- /* Keep going even if a module fails to delete. */
- for (index = 0; index < tObject->numInstances; index++) {
- nssCryptokiObject *instance = tObject->instances[index];
- if (!instance) {
- continue;
- }
-
-@@ -1298,16 +1303,17 @@ DeleteCertTrustMatchingSlot(PK11SlotInfo
- if (numNotDestroyed == 0) {
- nss_ZFreeIf(tObject->instances);
- tObject->numInstances = 0;
- } else {
- tObject->numInstances = numNotDestroyed;
- }
-
- nssPKIObject_Unlock(tObject);
-+ nssPKIObject_Destroy(tObject);
-
- return failureCount == 0 ? PR_SUCCESS : PR_FAILURE;
- }
-
- /*
- ** Delete trust objects matching the slot of the given certificate.
- ** Returns an error if any device fails to delete.
- */
-@@ -1324,30 +1330,32 @@ STAN_DeleteCertTrustMatchingSlot(NSSCert
- int i;
-
- /* Iterate through the cert and trust object instances looking for
- * those with matching pk11 slots to delete. Even if some device
- * can't delete we keep going. Keeping a status variable for the
- * loop so that once it's failed the other gets set.
- */
- NSSRWLock_LockRead(td->tokensLock);
-+ nssPKIObject_AddRef(cobject);
- nssPKIObject_Lock(cobject);
- for (i = 0; i < cobject->numInstances; i++) {
- nssCryptokiObject *cInstance = cobject->instances[i];
- if (cInstance && !PK11_IsReadOnly(cInstance->token->pk11slot)) {
- PRStatus status;
- if (!tobject->numInstances || !tobject->instances) continue;
- status = DeleteCertTrustMatchingSlot(cInstance->token->pk11slot, tobject);
- if (status == PR_FAILURE) {
- /* set the outer one but keep going */
- nssrv = PR_FAILURE;
- }
- }
- }
- nssPKIObject_Unlock(cobject);
-+ nssPKIObject_Destroy(cobject);
- NSSRWLock_UnlockRead(td->tokensLock);
- return nssrv;
- }
-
- /* CERT_TraversePermCertsForSubject */
- NSS_IMPLEMENT PRStatus
- nssTrustDomain_TraverseCertificatesBySubject (
- NSSTrustDomain *td,
-diff --git a/lib/pki/tdcache.c b/lib/pki/tdcache.c
---- a/lib/pki/tdcache.c
-+++ b/lib/pki/tdcache.c
-@@ -386,16 +386,17 @@ struct token_cert_dtor {
-
- static void
- remove_token_certs(const void *k, void *v, void *a)
- {
- NSSCertificate *c = (NSSCertificate *)k;
- nssPKIObject *object = &c->object;
- struct token_cert_dtor *dtor = a;
- PRUint32 i;
-+ nssPKIObject_AddRef(object);
- nssPKIObject_Lock(object);
- for (i=0; i<object->numInstances; i++) {
- if (object->instances[i]->token == dtor->token) {
- nssCryptokiObject_Destroy(object->instances[i]);
- object->instances[i] = object->instances[object->numInstances-1];
- object->instances[object->numInstances-1] = NULL;
- object->numInstances--;
- dtor->certs[dtor->numCerts++] = c;
-@@ -404,16 +405,17 @@ remove_token_certs(const void *k, void *
- dtor->certs = nss_ZREALLOCARRAY(dtor->certs,
- NSSCertificate *,
- dtor->arrSize);
- }
- break;
- }
- }
- nssPKIObject_Unlock(object);
-+ nssPKIObject_Destroy(object);
- return;
- }
-
- /*
- * Remove all certs for the given token from the cache. This is
- * needed if the token is removed.
- */
- NSS_IMPLEMENT PRStatus
diff --git a/SOURCES/nss-3.16-tcache-race.patch b/SOURCES/nss-3.16-tcache-race.patch
new file mode 100644
index 0000000..8bbb329
--- /dev/null
+++ b/SOURCES/nss-3.16-tcache-race.patch
@@ -0,0 +1,29 @@
+diff -up ./nss/lib/pki/tdcache.c.race ./nss/lib/pki/tdcache.c
+--- ./nss/lib/pki/tdcache.c.race 2014-12-18 15:39:42.975354956 -0800
++++ ./nss/lib/pki/tdcache.c 2014-12-18 15:42:33.934201074 -0800
+@@ -399,6 +399,8 @@ remove_token_certs(const void *k, void *
+ object->instances[i] = object->instances[object->numInstances-1];
+ object->instances[object->numInstances-1] = NULL;
+ object->numInstances--;
++ /* make sure id doesn't disappear on us before we finish */
++ nssPKIObject_AddRef(object);
+ dtor->certs[dtor->numCerts++] = c;
+ if (dtor->numCerts == dtor->arrSize) {
+ dtor->arrSize *= 2;
+@@ -441,13 +443,15 @@ nssTrustDomain_RemoveTokenCertsFromCache
+ for (i=0; i<dtor.numCerts; i++) {
+ if (dtor.certs[i]->object.numInstances == 0) {
+ nssTrustDomain_RemoveCertFromCacheLOCKED(td, dtor.certs[i]);
++ nssPKIObject_Destroy(&dtor.certs[i]->object);
+ dtor.certs[i] = NULL; /* skip this cert in the second for loop */
+- }
++ }
+ }
+ PZ_Unlock(td->cache->lock);
+ for (i=0; i<dtor.numCerts; i++) {
+ if (dtor.certs[i]) {
+ STAN_ForceCERTCertificateUpdate(dtor.certs[i]);
++ nssPKIObject_Destroy(&dtor.certs[i]->object);
+ }
+ }
+ nss_ZFreeIf(dtor.certs);
diff --git a/SPECS/nss.spec b/SPECS/nss.spec
index eb50b36..0a233c4 100644
--- a/SPECS/nss.spec
+++ b/SPECS/nss.spec
@@ -21,7 +21,7 @@
Summary: Network Security Services
Name: nss
Version: 3.16.2.3
-Release: 2%{?dist}
+Release: 5%{?dist}
License: MPLv2.0
URL: http://www.mozilla.org/projects/security/pki/nss/
Group: System Environment/Libraries
@@ -101,11 +101,15 @@ Patch56: p-ignore-setpolicy.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=921684
Patch62: dont-hold-issuer-cert-handles-in-crl-cache.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1050069
-Patch64: Crash-in-stan_GetCERTCertificate-rhbz1139349.patch
+Patch64: Crash-in-stan_GetCERTCertificate-rhbz1094468.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1083360
# support TLS_FALLBACK_SCSV in tstclnt and ssltap
-Patch88: p-1083360.patch
+Patch88: p-1083360.patch
Patch89: certutil-man-supply-missing-options.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1111901
+Patch90: Bug-1174527-fixsegfault.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1050069
+Patch91: nss-3.16-tcache-race.patch
%description
Network Security Services (NSS) is a set of libraries designed to
@@ -201,10 +205,14 @@ popd
%patch56 -p0 -b .1026677
%patch62 -p0 -b .1034409
pushd nss
-%patch64 -p1 -b .1139349
+%patch64 -p1 -b .1094468
%patch88 -p1 -b .support_tls_fallback_scsv
popd
-%patch89 -p0 -b .missing_options
+%patch89 -p0 -b .missing_options
+ pushd nss
+%patch90 -p1 -b .1174527
+popd
+%patch91 -p0 -b .race
#########################################################
# Higher-level libraries and test tools need access to
@@ -290,7 +298,7 @@ export NSS_BUILD_WITHOUT_SOFTOKEN=1
NSS_USE_SYSTEM_SQLITE=1
export NSS_USE_SYSTEM_SQLITE
-%ifarch x86_64 ppc64 ia64 s390x sparc64 aarch64
+%if %{__isa_bits} == 64
USE_64=1
export USE_64
%endif
@@ -396,7 +404,7 @@ export FREEBL_NO_DEPEND
BUILD_OPT=1
export BUILD_OPT
-%ifarch x86_64 ppc64 ia64 s390x sparc64 aarch64
+%if %{__isa_bits} == 64
USE_64=1
export USE_64
%endif
@@ -785,44 +793,52 @@ fi
%changelog
+* Mon Jan 19 2015 Elio Maldonado <emaldona@redhat.com> - 3.16.2.3-5
+- Reverse the sense of a test in patch to fix pk12util segfault
+- Resolves: Bug 1174527 - Segfault in pk12util when using -l option with certain .p12 files
+
+* Thu Jan 08 2015 Elio Maldonado <emaldona@redhat.com> - 3.16.2.3-4
+- Fix race condition
+- Resolves: Bug 1094468 - 389-ds-base server reported crash in stan_GetCERTCertificate
+- under the replication replay failure condition
+
+* Wed Jan 07 2015 Elio Maldonado <emaldona@redhat.com> - 3.16.2.3-3
+- Resolves: Bug 1174527 - Segfault in pk12util when using -l option with certain .p12 files
+
* Tue Nov 25 2014 Elio Maldonado <emaldona@redhat.com> - 3.16.2.3-2
- Restore patch for certutil man page
- supply missing options descriptions
-- Resolves: Bug 1165525 - Upgrade to NSS 3.16.2.3 for Firefox 31.3
+- Resolves: Bug 1158161 - Upgrade to NSS 3.16.2.3 for Firefox 31.3
-* Wed Nov 19 2014 Elio Maldonado <emaldona@redhat.com> - 3.16.2.3-1
-- Resolves: Bug 1165525 - Upgrade to NSS 3.16.2.3 for Firefox 31.3
+* Thu Nov 13 2014 Elio Maldonado <emaldona@redhat.com> - 3.16.2-10
+- Resolves: Bug 1158161 - Upgrade to NSS 3.16.2.3 for Firefox 31.3
- Support TLS_FALLBACK_SCSV in tstclnt and ssltap
-* Fri Sep 26 2014 Elio Maldonado <emaldona@redhat.com> - 3.16.2-8
-- Fix crash in stan_GetCERTCertificate
-- Resolves: Bug 1139349
+* Mon Sep 29 2014 Elio Maldonado <emaldona@redhat.com> - 3.16.2-9
+- Resolves: Bug 1145434 - CVE-2014-1568
+- Using a release number higher than on rhel-7.0 branch
-* Wed Sep 24 2014 Elio Maldonado <emaldona@redhat.com> - 3.16.2-7
-- Resolves: Bug 1145433 - CVE-2014-1568
+* Mon Aug 11 2014 Elio Maldonado <emaldona@redhat.com> - 3.16.2-4
+- Fix crash in stan_GetCERTCertificate
+- Resolves: Bug 1094468
-* Wed Sep 24 2014 Elio Maldonado <emaldona@redhat.com> - 3.16.2-6
-- Rolling back to commit e5fb6e476c179665976e906604496cbbb24f22a7
-- Related: Bug 1145433
+* Tue Aug 05 2014 Elio Maldonado <pbrobinson@redhat.com> 3.16.2-3
+- Generic 32/64 bit platform detection (fix ppc64le build)
+- Resolves: Bug 1125619 - nss fails to build on arch: ppc64le (missing dependencies)
+- Fix contributed by Peter Robinson <pbrobinson@redhat.com>
-* Wed Aug 06 2014 Elio Maldonado <emaldona@redhat.com> - 3.16.2-2
-- Restore missing options descriptions fix for certutil manpage
-- Document certutil options --dump-ext-val, --extGeneric, and --extSAN
-- Related: Bug 1124659 - Rebase RHEL 7 to at least NSS 3.16.1
+* Fri Aug 01 2014 Elio Maldonado <emaldona@redhat.com> - 3.16.2-2
+- Fix libssl and test patches that disable ssl2 support
+- Resolves: Bug 1123435
+- Replace expired PayPal test certificate with current one
-* Fri Aug 01 2014 Elio Maldonado <emaldona@redhat.com> - 3.16.2-1
+* Tue Jul 08 2014 Elio Maldonado <emaldona@redhat.com> - 3.16.2-1
- Rebase to nss-3.16.2
-- Resolves: Bug 1124659 - Rebase RHEL 7 to at least NSS 3.16.1 (FF 31)
+- Resolves: Bug 1103252 - Rebase RHEL 7.1 to at least NSS 3.16.1 (FF 31)
- Fix test failure detection in the %%check section
- Move removal of unwanted source directories to the end of the %%prep section
- Update various patches on account of the rebase
- Remove unused patches rendered obsolete by the rebase
-- Fix libssl and test patches that disable ssl2 support
-- Replace expired PayPal test certificate that breaks the build
-
-* Fri Jul 04 2014 Elio Maldonado <emaldona@redhat.com> - 3.15.4-7
-- Fix race-condition in certificate validation
-- Resolves: Bug 1116201
* Mon Mar 03 2014 Elio Maldonado <emaldona@redhat.com> - 3.15.4-6
- Disallow disabling the internal module