
nss update

Frank-Rainer Grahl 3 months ago
parent
commit
7e82d9303c

+ 615 - 0
mozilla-release/patches/TOP-1905160-NSS3903-11513.patch

@@ -0,0 +1,615 @@
+# HG changeset patch
+# User John Schanck <jschanck@mozilla.com>
+# Date 1719577097 0
+# Node ID 4da5c2aa3065c7589ad7255344498a497eeea73d
+# Parent  7c85beb46b4680943cd7ab00d52a9b55bdd9a4a3
+Bug 1905160 - land NSS NSS_3_90_3_RTM UPGRADE_NSS_RELEASE, r=keeler a=dmeehan
+
+Differential Revision: https://phabricator.services.mozilla.com/D215174
+
+diff --git a/security/nss/TAG-INFO b/security/nss/TAG-INFO
+--- a/security/nss/TAG-INFO
++++ b/security/nss/TAG-INFO
+@@ -1,1 +1,1 @@
+-NSS_3_90_2_RTM
+\ No newline at end of file
++NSS_3_90_3_RTM
+\ No newline at end of file
+diff --git a/security/nss/coreconf/coreconf.dep b/security/nss/coreconf/coreconf.dep
+--- a/security/nss/coreconf/coreconf.dep
++++ b/security/nss/coreconf/coreconf.dep
+@@ -5,8 +5,9 @@
+ 
+ /*
+  * A dummy header file that is a dependency for all the object files.
+  * Used to force a full recompilation of NSS in Mozilla's Tinderbox
+  * depend builds.  See comments in rules.mk.
+  */
+ 
+ #error "Do not include this header file."
++
+diff --git a/security/nss/doc/rst/releases/index.rst b/security/nss/doc/rst/releases/index.rst
+--- a/security/nss/doc/rst/releases/index.rst
++++ b/security/nss/doc/rst/releases/index.rst
+@@ -3,16 +3,18 @@
+ Releases
+ ========
+ 
+ .. toctree::
+    :maxdepth: 0
+    :glob:
+    :hidden:
+ 
++   nss_3_90_3.rst
++   nss_3_90_2.rst
+    nss_3_90_1.rst
+    nss_3_90_0.rst
+    nss_3_89_1.rst
+    nss_3_89.rst
+    nss_3_88_1.rst
+    nss_3_88.rst
+    nss_3_87_1.rst
+    nss_3_87.rst
+@@ -50,18 +52,21 @@ Releases
+    nss_3_68.rst
+    nss_3_67.rst
+    nss_3_66.rst
+    nss_3_65.rst
+    nss_3_64.rst
+ 
+ .. note::
+ 
+-   **NSS 3.90.1 (ESR)** is the latest version of NSS.
++   **NSS 3.90.3 (ESR)** is the latest version of NSS.
+    Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_91_0_release_notes`
+ 
+ 
+ .. container::
+ 
+-   Changes in 3.90.1 included in this release:
++   Changes in 3.90.3 included in this release:
+ 
+-   - Bug 1813401 - regenerate NameConstraints test certificates.
+-   - Bug 1854795 - add OSXSAVE and XCR0 tests to AVX2 detection.
+\ No newline at end of file
++   - Bug 1901080 - GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.
++   - Bug 1748105 - clean up escape handling.
++   - Bug 1895032 - remove redundant AllocItem implementation. r=nss-reviewers,rrelyea
++   - Bug 1836925 - Disable ASM support for Curve25519.
++   - Bug 1836781 - Disable ASM support for Curve25519 for all but X86_64.
+diff --git a/security/nss/doc/rst/releases/nss_3_90_3.rst b/security/nss/doc/rst/releases/nss_3_90_3.rst
+new file mode 100644
+--- /dev/null
++++ b/security/nss/doc/rst/releases/nss_3_90_3.rst
+@@ -0,0 +1,59 @@
++.. _mozilla_projects_nss_nss_3_90_3_release_notes:
++
++NSS 3.90.3 release notes
++========================
++
++`Introduction <#introduction>`__
++--------------------------------
++
++.. container::
++
++   Network Security Services (NSS) 3.90.3 was released on *27th June 2024**.
++
++
++`Distribution Information <#distribution_information>`__
++--------------------------------------------------------
++
++.. container::
++
++   The HG tag is NSS_3_90_3_RTM. NSS 3.90.3 requires NSPR 4.35 or newer.
++
++   NSS 3.90.3 source distributions are available on ftp.mozilla.org for secure HTTPS download:
++
++   -  Source tarballs:
++      https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_90_3_RTM/src/
++
++   Other releases are available :ref:`mozilla_projects_nss_releases`.
++
++.. _changes_in_nss_3.90.3:
++
++`Changes in NSS 3.90.3 <#changes_in_nss_3.90.3>`__
++--------------------------------------------------
++
++.. container::
++
++   - Bug 1901080 - GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.
++   - Bug 1748105 - clean up escape handling.
++   - Bug 1895032 - remove redundant AllocItem implementation. r=nss-reviewers,rrelyea
++   - Bug 1836925 - Disable ASM support for Curve25519.
++   - Bug 1836781 - Disable ASM support for Curve25519 for all but X86_64.
++
++`Compatibility <#compatibility>`__
++----------------------------------
++
++.. container::
++
++   NSS 3.90.3 shared libraries are backwards-compatible with all older NSS 3.x shared
++   libraries. A program linked with older NSS 3.x shared libraries will work with
++   this new version of the shared libraries without recompiling or
++   relinking. Furthermore, applications that restrict their use of NSS APIs to the
++   functions listed in NSS Public Functions will remain compatible with future
++   versions of the NSS shared libraries.
++
++`Feedback <#feedback>`__
++------------------------
++
++.. container::
++
++   Bugs discovered should be reported by filing a bug report on
++   `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS).
+diff --git a/security/nss/lib/certdb/alg1485.c b/security/nss/lib/certdb/alg1485.c
+--- a/security/nss/lib/certdb/alg1485.c
++++ b/security/nss/lib/certdb/alg1485.c
+@@ -1,14 +1,15 @@
+ /* alg1485.c - implementation of RFCs 1485, 1779 and 2253.
+  *
+  * This Source Code Form is subject to the terms of the Mozilla Public
+  * License, v. 2.0. If a copy of the MPL was not distributed with this
+  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+ 
++#include <limits.h>
+ #include "prprf.h"
+ #include "cert.h"
+ #include "certi.h"
+ #include "xconst.h"
+ #include "genname.h"
+ #include "secitem.h"
+ #include "secerr.h"
+ 
+@@ -594,25 +595,31 @@ typedef enum {
+ /* Some characters must be escaped as a hex string, e.g. c -> \nn .
+  * Others must be escaped by preceding with a '\', e.g. c -> \c , but
+  * there are certain "special characters" that may be handled by either
+  * escaping them, or by enclosing the entire attribute value in quotes.
+  * A NULL value for pEQMode implies selecting minimalEscape mode.
+  * Some callers will do quoting when needed, others will not.
+  * If a caller selects minimalEscapeAndQuote, and the string does not
+  * need quoting, then this function changes it to minimalEscape.
++ * Limit source to 16K, which avoids any possibility of overflow.
++ * Maximum output size would be 3*srclen+2.
+  */
+ static int
+ cert_RFC1485_GetRequiredLen(const char* src, int srclen, EQMode* pEQMode)
+ {
+     int i, reqLen = 0;
+     EQMode mode = pEQMode ? *pEQMode : minimalEscape;
+     PRBool needsQuoting = PR_FALSE;
+     char lastC = 0;
+ 
++    /* avoids needing to check for overflow */
++    if (srclen > 16384) {
++        return -1;
++    }
+     /* need to make an initial pass to determine if quoting is needed */
+     for (i = 0; i < srclen; i++) {
+         char c = src[i];
+         reqLen++;
+         if (NEEDS_HEX_ESCAPE(c)) { /* c -> \xx  */
+             reqLen += 2;
+         } else if (NEEDS_ESCAPE(c)) { /* c -> \c   */
+             reqLen++;
+@@ -632,33 +639,36 @@ cert_RFC1485_GetRequiredLen(const char* 
+         (OPTIONAL_SPACE(src[srclen - 1]) || OPTIONAL_SPACE(src[0]))) {
+         needsQuoting = PR_TRUE;
+     }
+ 
+     if (needsQuoting)
+         reqLen += 2;
+     if (pEQMode && mode == minimalEscapeAndQuote && !needsQuoting)
+         *pEQMode = minimalEscape;
++    /* Maximum output size would be 3*srclen+2 */
+     return reqLen;
+ }
+ 
+ static const char hexChars[16] = { "0123456789abcdef" };
+ 
+ static SECStatus
+ escapeAndQuote(char* dst, int dstlen, char* src, int srclen, EQMode* pEQMode)
+ {
+     int i, reqLen = 0;
+     EQMode mode = pEQMode ? *pEQMode : minimalEscape;
+ 
++    reqLen = cert_RFC1485_GetRequiredLen(src, srclen, &mode);
++    /* reqLen is max 16384*3 + 2 */
+     /* space for terminal null */
+-    reqLen = cert_RFC1485_GetRequiredLen(src, srclen, &mode) + 1;
+-    if (reqLen > dstlen) {
++    if (reqLen < 0 || reqLen + 1 > dstlen) {
+         PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+         return SECFailure;
+     }
++    reqLen += 1;
+ 
+     if (mode == minimalEscapeAndQuote)
+         *dst++ = C_DOUBLE_QUOTE;
+     for (i = 0; i < srclen; i++) {
+         char c = src[i];
+         if (NEEDS_HEX_ESCAPE(c)) {
+             *dst++ = C_BACKSLASH;
+             *dst++ = hexChars[(c >> 4) & 0x0f];
+@@ -976,18 +986,32 @@ AppendAVA(stringBuf* bufp, CERTAVA* ava,
+         if (!avaValue) {
+             if (unknownTag)
+                 PR_smprintf_free(unknownTag);
+             return SECFailure;
+         }
+     }
+ 
+     nameLen = strlen(tagName);
+-    valueLen =
+-        (useHex ? avaValue->len : cert_RFC1485_GetRequiredLen((char*)avaValue->data, avaValue->len, &mode));
++
++    if (useHex) {
++        valueLen = avaValue->len;
++    } else {
++        int reqLen = cert_RFC1485_GetRequiredLen((char*)avaValue->data, avaValue->len, &mode);
++        if (reqLen < 0) {
++            SECITEM_FreeItem(avaValue, PR_TRUE);
++            return SECFailure;
++        }
++        valueLen = reqLen;
++    }
++    if (UINT_MAX - nameLen < 2 ||
++        valueLen > UINT_MAX - nameLen - 2) {
++        SECITEM_FreeItem(avaValue, PR_TRUE);
++        return SECFailure;
++    }
+     len = nameLen + valueLen + 2; /* Add 2 for '=' and trailing NUL */
+ 
+     maxName = nameLen;
+     maxValue = valueLen;
+     if (len <= sizeof(tmpBuf)) {
+         encodedAVA = tmpBuf;
+     } else if (strict != CERT_N2A_READABLE) {
+         encodedAVA = PORT_Alloc(len);
+@@ -1193,30 +1217,33 @@ avaToString(PLArenaPool* arena, CERTAVA*
+     char* buf = NULL;
+     SECItem* avaValue;
+     int valueLen;
+ 
+     avaValue = CERT_DecodeAVAValue(&ava->value);
+     if (!avaValue) {
+         return buf;
+     }
+-    valueLen =
+-        cert_RFC1485_GetRequiredLen((char*)avaValue->data, avaValue->len, NULL) + 1;
+-    if (arena) {
+-        buf = (char*)PORT_ArenaZAlloc(arena, valueLen);
+-    } else {
+-        buf = (char*)PORT_ZAlloc(valueLen);
+-    }
+-    if (buf) {
+-        SECStatus rv =
+-            escapeAndQuote(buf, valueLen, (char*)avaValue->data, avaValue->len, NULL);
+-        if (rv != SECSuccess) {
+-            if (!arena)
+-                PORT_Free(buf);
+-            buf = NULL;
++    int reqLen = cert_RFC1485_GetRequiredLen((char*)avaValue->data, avaValue->len, NULL);
++    /* reqLen is max 16384*3 + 2 */
++    if (reqLen >= 0) {
++        valueLen = reqLen + 1;
++        if (arena) {
++            buf = (char*)PORT_ArenaZAlloc(arena, valueLen);
++        } else {
++            buf = (char*)PORT_ZAlloc(valueLen);
++        }
++        if (buf) {
++            SECStatus rv =
++                escapeAndQuote(buf, valueLen, (char*)avaValue->data, avaValue->len, NULL);
++            if (rv != SECSuccess) {
++                if (!arena)
++                    PORT_Free(buf);
++                buf = NULL;
++            }
+         }
+     }
+     SECITEM_FreeItem(avaValue, PR_TRUE);
+     return buf;
+ }
+ 
+ /* RDNs are sorted from most general to most specific.
+  * This code returns the FIRST one found, the most general one found.
+diff --git a/security/nss/lib/ckfw/builtins/certdata.txt b/security/nss/lib/ckfw/builtins/certdata.txt
+--- a/security/nss/lib/ckfw/builtins/certdata.txt
++++ b/security/nss/lib/ckfw/builtins/certdata.txt
+@@ -19426,18 +19426,24 @@ CKA_VALUE MULTILINE_OCTAL
+ \170\112\075\102\173\153\176\376\367\106\352\321\353\216\357\210
+ \150\133\350\301\331\161\176\375\144\357\377\147\107\210\130\045
+ \057\076\206\007\275\373\250\345\202\250\254\245\323\151\103\315
+ \061\210\111\204\123\222\300\261\071\033\071\203\001\060\304\362
+ \251\372\320\003\275\162\067\140\126\037\066\174\275\071\221\365
+ \155\015\277\173\327\222
+ END
+ CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+-CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE
+-CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE
++# For Server Distrust After: Sun Jun 30 00:00:00 2024
++CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL
++\062\064\060\066\063\060\060\060\060\060\060\060\132
++END
++# For Email Distrust After: Sun Jun 30 00:00:00 2024
++CKA_NSS_EMAIL_DISTRUST_AFTER MULTILINE_OCTAL
++\062\064\060\066\063\060\060\060\060\060\060\060\132
++END
+ 
+ # Trust for "GLOBALTRUST 2020"
+ # Issuer: CN=GLOBALTRUST 2020,O=e-commerce monitoring GmbH,C=AT
+ # Serial Number:5a:4b:bd:5a:fb:4f:8a:5b:fa:65:e5
+ # Subject: CN=GLOBALTRUST 2020,O=e-commerce monitoring GmbH,C=AT
+ # Not Valid Before: Mon Feb 10 00:00:00 2020
+ # Not Valid After : Sun Jun 10 00:00:00 2040
+ # Fingerprint (SHA-256): 9A:29:6A:51:82:D1:D4:51:A2:E3:7F:43:9B:74:DA:AF:A2:67:52:33:29:F9:0F:9A:0D:20:07:C3:34:E2:3C:9A
+diff --git a/security/nss/lib/ckfw/builtins/nssckbi.h b/security/nss/lib/ckfw/builtins/nssckbi.h
+--- a/security/nss/lib/ckfw/builtins/nssckbi.h
++++ b/security/nss/lib/ckfw/builtins/nssckbi.h
+@@ -41,18 +41,18 @@
+  *   made on that branch.
+  *
+  * NSS_BUILTINS_LIBRARY_VERSION_MINOR is a CK_BYTE.  It's not clear
+  * whether we may use its full range (0-255) or only 0-99 because
+  * of the comment in the CK_VERSION type definition.
+  * It's recommend to switch back to 0 after having reached version 98/99.
+  */
+ #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
+-#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 60
+-#define NSS_BUILTINS_LIBRARY_VERSION "2.60"
++#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 61
++#define NSS_BUILTINS_LIBRARY_VERSION "2.61"
+ 
+ /* These version numbers detail the semantic changes to the ckfw engine. */
+ #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1
+ #define NSS_BUILTINS_HARDWARE_VERSION_MINOR 0
+ 
+ /* These version numbers detail the semantic changes to ckbi itself
+  * (new PKCS #11 objects), etc. */
+ #define NSS_BUILTINS_FIRMWARE_VERSION_MAJOR 1
+diff --git a/security/nss/lib/freebl/Makefile b/security/nss/lib/freebl/Makefile
+--- a/security/nss/lib/freebl/Makefile
++++ b/security/nss/lib/freebl/Makefile
+@@ -563,17 +563,16 @@ endif # target == SunO
+ ifdef USE_64
+ # no __int128 at least up to lcc 1.23 (pretending to be gcc5)
+ # NB: CC_NAME is not defined here
+ ifneq ($(shell $(CC) -? 2>&1 >/dev/null </dev/null | sed -e 's/:.*//;1q'),lcc)
+     ifdef CC_IS_CLANG
+             HAVE_INT128_SUPPORT = 1
+             DEFINES += -DHAVE_INT128_SUPPORT
+     else ifeq (1,$(CC_IS_GCC))
+-        SUPPORTS_VALE_CURVE25519 = 1
+         ifneq (,$(filter 4.6 4.7 4.8 4.9,$(word 1,$(GCC_VERSION)).$(word 2,$(GCC_VERSION))))
+             HAVE_INT128_SUPPORT = 1
+             DEFINES += -DHAVE_INT128_SUPPORT
+         endif
+         ifneq (,$(filter 0 1 2 3 4,$(word 1,$(GCC_VERSION))))
+             NSS_DISABLE_AVX2 = 1
+         endif
+         ifeq (,$(filter 0 1 2 3 4,$(word 1,$(GCC_VERSION))))
+@@ -588,21 +587,16 @@ ifneq ($(shell $(CC) -? 2>&1 >/dev/null 
+     endif
+ endif # lcc
+ endif # USE_64
+ 
+ ifndef HAVE_INT128_SUPPORT
+     DEFINES += -DKRML_VERIFIED_UINT128
+ endif
+ 
+-ifdef SUPPORTS_VALE_CURVE25519
+-    VERIFIED_SRCS += Hacl_Curve25519_64.c
+-    DEFINES += -DHACL_CAN_COMPILE_INLINE_ASM
+-endif
+-
+ ifndef NSS_DISABLE_CHACHAPOLY
+     ifeq ($(CPU_ARCH),x86_64)
+         ifndef NSS_DISABLE_AVX2
+             EXTRA_SRCS += Hacl_Poly1305_256.c Hacl_Chacha20_Vec256.c Hacl_Chacha20Poly1305_256.c
+             DEFINES += -DHACL_CAN_COMPILE_VEC256
+         endif # NSS_DISABLE_AVX2
+         ifndef NSS_DISABLE_SSE3
+             EXTRA_SRCS += Hacl_Poly1305_128.c Hacl_Chacha20_Vec128.c Hacl_Chacha20Poly1305_128.c
+diff --git a/security/nss/lib/freebl/freebl.gyp b/security/nss/lib/freebl/freebl.gyp
+--- a/security/nss/lib/freebl/freebl.gyp
++++ b/security/nss/lib/freebl/freebl.gyp
+@@ -861,22 +861,16 @@
+         'conditions': [
+           [ 'disable_altivec==0 and target_arch=="ppc64le"', {
+             'defines': [
+               'PPC_GCM',
+             ],
+           }],
+         ],
+       }],
+-      [ 'supports_vale_curve25519==1', {
+-        'defines': [
+-          # The Makefile does version-tests on GCC, but we're not doing that here.
+-          'HACL_CAN_COMPILE_INLINE_ASM',
+-        ],
+-      }],
+       [ 'OS=="linux" or OS=="android"', {
+         'conditions': [
+           [ 'target_arch=="x64"', {
+             'defines': [
+               'MP_IS_LITTLE_ENDIAN',
+               'NSS_BEVAND_ARCFOUR',
+               'MPI_AMD64',
+               'MP_ASSEMBLY_MULTIPLY',
+@@ -929,21 +923,16 @@
+           }],
+         ],
+       }],
+     ],
+   },
+   'variables': {
+     'module': 'nss',
+     'conditions': [
+-      [ 'target_arch=="x64" and cc_is_gcc==1', {
+-        'supports_vale_curve25519%': 1,
+-      }, {
+-        'supports_vale_curve25519%': 0,
+-      }],
+       [ 'target_arch=="x64" or target_arch=="arm64" or target_arch=="aarch64"', {
+         'have_int128_support%': 1,
+       }, {
+         'have_int128_support%': 0,
+       }],
+       [ 'target_arch=="arm"', {
+         # When the compiler uses the softfloat ABI, we want to use the compatible softfp ABI when enabling NEON for these objects.
+         # Confusingly, __SOFTFP__ is the name of the define for the softfloat ABI, not for the softfp ABI.
+diff --git a/security/nss/lib/freebl/freebl_base.gypi b/security/nss/lib/freebl/freebl_base.gypi
+--- a/security/nss/lib/freebl/freebl_base.gypi
++++ b/security/nss/lib/freebl/freebl_base.gypi
+@@ -146,21 +146,16 @@
+         'verified/Hacl_Curve25519_51.c',
+       ],
+     }, {
+       'sources': [
+         # All other architectures get the generic 32 bit implementation.
+         'ecl/curve25519_32.c',
+       ],
+     }],
+-    ['supports_vale_curve25519==1', {
+-      'sources': [
+-        'verified/Hacl_Curve25519_64.c',
+-      ],
+-    }],
+     ['(target_arch!="ppc64" and target_arch!="ppc64le") or disable_altivec==1', {
+       'sources': [
+         # Gyp does not support per-file cflags, so working around like this.
+         # ppc performance greatly benefits from specific flags.
+         'sha512.c',
+       ],
+     }],
+     [ 'disable_chachapoly==0', {
+diff --git a/security/nss/lib/nss/nss.h b/security/nss/lib/nss/nss.h
+--- a/security/nss/lib/nss/nss.h
++++ b/security/nss/lib/nss/nss.h
+@@ -17,20 +17,20 @@
+ 
+ /*
+  * NSS's major version, minor version, patch level, build number, and whether
+  * this is a beta release.
+  *
+  * The format of the version string should be
+  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
+  */
+-#define NSS_VERSION "3.90.2" _NSS_CUSTOMIZED
++#define NSS_VERSION "3.90.3" _NSS_CUSTOMIZED
+ #define NSS_VMAJOR 3
+ #define NSS_VMINOR 90
+-#define NSS_VPATCH 2
++#define NSS_VPATCH 3
+ #define NSS_VBUILD 0
+ #define NSS_BETA PR_FALSE
+ 
+ #ifndef RC_INVOKED
+ 
+ #include "seccomon.h"
+ 
+ typedef struct NSSInitParametersStr NSSInitParameters;
+diff --git a/security/nss/lib/softoken/softkver.h b/security/nss/lib/softoken/softkver.h
+--- a/security/nss/lib/softoken/softkver.h
++++ b/security/nss/lib/softoken/softkver.h
+@@ -12,16 +12,16 @@
+ 
+ /*
+  * Softoken's major version, minor version, patch level, build number,
+  * and whether this is a beta release.
+  *
+  * The format of the version string should be
+  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
+  */
+-#define SOFTOKEN_VERSION "3.90.2" SOFTOKEN_ECC_STRING
++#define SOFTOKEN_VERSION "3.90.3" SOFTOKEN_ECC_STRING
+ #define SOFTOKEN_VMAJOR 3
+ #define SOFTOKEN_VMINOR 90
+-#define SOFTOKEN_VPATCH 2
++#define SOFTOKEN_VPATCH 3
+ #define SOFTOKEN_VBUILD 0
+ #define SOFTOKEN_BETA PR_FALSE
+ 
+ #endif /* _SOFTKVER_H_ */
+diff --git a/security/nss/lib/util/nssutil.h b/security/nss/lib/util/nssutil.h
+--- a/security/nss/lib/util/nssutil.h
++++ b/security/nss/lib/util/nssutil.h
+@@ -14,20 +14,20 @@
+ 
+ /*
+  * NSS utilities's major version, minor version, patch level, build number,
+  * and whether this is a beta release.
+  *
+  * The format of the version string should be
+  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
+  */
+-#define NSSUTIL_VERSION "3.90.2"
++#define NSSUTIL_VERSION "3.90.3"
+ #define NSSUTIL_VMAJOR 3
+ #define NSSUTIL_VMINOR 90
+-#define NSSUTIL_VPATCH 2
++#define NSSUTIL_VPATCH 3
+ #define NSSUTIL_VBUILD 0
+ #define NSSUTIL_BETA PR_FALSE
+ 
+ SEC_BEGIN_PROTOS
+ 
+ /*
+  * Returns a const string of the UTIL library version.
+  */
+diff --git a/security/nss/lib/util/secitem.c b/security/nss/lib/util/secitem.c
+--- a/security/nss/lib/util/secitem.c
++++ b/security/nss/lib/util/secitem.c
+@@ -233,45 +233,30 @@ SECITEM_DupItem(const SECItem *from)
+ }
+ 
+ SECItem *
+ SECITEM_ArenaDupItem(PLArenaPool *arena, const SECItem *from)
+ {
+     SECItem *to;
+ 
+     if (from == NULL) {
+-        return (NULL);
+-    }
+-
+-    if (arena != NULL) {
+-        to = (SECItem *)PORT_ArenaAlloc(arena, sizeof(SECItem));
+-    } else {
+-        to = (SECItem *)PORT_Alloc(sizeof(SECItem));
+-    }
+-    if (to == NULL) {
+-        return (NULL);
++        return NULL;
+     }
+ 
+-    if (arena != NULL) {
+-        to->data = (unsigned char *)PORT_ArenaAlloc(arena, from->len);
+-    } else {
+-        to->data = (unsigned char *)PORT_Alloc(from->len);
+-    }
+-    if (to->data == NULL) {
+-        PORT_Free(to);
+-        return (NULL);
++    to = SECITEM_AllocItem(arena, NULL, from->len);
++    if (to == NULL) {
++        return NULL;
+     }
+ 
+-    to->len = from->len;
+     to->type = from->type;
+     if (to->len) {
+         PORT_Memcpy(to->data, from->data, to->len);
+     }
+ 
+-    return (to);
++    return to;
+ }
+ 
+ SECStatus
+ SECITEM_CopyItem(PLArenaPool *arena, SECItem *to, const SECItem *from)
+ {
+     to->type = from->type;
+     if (from->data && from->len) {
+         if (arena) {
+
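Review bot: The two early returns added to AppendAVA in security/nss/lib/certdb/alg1485.c (after `reqLen < 0` and after the `UINT_MAX` length check) free `avaValue` but not `unknownTag`, whereas the `!avaValue` failure path just above them in the same hunk calls `PR_smprintf_free(unknownTag)` first. If `unknownTag` was allocated for an unrecognised attribute type, every value rejected for exceeding the new 16K limit would leak it; add `if (unknownTag) PR_smprintf_free(unknownTag);` before each new `return SECFailure;`. Neither new path sets an error code, unlike escapeAndQuote's `PORT_SetError(SEC_ERROR_OUTPUT_LEN)`, so callers cannot tell why the conversion failed. AppendAVA starts and ends outside the hunk, so the allocation of `unknownTag` is inferred from the visible cleanup rather than seen.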

+ 1 - 0
mozilla-release/patches/series

@@ -7112,6 +7112,7 @@ TOP-NOBUG-REGEXP-44-irregexp-25318.patch
 TOP-NOBUG-REGEXP-45-final-25318.patch
 TOP-NOBUG-REGEXP-46-fixes-25318.patch
 1861843-2-version-beta-mr-25319.patch
+TOP-1905160-NSS3903-11513.patch
 1902849-version-release-mr-25319.patch
 1902851-1-version-prebeta-mr-25320.patch
 1902935-seamonkey-credits-25320.patch