diff --git a/nss.spec b/nss.spec
index 2e4cdff..2671e22 100644
--- a/nss.spec
+++ b/nss.spec
@@ -9,7 +9,7 @@ Name: nss
 Version: 3.35.0
 # for Rawhide, please always use release >= 2
 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: MPLv2.0
 URL: http://www.mozilla.org/projects/security/pki/nss/
 Group: System Environment/Libraries
@@ -91,6 +91,7 @@ Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
 # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520
 Patch59: nss-check-policy-file.patch
 Patch62: nss-skip-util-gtest.patch
+Patch63: sign-sprintf-check.patch
 
 %description
 Network Security Services (NSS) is a set of libraries designed to
@@ -174,6 +175,7 @@ low level services.
 pushd nss
 %patch59 -p1 -b .check_policy_file
 %patch62 -p1 -b .skip_util_gtest
+%patch63 -p2 -b .sign-sprintf-check
 popd
 
 #########################################################
@@ -749,6 +751,9 @@ done
 
 %changelog
+* Mon Jan 29 2018 Kai Engert - 3.35.0-4
+- Fix a compiler error with gcc 8, mozbz#1434070
+
 * Mon Jan 29 2018 Kai Engert - 3.35.0-3
 - Stop pulling in nss-pem automatically, packages that need it should
 depend on it, rhbz#1539401
diff --git a/sign-sprintf-check.patch b/sign-sprintf-check.patch
new file mode 100644
index 0000000..c213946
--- /dev/null
+++ b/sign-sprintf-check.patch
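Review bot: Patch63 is declared without the `# Upstream:` pointer that Patch59 carries two lines above, even though the changelog entry in this same commit names the upstream bug (mozbz#1434070); add `# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1434070` above the `Patch63:` line so the next rebase can check whether the fix has landed and the local patch can be dropped. In the `pushd nss` hunk the new patch is applied with `-p2` while its two neighbours use `-p1`; that is consistent with the `./nss/cmd/signtool/...` paths inside sign-sprintf-check.patch being applied from inside the nss directory, but a short comment on that line, e.g. `# -p2: patch paths start with ./nss/`, would save the next packager a look into the patch file.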
@@ -0,0 +1,56 @@
+diff -up ./nss/cmd/signtool/sign.c.org ./nss/cmd/signtool/sign.c
+--- ./nss/cmd/signtool/sign.c.org 2018-01-18 15:19:59.000000000 +0100
++++ ./nss/cmd/signtool/sign.c 2018-01-29 22:46:32.599450048 +0100
+@@ -83,7 +83,12 @@ SignArchive(char *tree, char *keyName, c
+ /* rsa/dsa to zip */
+ sprintf(tempfn, "META-INF/%s.%s", base, (keyType == dsaKey ? "dsa"
+ : "rsa"));
+- sprintf(fullfn, "%s/%s", tree, tempfn);
++ if (snprintf(fullfn, FNSIZE, "%s/%s", tree, tempfn) >= FNSIZE) {
++ PR_fprintf(errorFD, "buffer overflow, the tree \"%s\" was NOT SUCCESSFULLY SIGNED\n",
++ tree);
++ errorCount++;
++ exit(ERRX);
++ }
+ JzipAdd(fullfn, tempfn, zipfile, compression_level);
+ 
+ /* Loop through all files & subdirectories, add to archive */
+@@ -93,12 +98,22 @@ SignArchive(char *tree, char *keyName, c
+ }
+ /* mf to zip */
+ strcpy(tempfn, "META-INF/manifest.mf");
+- sprintf(fullfn, "%s/%s", tree, tempfn);
++ if (snprintf(fullfn, FNSIZE, "%s/%s", tree, tempfn) >= FNSIZE) {
++ PR_fprintf(errorFD, "buffer overflow, the tree \"%s\" was NOT SUCCESSFULLY SIGNED\n",
++ tree);
++ errorCount++;
++ exit(ERRX);
++ }
+ JzipAdd(fullfn, tempfn, zipfile, compression_level);
+ 
+ /* sf to zip */
+ sprintf(tempfn, "META-INF/%s.sf", base);
+- sprintf(fullfn, "%s/%s", tree, tempfn);
++ if (snprintf(fullfn, FNSIZE, "%s/%s", tree, tempfn) >= FNSIZE) {
++ PR_fprintf(errorFD, "buffer overflow, the tree \"%s\" was NOT SUCCESSFULLY SIGNED\n",
++ tree);
++ errorCount++;
++ exit(ERRX);
++ }
+ JzipAdd(fullfn, tempfn, zipfile, compression_level);
+ 
+ /* Add the rsa/dsa file to the zip archive normally */
+@@ -106,7 +121,12 @@ SignArchive(char *tree, char *keyName, c
+ /* rsa/dsa to zip */
+ sprintf(tempfn, "META-INF/%s.%s", base, (keyType == dsaKey ? "dsa"
+ : "rsa"));
+- sprintf(fullfn, "%s/%s", tree, tempfn);
++ if (snprintf(fullfn, FNSIZE, "%s/%s", tree, tempfn) >= FNSIZE) {
++ PR_fprintf(errorFD, "buffer overflow, the tree \"%s\" was NOT SUCCESSFULLY SIGNED\n",
++ tree);
++ errorCount++;
++ exit(ERRX);
++ }
+ JzipAdd(fullfn, tempfn, zipfile, compression_level);
+ }
+ 