From 8ae8c86871630f7133efb9074efd16764ea0e413 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jakub=20=C4=8Cajka?= <jcajka@redhat.com>
Date: Tue, 29 Jan 2019 12:52:29 +0100
Subject: [PATCH] Fix for CVE-2019-6486

---
 CVE-2019-6486.patch | 39 +++++++++++++++++++++++++++++++++++++++
 golang.spec         |  8 +++++++-
 2 files changed, 46 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2019-6486.patch

diff --git a/CVE-2019-6486.patch b/CVE-2019-6486.patch
new file mode 100644
index 0000000..5091d32
--- /dev/null
+++ b/CVE-2019-6486.patch
@@ -0,0 +1,39 @@
+From 193c16a3648b8670a762e925b6ac6e074f468a20 Mon Sep 17 00:00:00 2001
+From: Filippo Valsorda <filippo@golang.org>
+Date: Tue, 22 Jan 2019 16:02:41 -0500
+Subject: [PATCH] crypto/elliptic: reduce subtraction term to prevent long busy loop
+
+If beta8 is unusually large, the addition loop might take a very long
+time to bring x3-beta8 back positive.
+
+This would lead to a DoS vulnerability in the implementation of the
+P-521 and P-384 elliptic curves that may let an attacker craft inputs
+to ScalarMult that consume excessive amounts of CPU.
+
+This fixes CVE-2019-6486.
+
+Fixes #29903
+
+Change-Id: Ia969e8b5bf5ac4071a00722de9d5e4d856d8071a
+Reviewed-on: https://team-review.git.corp.google.com/c/399777
+Reviewed-by: Adam Langley <agl@google.com>
+Reviewed-by: Julie Qiu <julieqiu@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/159218
+Reviewed-by: Julie Qiu <julie@golang.org>
+---
+
+diff --git a/src/crypto/elliptic/elliptic.go b/src/crypto/elliptic/elliptic.go
+index 4fc2b5e..c84657c 100644
+--- a/src/crypto/elliptic/elliptic.go
++++ b/src/crypto/elliptic/elliptic.go
+@@ -210,8 +210,9 @@
+ 
+ 	x3 := new(big.Int).Mul(alpha, alpha)
+ 	beta8 := new(big.Int).Lsh(beta, 3)
++	beta8.Mod(beta8, curve.P)
+ 	x3.Sub(x3, beta8)
+-	for x3.Sign() == -1 {
++	if x3.Sign() == -1 {
+ 		x3.Add(x3, curve.P)
+ 	}
+ 	x3.Mod(x3, curve.P)
diff --git a/golang.spec b/golang.spec
index 6c8b1aa..3ba1d70 100644
--- a/golang.spec
+++ b/golang.spec
@@ -106,7 +106,7 @@
 
 Name:           golang
 Version:        1.12
-Release:        0.beta2.1%{?dist}
+Release:        0.beta2.2%{?dist}
 Summary:        The Go Programming Language
 # source tree includes several copies of Mark.Twain-Tom.Sawyer.txt under Public Domain
 License:        BSD and Public Domain
@@ -183,6 +183,7 @@ Requires:       go-srpm-macros
 
 Patch1:       0001-Don-t-use-the-bundled-tzdata-at-runtime-except-for-t.patch
 Patch2:       0002-syscall-expose-IfInfomsg.X__ifi_pad-on-s390x.patch
+Patch3:       CVE-2019-6486.patch
 
 # Having documentation separate was broken
 Obsoletes:      %{name}-docs < 1.1-4
@@ -308,6 +309,7 @@ Requires:       %{name} = %{version}-%{release}
 
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
 
 cp %{SOURCE1} ./src/runtime/
 
@@ -546,6 +548,10 @@ fi
 %endif
 
 %changelog
+* Sun Jan 27 2019 Jakub Čajka <jcajka@redhat.com> - 1.12-0.beta2.2
+- Fix for CVE-2019-6486
+- Resolves: BZ#1668973
+
 * Fri Jan 11 2019 Jakub Čajka <jcajka@redhat.com> - 1.12-0.beta2.1
 - Rebase to go1.12beta2