[release-branch.go1.10] all: merge release-branch.go1.10-security into release-branch.go1.10

Change-Id: Iddb571880e8b688b8de9cd013f497f6eed0c7692
2019-01-23 16:25:08 -05:00 · 2019-01-23 16:25:08 -05:00 · bd0449f8d1
parent c731a7daf4 b0cb374daf
commit bd0449f8d1
3 changed files with 10 additions and 2 deletions
--- a/2
+++ b/2
@ -1 +1 @@
-go1.10.7
+go1.10.8
--- a/doc/devel/release.html
+++ b/doc/devel/release.html
@ -87,6 +87,13 @@ See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.10.7+labe
 Go 1.10.7 milestone</a> on our issue tracker for details.
 </p>

+<p>
+go1.10.8 (released 2019/01/23) includes a security fix to the
+<code>crypto/elliptic</code> package.
+See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.10.8+label%3ACherryPickApproved">Go
+1.10.8 milestone</a> on our issue tracker for details.
+</p>
+
 <h2 id="go1.9">go1.9 (released 2017/08/24)</h2>

 <p>
--- a/src/crypto/elliptic/elliptic.go
+++ b/src/crypto/elliptic/elliptic.go
@ -210,8 +210,9 @@ func (curve *CurveParams) doubleJacobian(x, y, z *big.Int) (*big.Int, *big.Int,

 	x3 := new(big.Int).Mul(alpha, alpha)
 	beta8 := new(big.Int).Lsh(beta, 3)
+	beta8.Mod(beta8, curve.P)
 	x3.Sub(x3, beta8)
-	for x3.Sign() == -1 {
+	if x3.Sign() == -1 {
 		x3.Add(x3, curve.P)
 	}
 	x3.Mod(x3, curve.P)