From f4dc8ac6dfa036d98aa0990ae22268a9650899d0 Mon Sep 17 00:00:00 2001
From: Léo Le Bouter <lle-bout@zaclys.net>
Date: Fri, 2 Apr 2021 21:33:02 +0200
Subject: gnu: curl: Update to 7.76.0 [security fixes].

Fixes CVE-2021-22876 and CVE-2021-22890.

* gnu/packages/curl.scm (curl/fixed): New variable.
(curl)[replacement]: New field.
* gnu/packages/patches/curl-7.76-use-ssl-cert-env.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
---
 gnu/packages/curl.scm | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

(limited to 'gnu/packages/curl.scm')

diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index 730676875c..94dc51cfc5 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -62,6 +62,7 @@
               (base32
                "12w7gskrglg6qrmp822j37fmbr0icrcxv7rib1fy5xiw80n5z7cr"))
              (patches (search-patches "curl-use-ssl-cert-env.patch"))))
+   (replacement curl/fixed)
    (build-system gnu-build-system)
    (outputs '("out"
               "doc"))                             ;1.2 MiB of man3 pages
@@ -151,6 +152,20 @@ tunneling, and so on.")
     (name "curl-minimal")
     (inputs (alist-delete "openldap" (package-inputs curl))))))
 
+(define-public curl/fixed
+  (package
+    (inherit curl)
+    (version "7.76.0")
+    (source
+     (origin
+       (inherit (package-source curl))
+       (uri (string-append "https://curl.haxx.se/download/curl-"
+                           version ".tar.xz"))
+       (patches (search-patches "curl-7.76-use-ssl-cert-env.patch"))
+       (sha256
+        (base32
+         "1j2g04m6als6hmqzvddv84c31m0x90bfgyz3bjrwdkarbkby40k3"))))))
+
 (define-public kurly
   (package
     (name "kurly")
-- 
cgit v1.2.3