From af91d13385d0f6239a0d7a777d6a72e11a40af2e Mon Sep 17 00:00:00 2001 From: Marius Bakke Date: Wed, 24 Jun 2020 20:24:30 +0200 Subject: gnu: cURL: Replace with 7.71.0 [fixes CVE-2020-8169, CVE-2020-8177]. * gnu/packages/curl.scm (curl-7.71.0): New variable. (curl)[replacement]: New field. --- gnu/packages/curl.scm | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) (limited to 'gnu') diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm index 48d7dd40bd..bf93639716 100644 --- a/gnu/packages/curl.scm +++ b/gnu/packages/curl.scm @@ -52,6 +52,7 @@ (package (name "curl") (version "7.69.1") + (replacement curl-7.71.0) (source (origin (method url-fetch) (uri (string-append "https://curl.haxx.se/download/curl-" @@ -168,6 +169,31 @@ tunneling, and so on.") (name "curl-minimal") (inputs (alist-delete "openldap" (package-inputs curl)))))) +;; Replacement package to fix CVE-2020-8169 and CVE-2020-8177. +(define curl-7.71.0 + (package + (inherit curl) + (version "7.71.0") + (source (origin + (inherit (package-source curl)) + (uri (string-append "https://curl.haxx.se/download/curl-" + version ".tar.xz")) + (sha256 + (base32 + "0wlppmx9iry8slh4pqcxj7lwc6fqwnlhh9ri2pcym2rx76a8gwfd")))) + (arguments + (substitute-keyword-arguments (package-arguments curl) + ((#:phases phases) + `(modify-phases ,phases + (replace 'check + (lambda _ + ;; Test 1510 is now disabled upstream, and the test runner + ;; complains that it can not disable a non-existing test. + ;; Thus, override the phase to not delete the test. + (substitute* "tests/runtests.pl" + (("/bin/sh") (which "sh"))) + (invoke "make" "-C" "tests" "test"))))))))) + (define-public kurly (package (name "kurly") -- cgit v1.2.3
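Review bot: The new `(replacement curl-7.71.0)` field makes this a graft, so dependents of curl 7.69.1 are rewritten to point at 7.71.0 rather than rebuilt, and neither the field nor the comment in the second hunk records that the two releases were confirmed ABI-compatible. A short comment next to the field would capture that, e.g. `;; Graft for the CVE fixes; must stay ABI-compatible with 7.69.1.` The context of the second hunk also shows `curl-minimal` deriving from `curl`, with its header outside the diff. It is worth confirming that it uses `package/inherit`, which applies the same overrides to the replacement, and not a plain `inherit`, which would graft the full curl-7.71.0 (with openldap) in its place.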
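Review bot: The replaced `'check` phase in `curl-7.71.0` is written as `(lambda _ ...)`, so it runs `make -C tests test` even when the package is built with `#:tests? #f`. It should accept the keyword, `(lambda* (#:key tests? #:allow-other-keys)`, and guard the `substitute*` and `invoke` forms on `tests?`. The `/bin/sh` substitution looks like a copy from the phase being replaced, which the diff does not show, so later changes to curl's original phase would not reach this one. The existing comment could say that the body is otherwise a copy of curl's `'check` phase without the test-1510 handling.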