From f93502a48b368c74ba4ed1ff573f07f59b8c91f1 Mon Sep 17 00:00:00 2001
From: Marius Bakke <address@hidden>
Date: Wed, 9 Aug 2017 21:04:04 +0200
Subject: [PATCH] gnu: curl: Replace with 7.55.0 [security fixes].

Fixes CVE-2017-1000099, CVE-2017-1000100, and CVE-2017-100101.
See <https://curl.haxx.se/docs/security.html> for details.

* gnu/packages/curl.scm (curl)[replacement]: New field.
(curl-7.55.0): New variable.
---
 gnu/packages/curl.scm | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index af15aa38c..0c551e108 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -4,6 +4,7 @@
 ;;; Copyright © 2015 Tomáš Čech <address@hidden>
 ;;; Copyright © 2015 Ludovic Courtès <address@hidden>
 ;;; Copyright © 2016, 2017 Leo Famulari <address@hidden>
+;;; Copyright © 2017 Marius Bakke <address@hidden>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -24,6 +25,7 @@
   #:use-module ((guix licenses) #:prefix license:)
   #:use-module (guix packages)
   #:use-module (guix download)
+  #:use-module (guix utils)
   #:use-module (guix build-system gnu)
   #:use-module (gnu packages)
   #:use-module (gnu packages compression)
@@ -40,6 +42,7 @@
 (define-public curl
   (package
    (name "curl")
+   (replacement curl-7.55.0)
    (version "7.54.1")
    (source (origin
             (method url-fetch)
@@ -119,3 +122,27 @@ tunneling, and so on.")
    (license (license:non-copyleft "file://COPYING"
                                   "See COPYING in the distribution."))
    (home-page "https://curl.haxx.se/")))
+
+(define-public curl-7.55.0
+  (package
+    (inherit curl)
+    (version "7.55.0")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "https://curl.haxx.se/download/curl-"
+                                  version ".tar.xz"))
+              (sha256
+               (base32
+                "1785vxi0jamiv9d1wr1l45g0fm9ircxdfyfzf7ld8zv0z0i8bmfd"))))
+    (arguments
+     `(,@(substitute-keyword-arguments (package-arguments curl)
+           ((#:phases phases)
+            `(modify-phases ,phases
+               (add-before 'install 'fix-Makefile
+                 ;; Fix a regression in 7.55 where docs are not installed.
+                 ;; https://github.com/curl/curl/commit/a7bbbb7c368c6096802007f61f19a02e9d75285b
+                 (lambda _
+                   (substitute* "Makefile"
+                     (("install-data-hook:\n")
+                      "install-data-hook:\n\tcd docs/libcurl && $(MAKE) install\n"))
+                   #t)))))))))
-- 
2.14.0