gnu: curl: Update to 8.5.0 [security fixes].

Fixes CVE-2023-46218 and CVE-2023-46219.  See
<https://curl.se/docs/CVE-2023-46218.html> and
<https://curl.se/docs/CVE-2023-46219.html> respectively.

* gnu/packages/curl.scm (curl): Update to 8.5.0.
* gnu/packages/patches/curl-use-ssl-cert-env.patch: Update patch.

Change-Id: Iaa6aa5de0f45576dc06bf5eca1eec502e5c83332

gnu/packages/curl.scm

@@ -65,14 +65,14 @@
 (define-public curl
   (package
     (name "curl")
-    (version "8.4.0")
+    (version "8.5.0")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://curl.se/download/curl-"
                                   version ".tar.xz"))
               (sha256
                (base32
-                "0bd8y8v66biyqvg70ka1sdd0aixs6yzpnvfsig907xzh9af2mihn"))
+                "1sqfflilf7mcz1g03lazyr6v6pf1rsrzprrknsir10hdwawqvas2"))
               (patches (search-patches "curl-use-ssl-cert-env.patch"))))
     (build-system gnu-build-system)
     (outputs '("out"
@@ -127,6 +127,9 @@
                                    (if parallel-tests?
                                        (number->string (parallel-job-count))
                                        "1")))
+                       ;; Ignore test 1477 due to a missing file in the 8.5.0
+                       ;; release.  See
+                       ;; <https://github.com/curl/curl/issues/12462>.
                        (arguments `("-C" "tests" "test"
                                     ,@make-flags
                                     ,(if #$(or (system-hurd?)
@@ -134,8 +137,10 @@
                                                (target-aarch64?))
                                          ;; protocol FAIL
                                          (string-append "TFLAGS=\"~1474 "
+                                                        "~1477 "
                                                         job-count "\"")
-                                         (string-append "TFLAGS=" job-count)))))
+                                         (string-append "TFLAGS=\"~1477 "
+                                                        job-count "\"")))))
                   ;; The top-level "make check" does "make -C tests quiet-test", which
                   ;; is too quiet.  Use the "test" target instead, which is more
                   ;; verbose.

gnu/packages/patches/curl-use-ssl-cert-env.patch

@@ -5,37 +5,37 @@ must be called when no other threads exist).
 This fixes network functionality in rust:cargo, and probably removes the need
 for other future workarounds.
 ===================================================================
---- curl-7.66.0.orig/lib/easy.c	2020-01-02 15:43:11.883921171 +0100
-+++ curl-7.66.0/lib/easy.c	2020-01-02 16:18:54.691882797 +0100
-@@ -134,6 +134,9 @@
- #  pragma warning(default:4232) /* MSVC extension, dllimport identity */
+--- curl-8.5.0.orig/lib/easy.c	2023-12-17 00:36:32.400468561 -0500
++++ curl-8.5.0/lib/easy.c	2023-12-17 00:39:08.898612331 -0500
+@@ -137,6 +137,9 @@
+ static char *leakpointer;
  #endif
- 
+
 +char * Curl_ssl_cert_dir = NULL;
 +char * Curl_ssl_cert_file = NULL;
 +
  /**
   * curl_global_init() globally initializes curl given a bitwise set of the
   * different features of what to initialize.
-@@ -155,6 +158,9 @@
- #endif
+@@ -163,6 +166,9 @@
+     goto fail;
    }
- 
+
 +  Curl_ssl_cert_dir = curl_getenv("SSL_CERT_DIR");
 +  Curl_ssl_cert_file = curl_getenv("SSL_CERT_FILE");
 +
    if(!Curl_ssl_init()) {
      DEBUGF(fprintf(stderr, "Error: Curl_ssl_init failed\n"));
-     return CURLE_FAILED_INIT;
-@@ -260,6 +266,9 @@
+     goto fail;
+@@ -287,6 +293,9 @@
    Curl_ssl_cleanup();
    Curl_resolver_global_cleanup();
- 
+
 +  free(Curl_ssl_cert_dir);
 +  free(Curl_ssl_cert_file);
 +
- #ifdef WIN32
-   Curl_win32_cleanup(init_flags);
+ #ifdef _WIN32
+   Curl_win32_cleanup(easy_init_flags);
  #endif
 diff -ur curl-7.66.0.orig/lib/url.c curl-7.66.0/lib/url.c
 --- curl-7.66.0.orig/lib/url.c	2020-01-02 15:43:11.883921171 +0100