gnu: python-pycrypto: Fix CVE-2013-7459.

* gnu/packages/patches/python-pycrypto-CVE-2013-7459.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/python.scm (python-pycrypto, python2-pycrypto)[source]: Use the
patch. Use pypi-uri.

1 files changed, 5 insertions, 7 deletions

diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm
index 5faebae3d9..d8ca83d810 100644
--- a/gnu/packages/python.scm
+++ b/gnu/packages/python.scm
@@ -958,13 +958,11 @@ Python 3 support.")
 (define-public python2-setuptools
   (package-with-python2 python-setuptools))
 
-;;; Pycrypto is abandoned upstream [0] and contains at least one bug that can be
-;;; exploited to achieve arbitrary code execution [1].
+;;; Pycrypto is abandoned upstream:
 ;;;
-;;; TODO Remove this package from GNU Guix.
+;;; https://github.com/dlitz/pycrypto/issues/173
 ;;;
-;;; [0] https://github.com/dlitz/pycrypto/issues/173
-;;; [1] https://github.com/dlitz/pycrypto/issues/176
+;;; TODO Remove this package from GNU Guix.
 (define-public python-pycrypto
   (package
     (name "python-pycrypto")
@@ -972,8 +970,8 @@ Python 3 support.")
     (source
      (origin
       (method url-fetch)
-      (uri (string-append "https://pypi.python.org/packages/source/p/"
-                          "pycrypto/pycrypto-" version ".tar.gz"))
+      (uri (pypi-uri "pycrypto" version))
+      (patches (search-patches "python-pycrypto-CVE-2013-7459.patch"))
       (sha256
        (base32
         "0g0ayql5b9mkjam8hym6zyg6bv77lbh66rv1fyvgqb17kfc1xkpj"))))