diff --git a/SOURCES/0075-curl-7.29.0-CVE-2020-8177.patch b/SOURCES/0075-curl-7.29.0-CVE-2020-8177.patch
new file mode 100644
index 0000000..a03f89c
--- /dev/null
+++ b/SOURCES/0075-curl-7.29.0-CVE-2020-8177.patch
@@ -0,0 +1,51 @@
+From a6fcd8a32f3b1c5d80e524f8b2c1de32e6ecdb2b Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sun, 31 May 2020 23:09:59 +0200
+Subject: [PATCH] tool_getparam: -i is not OK if -J is used
+
+Reported-by: sn on hackerone
+Bug: https://curl.haxx.se/docs/CVE-2020-8177.html
+
+Upstream-commit: 8236aba58542c5f89f1d41ca09d84579efb05e22
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ src/tool_cb_hdr.c   | 6 ++++++
+ src/tool_getparam.c | 5 +++++
+ 2 files changed, 11 insertions(+)
+
+diff --git a/src/tool_cb_hdr.c b/src/tool_cb_hdr.c
+index 3b10238..b80707f 100644
+--- a/src/tool_cb_hdr.c
++++ b/src/tool_cb_hdr.c
+@@ -112,6 +112,12 @@ size_t tool_header_cb(void *ptr, size_t size, size_t nmemb, void *userdata)
+       len = (ssize_t)cb - (p - str);
+       filename = parse_filename(p, len);
+       if(filename) {
++        if(outs->stream) {
++          /* indication of problem, get out! */
++          free(filename);
++          return failure;
++        }
++
+         outs->filename = filename;
+         outs->alloc_filename = TRUE;
+         outs->is_cd_filename = TRUE;
+diff --git a/src/tool_getparam.c b/src/tool_getparam.c
+index 764caa2..c5c7429 100644
+--- a/src/tool_getparam.c
++++ b/src/tool_getparam.c
+@@ -1404,6 +1404,11 @@ ParameterError getparameter(char *flag,    /* f or -long-flag */
+         return err;
+       break;
+     case 'i':
++      if(config->content_disposition) {
++        warnf(config,
++              "--include and --remote-header-name cannot be combined.\n");
++        return PARAM_BAD_USE;
++      }
+       config->include_headers = toggle; /* include the headers as well in the
+                                            general output stream */
+       break;
+-- 
+2.21.3
+
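Review bot: The guard added under `case 'i':` in src/tool_getparam.c only fires when `config->content_disposition` is already set, so it rejects `-J` followed by `-i` but not the reverse order. The matching test under `case 'J':` is outside this hunk and should be confirmed present in the 7.29.0 base this backport applies to. The new `if(outs->stream)` check in tool_header_cb does not depend on option order and appears to be the backstop, but its comment `/* indication of problem, get out! */` does not say what the problem is. I would replace it with `/* output stream is already open: do not switch to a server-supplied file name now */` so the invariant survives later refactoring. Both tool_header_cb and getparameter continue outside the hunks shown, so the definition of `failure` and the rest of the option switch could not be checked here.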
diff --git a/SPECS/curl.spec b/SPECS/curl.spec
index fe56d67..8c8a795 100644
--- a/SPECS/curl.spec
+++ b/SPECS/curl.spec
@@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.29.0
-Release: 59%{?dist}
+Release: 59%{?dist}.1
 License: MIT
 Group: Applications/Internet
 Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma
@@ -229,6 +229,9 @@ Patch73:  0073-curl-7.29.0-post-cdev.patch
 # http: free protocol-specific struct in setup_connection callback (#1836773)
 Patch74:  0074-curl-7.29.0-http-setup_connection.patch
 
+# avoid overwriting a local file with -J (CVE-2020-8177)
+Patch75:  0075-curl-7.29.0-CVE-2020-8177.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.29.0-multilib.patch
 
@@ -433,6 +436,7 @@ documentation of the library, too.
 %patch72 -p1
 %patch73 -p1
 %patch74 -p1
+%patch75 -p1
 
 # regenerate Makefile.in files
 aclocal -I m4
@@ -548,6 +552,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_datadir}/aclocal/libcurl.m4
 
 %changelog
+* Tue Jul 28 2020 Kamil Dudka <kdudka@redhat.com> - 7.29.0-59.el7_9.1
+- avoid overwriting a local file with -J (CVE-2020-8177)
+
 * Tue Jun 02 2020 Kamil Dudka <kdudka@redhat.com> - 7.29.0-59
 - http: free protocol-specific struct in setup_connection callback (#1836773)