diff --git a/curl-secure-getenv.patch b/curl-secure-getenv.patch
new file mode 100644
index 0000000..04e3d73
--- /dev/null
+++ b/curl-secure-getenv.patch
@@ -0,0 +1,37 @@
+--- lib/getenv.c.orig
++++ lib/getenv.c
+@@ -31,6 +31,14 @@
+ 
+ #include "memdebug.h"
+ 
++#ifndef HAVE_SECURE_GETENV
++#  ifdef HAVE__SECURE_GETENV
++#    define secure_getenv __secure_getenv
++#  else
++#    error neither secure_getenv nor __secure_getenv is available
++#  endif
++#endif
++
+ static
+ char *GetEnv(const char *variable)
+ {
+@@ -45,7 +53,7 @@ char *GetEnv(const char *variable)
+     ExpandEnvironmentStringsA(temp, env, sizeof(env));
+   return (env[0] != '\0')?strdup(env):NULL;
+ #else
+-  char *env = getenv(variable);
++  char *env = secure_getenv(variable);
+ #ifdef __VMS
+   if(env && strcmp("HOME",variable) == 0)
+     env = decc_translate_vms(env);
+--- configure.ac.orig
++++ configure.ac
+@@ -3480,6 +3480,8 @@ if test "x$want_curldebug_assumed" = "xy
+   ac_configure_args="$ac_configure_args --enable-curldebug"
+ fi
+ 
++AC_CHECK_FUNCS([__secure_getenv secure_getenv])
++
+ AC_CONFIG_FILES([Makefile \
+            docs/Makefile \
+            docs/examples/Makefile \
diff --git a/curl.changes b/curl.changes
index 70262c1..83d2b71 100644
--- a/curl.changes
+++ b/curl.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Sun Feb 17 17:04:34 UTC 2013 - crrodriguez@opensuse.org
+
+- Use secure_getenv if available. libcurl might be linked
+ to a program where "secure execution" is required.
+
 -------------------------------------------------------------------
 Thu Feb  7 10:54:15 UTC 2013 - vcizek@suse.com
 
diff --git a/curl.spec b/curl.spec
index f370425..509abc7 100644
--- a/curl.spec
+++ b/curl.spec
@@ -34,6 +34,7 @@ Source4:        %{name}.keyring
 Patch:          libcurl-ocloexec.patch
 Patch1:         dont-mess-with-rpmoptflags.diff
 Patch2:         curl-CVE-2013-0249.patch
+Patch3:         curl-secure-getenv.patch
 # Use rpmbuild -D 'VERIFY_SIG 1' to verify signature during build or run one-shot check by "gpg-offline --verify --package=curl curl-*.asc".
 %if 0%{?VERIFY_SIG}
 BuildRequires:  gpg-offline
@@ -100,7 +101,7 @@ user interaction or any kind of interactivity.
 %patch
 %patch1
 %patch2 -p1
-
+%patch3
 %build
 autoreconf -fi
 # local hack to make curl-config --libs stop printing libraries it depends on