[curl] curl removes wrong file on error [CVE-2022-27778] ($2400 USD)

We discussed this vulnerability during Episode 145 on 16 May 2022

A nice little logic error abusing an edge case between two different command flags. Curl may remove the wrong file when --no-clobber and --remove-on-error flags are used together. What happens is that --no-clobber will tell curl not to overwrite an existing file, so if a file already exists it simply appends a number to the original file name. Later, if an error happens --remove-on-error is not aware of the new filename and will attempt to remove the original filename that curl was trying to not to clobber.

An actual attack abusing this is hard to imagine, requiring a rather constrained situation to be exploited but it is a great example of bugs that exist in the intersection between different features creating problematic edge cases.