curl: CVE-2021-22922: Wrong content via metalink not discarded

Summary:

When compiled --with-libmetalink and used with --metalink curl does check the cryptographics hash of the downloaded files. However, the only indication that the hash was incorrect is a message displayed to the user. The files with incorrect hashes are left to the disk as-is.

Since curl implements the hash validation and reports incorrect hashes there might be an expectation that files with incorrect hashes would not be kept either. Since the metalink can be used with insecure protocols such as http and ftp, the hash validation might be used an actual way to verify the download integrity against tampering.

Steps To Reproduce:

1.Configure libcurl --with-libmetalink and build libcurl
2. Have metalinktest.xml with <file name="testfile"> containing incorrect sha-256 hash for it.
3. Execute: curl --metalink https://testsite/metalinktest.xml

The following message will be displayed:
Metalink: validating (testfile) [sha-256] FAILED (digest mismatch)

Yet, the downloaded file testfile with incorrect hash mismatch is kept.

Fix

It might be more sensible to download the file to a temporary name first, verify the hash and only then store the file to final name if the hash is correct. If hash mismatch is found remove the temporary file.

Impact

Modified or tampered files are kept and possibly incorrectly assumed valid