
CVE-2022-27778: curl removes wrong file on error

Medium
C
curl
Reported by nyymi

Vulnerability Details

Technical details and impact analysis

Business Logic Errors
## Summary:

Curl command has a logic flaw that results in removal of a wrong file when combining `--no-clobber` and `--remove-on-error` if the target file name exists and an error occurs.

## Steps To Reproduce:

1. `echo "important file" > foo`
2. `echo -ne "HTTP/1.1 200 OK\r\nContent-Length: 666\r\n\r\nHello\n" | nc -l -p 9999`
3. `curl -m 3 --no-clobber --remove-on-error --output foo http://testserver.tld:9999/`
4. `ls -l foo*`
5. `cat foo.1`

`-m 3` is used here to simulate a denial of service of the connection performed by the attacker.

The bug appears to happen because the remove-on-error `unlink` is called without considering the no-clobber generated file name:

- no-clobber name generation: https://github.com/curl/curl/blob/3fd1d8df3a2497078d580f43c17311e6f58186a1/src/tool_cb_wrt.c#L88
- remove-on-error unlink: https://github.com/curl/curl/blob/f7f26077bc563375becdb2adbcd49eb9f28590f9/src/tool_operate.c#L598

## Impact

Removal of a file that was supposed not to be overwritten (data loss). Incomplete file left on disk when it should have been removed. This can lead to potential loss of integrity or availability.

For this attack to work the attacker of course would need to know a scenario where the victim is performing a curl operation with the `--no-clobber` `--remove-on-error` options.
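The logic flaw in the report, modelled as a small added example (this is not curl's code and not part of the submitted report). The helper names `pick_noclobber_name`, `write_partial_body`, `fetch_to_file` and `run_scenario` are hypothetical; the no-clobber naming rule (append `.1`, `.2`, ... until a free name is found) and the short-body failure are assumptions that mirror the reproduction steps above. `run_scenario(1)` performs the buggy unlink of the name the user asked for; `run_scenario(0)` unlinks the name that was actually written. Each run works in a fresh `mkdtemp` directory containing a pre-existing `foo` with the constructed content `important file`:

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define ORIG_CONTENT "important file\n"   /* constructed sample file content */

static int file_exists(const char *p) { return access(p, F_OK) == 0; }

/* Hypothetical no-clobber naming: keep the requested name if free,
 * otherwise try name.1, name.2, ... (assumed rule, not curl's code). */
static int pick_noclobber_name(const char *wanted, char *out, size_t outlen)
{
    if (!file_exists(wanted)) {
        snprintf(out, outlen, "%s", wanted);
        return 0;
    }
    for (unsigned n = 1; n < 100; n++) {
        snprintf(out, outlen, "%s.%u", wanted, n);
        if (!file_exists(out))
            return 0;
    }
    return -1;
}

/* Simulated transfer: the "server" wrote 6 bytes of a 666-byte body and
 * then the connection timed out, so the caller must treat this as an error. */
static int write_partial_body(const char *path)
{
    FILE *f = fopen(path, "wb");
    if (!f)
        return -1;
    fputs("Hello\n", f);
    fclose(f);
    return -1;
}

/* --no-clobber + --remove-on-error. With buggy != 0 the error path unlinks
 * the requested name (the reported flaw); otherwise it unlinks the file
 * that was really written. */
static int fetch_to_file(const char *requested, int buggy, char *actual, size_t alen)
{
    if (pick_noclobber_name(requested, actual, alen) != 0)
        return -1;
    if (write_partial_body(actual) != 0) {
        unlink(buggy ? requested : actual);
        return -1;
    }
    return 0;
}

static int has_content(const char *path, const char *expect)
{
    char buf[64] = {0};
    FILE *f = fopen(path, "rb");
    if (!f)
        return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    return n == strlen(expect) && memcmp(buf, expect, n) == 0;
}

/* Returns a bitmask: bit 0 = pre-existing "foo" still has its content,
 * bit 1 = the partial no-clobber file is still on disk. -1 on setup failure. */
int run_scenario(int buggy)
{
    char dir[] = "/tmp/noclobber-XXXXXX";
    char orig[256], actual[256];
    int result = 0;

    if (!mkdtemp(dir))
        return -1;
    snprintf(orig, sizeof orig, "%s/foo", dir);
    FILE *f = fopen(orig, "wb");
    if (!f)
        return -1;
    fputs(ORIG_CONTENT, f);
    fclose(f);

    fetch_to_file(orig, buggy, actual, sizeof actual);

    if (has_content(orig, ORIG_CONTENT))
        result |= 1;
    if (file_exists(actual))
        result |= 2;

    unlink(actual);
    unlink(orig);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("buggy unlink: %d (2 = foo gone, foo.1 left behind)\n", run_scenario(1));
    printf("fixed unlink: %d (1 = foo intact, foo.1 removed)\n", run_scenario(0));
    return 0;
}
```

The check a practitioner wants is the one `run_scenario` encodes: after an error, the file that must survive still has its original content, and the partial file named by the no-clobber logic is the one that was removed. The buggy variant fails both halves at once, which is exactly the integrity and availability impact the report describes.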

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Weakness

Business Logic Errors