Version in base suite: 7.88.1-10

Base version: curl_7.88.1-10
Target version: curl_7.88.1-10+deb12u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/c/curl/curl_7.88.1-10.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/c/curl/curl_7.88.1-10+deb12u1.dsc

 changelog                    |    8 ++++++++
 patches/CVE-2023-32001.patch |   34 ++++++++++++++++++++++++++++++++++
 patches/series               |    3 +++
 3 files changed, 45 insertions(+)

diff -Nru curl-7.88.1/debian/changelog curl-7.88.1/debian/changelog
--- curl-7.88.1/debian/changelog	2023-05-18 22:43:40.000000000 +0000
+++ curl-7.88.1/debian/changelog	2023-07-23 21:43:52.000000000 +0000
@@ -1,3 +1,11 @@
+curl (7.88.1-10+deb12u1) bookworm-security; urgency=medium
+
+  * Team upload.
+  * Fix CVE-2023-32001: TOCTOU race condition in Curl_fopen():
+    - Done by d/p/CVE-2023-32001.patch (Closes: #1041812).
+
+ -- Carlos Henrique Lima Melara <charlesmelara@riseup.net>  Sun, 23 Jul 2023 18:43:52 -0300
+
 curl (7.88.1-10) unstable; urgency=medium
 
   * Add new patches to fix CVEs (closes: #1036239):
diff -Nru curl-7.88.1/debian/patches/CVE-2023-32001.patch curl-7.88.1/debian/patches/CVE-2023-32001.patch
--- curl-7.88.1/debian/patches/CVE-2023-32001.patch	1970-01-01 00:00:00.000000000 +0000
+++ curl-7.88.1/debian/patches/CVE-2023-32001.patch	2023-07-23 21:43:52.000000000 +0000
@@ -0,0 +1,34 @@
+From 0c667188e0c6cda615a036b8a2b4125f2c404dde Mon Sep 17 00:00:00 2001
+From: SaltyMilk <soufiane.elmelcaoui@gmail.com>
+Date: Mon, 10 Jul 2023 21:43:28 +0200
+Subject: [PATCH] fopen: optimize
+
+Closes #11419
+---
+ lib/fopen.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/lib/fopen.c b/lib/fopen.c
+index c9c9e3d6e73a2..b6e3cadddef65 100644
+--- a/lib/fopen.c
++++ b/lib/fopen.c
+@@ -56,13 +56,13 @@ CURLcode Curl_fopen(struct Curl_easy *data, const char *filename,
+   int fd = -1;
+   *tempname = NULL;
+ 
+-  if(stat(filename, &sb) == -1 || !S_ISREG(sb.st_mode)) {
+-    /* a non-regular file, fallback to direct fopen() */
+-    *fh = fopen(filename, FOPEN_WRITETEXT);
+-    if(*fh)
+-      return CURLE_OK;
++  *fh = fopen(filename, FOPEN_WRITETEXT);
++  if(!*fh)
+     goto fail;
+-  }
++  if(fstat(fileno(*fh), &sb) == -1 || !S_ISREG(sb.st_mode))
++    return CURLE_OK;
++  fclose(*fh);
++  *fh = NULL;
+ 
+   result = Curl_rand_hex(data, randsuffix, sizeof(randsuffix));
+   if(result)
diff -Nru curl-7.88.1/debian/patches/series curl-7.88.1/debian/patches/series
--- curl-7.88.1/debian/patches/series	2023-05-18 22:43:40.000000000 +0000
+++ curl-7.88.1/debian/patches/series	2023-07-23 21:43:52.000000000 +0000
@@ -24,6 +24,9 @@
 CVE-2023-28321.patch
 CVE-2023-28322.patch
 
+# Patches from 8.2.0.
+CVE-2023-32001.patch
+
 # Do not add patches below.
 # Used to generate packages for the other crypto libraries.
 90_gnutls.patch