crossfire-maps ships a file that our ebuild installs as /usr/share/games/crossfire/maps/Info/combine.pl. The file creates files insecurely. It is my understanding that it is not needed by the server (Debian does not install the file anymore), but we can also get proper tempfile handling into the script with help from upstream. This does not affect 1.9.0 (our stable).
Games: please comment.
So, a random, poorly coded Perl script that is installed in a directory not in any path, and never called by any installed binary, is grounds for a security bug? Seems pretty unnecessary. I changed the package to not install that script anymore, but this doesn't qualify as a security bug to me.
30 Jan 2010; Michael Sterrett <mr_bones_@gentoo.org> crossfire-server-1.11.0.ebuild: Skip install of combine.pl (bug #236205)
Closing as noglsa - vulnerable versions were ~arch only.