Bug 22483 describes a security issue with tempfile creation in znew and gzexe. That problem was theoretically fixed and a GLSA sent out.
However the patch doesn't check the exit status of the tempfile command. If tempfile should fail, then it's possible for a rogue command to be executed a few lines later in the script.
I've fixed the patch and bumped the stable rev to 1.3.3-r3 to carry out the change. At this point we just need a GLSA. Somebody from security mind handling that?
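The missing check described in the comment above, sketched as an added example (this is not the gzip patch or the Gentoo fix). The function names are hypothetical, the temp-file creator is passed as an argument so a failure can be simulated with `false`, and `mktemp` stands in for `tempfile`.

```shell
#!/bin/sh
# Added illustration: unchecked vs. checked temp-file creation in a shell script.
# $1 is the command that creates the temp file (assumption: mktemp on a real
# system; "false" simulates a creator that fails).

# Flawed pattern: the creator's exit status is never inspected, so the
# script carries on with an empty $tmp when creation fails.
unpack_unchecked() {
    tmp=$("$1" 2>/dev/null)
    printf 'continuing with tmp="%s"\n' "$tmp"
    [ -n "$tmp" ] && rm -f "$tmp"
    return 0
}

# Hardened pattern: stop on a non-zero exit status, and also refuse an
# empty result or a path that is not a regular file.
unpack_checked() {
    tmp=$("$1" 2>/dev/null) || {
        echo "temp file creation failed, aborting" >&2
        return 1
    }
    if [ -z "$tmp" ] || [ ! -f "$tmp" ]; then
        echo "temp file creation returned no usable path, aborting" >&2
        return 1
    fi
    # Only now is it safe to write to and use "$tmp".
    printf 'payload\n' > "$tmp" && rm -f "$tmp"
}

# Exercise both variants against a creator that always fails.
for f in unpack_unchecked unpack_checked; do
    if "$f" false; then
        echo "$f: continued after failed creation"
    else
        echo "$f: aborted"
    fi
done
```
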
GLSA updated with unaffected version -r4 and better description. Security please review.
Note: Changelog is not updated with new -r4
> Note: Changelog is not updated with new -r4
That was a ChangeLog error: it said -r3 instead of -r4. I just fixed it now.