Description of problem: vcdiff script writes to a predictable tmp file. This could be used for attack by malicious user.
Created attachment 137341 [details] Patch fixing tmp file usage
PATH=$PATH:/usr/ccs/bin:/usr/sccs:/usr/xpg4/bin # common SCCS hangouts I don't like this either, it's unnecessary, but most likely has no security consequences. CVE Name was requested. Unless anyone objects, this will get public on Friday. Chip, please communicate this upstream, and tell them not to commit fix until friday.
CVE-2008-1694
This issue was fixed prior to the GA releases of RHEL6 and 7. Statement: Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Low security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.