/etc/profile.d/lang.csh contains the lines

    sed ... > /tmp/csh.$$
    source /tmp/csh.$$

which is a classic security gotcha race condition. A symlink flipping attack or similar (with pid prediction) allows any local user to substitute code that will be run by the attacked user.

/tmp should *never* be used directly for creating temporary files like that. Either per-user temp directories should be used or else you can jump through hoops and create a temp directory within /tmp, do some stringent checks and then put your temp file in that one. I think the OpenBSD crowd probably have a script for that.

In this case, you don't need a temp file in any case and eval would be better.

I'll give this a couple of weeks to be fixed before notifying bugtraq.

fixed in the 4.63-1 errata release.
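
The two remedies named in the report (eval with no temp file, or a private directory inside /tmp), sketched in POSIX sh rather than csh as an added example; this is not code from the report or from the errata fix. The filter, the function names and the sample settings are constructed, since the real sed expression is elided above.

```shell
#!/bin/sh
# Constructed stand-in for the elided "sed ..." filter: turn KEY=value
# lines into "export KEY=value" statements and drop everything else.
filter_settings() {
    sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=\(.*\)$/export \1=\2/p' "$1"
}

# Remedy 1: no temp file. The filter output is evaluated directly, so no
# path in /tmp exists for another local user to pre-create or swap.
# As with "source", the input file itself must be trusted (root-owned).
load_settings_eval() {
    eval "$(filter_settings "$1")"
}

# Remedy 2: when a file is really needed, keep it in a private directory.
# mktemp -d picks a random name and creates the directory atomically with
# mode 0700; it fails rather than reuse an existing name or follow a link.
load_settings_private() {
    _old_umask=$(umask)
    umask 077    # the file written below is created 0600
    _dir=$(mktemp -d "${TMPDIR:-/tmp}/settings.XXXXXXXXXX") || {
        umask "$_old_umask"; return 1
    }
    # Defensive check: a real directory, not a symlink.
    if [ ! -d "$_dir" ] || [ -L "$_dir" ]; then
        umask "$_old_umask"; return 1
    fi
    filter_settings "$1" > "$_dir/settings.sh" && . "$_dir/settings.sh"
    _rc=$?
    rm -rf "$_dir"
    umask "$_old_umask"
    return "$_rc"
}

# Constructed sample input for trying the two functions.
write_sample() {
    printf '%s\n' '# constructed sample' 'DEMO_LANG="en_US.UTF-8"' \
        'DEMO_FONT=example-font' 'not a setting' > "$1"
}
```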