Comment 5 for bug 638636

FYI: the issue of wild characters in Name: was reported to a vendor-sec representative
in December and fixed @rpm5.org by adding PCRE validation patterns for all tags, not
just spot checking NVR. The issue is considerably more complex than, say,
   Name: ~;
and can be exercised by any script, not just rpmbuild, that constructs file paths
from RPM package tags.

Not that vendor-sec is worth much these days ...