Comment 1 for bug 247445

See also this post in the CERT vulnerability analysis blog: http://www.cert.org/blogs/vuls/2008/07/using_package_managers.html
They have assigned a vulnerability number to this issue (VU#230187) but it doesn't seem to be public yet.