sdiff 2.7 in the diffutils package allows local users to overwrite files via a symlink attack.

getty_ps 2.0.7j allows local users to overwrite arbitrary files via a symlink attack.

squid 2.3 and earlier allows local users to overwrite arbitrary files via a symlink attack in some configurations.

gpm 1.19.3 allows local users to overwrite arbitrary files via a symlink attack.

inn 2.2.3 allows local users to overwrite arbitrary files via a symlink attack in some configurations.

exmh 2.2 and earlier allows local users to overwrite arbitrary files via a symlink attack on the exmhErrorMsg temporary file.

Multiple shell programs on various Unix systems, including (1) tcsh, (2) csh, (3) sh, and (4) bash, follow symlinks when processing << redirects (aka here-documents or in-here documents), which allows local users to overwrite files of other users via a symlink attack.

Some functions that implement the locale subsystem on Unix do not properly cleanse user-injected format strings, which allows local attackers to execute arbitrary commands via functions such as gettext and catopen.

Kernel logging daemon (klogd) in Linux does not properly cleanse user-injected format strings, which allows local users to gain root privileges by triggering malformed kernel messages.

A race condition in MandrakeUpdate allows local users to modify RPM files while they are in the /tmp directory before they are installed.