source: wwwsecurityfocuscom/bid/82/info
pkgtool creates the file /tmp/reply insecurely and follows symbolic links An attacker can create a symbolic link from /tmp/reply to any file and wait for root to run the program This will clober the target file
The file created has permissions -rw-rw-rw-
$ cp /etc/passwd /tmp/passwd
$ ln -s /tm ...