Symbolic link vulnerability in the slpd script slpd.all_init for OpenSLP prior to 1.0.11 allows local users to overwrite arbitrary files via the route.check temporary file.
Vendor: openslp. Product: openslp.