eupdatedb in esearch 0.6.1 and previous versions allows local users to create arbitrary files via a symlink attack on the esearchdb.py.tmp temporary file.