The bzexe command in bzip2 1.0.5 and previous versions generates compressed executables that do not properly handle temporary files during extraction, which allows local users to execute arbitrary code by precreating a temporary directory.
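The weakness class described above (a temporary directory that another local user can create first), shown as an added example that is not bzexe's code and not part of the PoC below. The function names, the `extract.` prefix and the suffix argument are constructed for illustration.

```shell
# Added illustration; not taken from bzexe or from the PoC on this page.

# Weak pattern: predictable name, and "mkdir -p" succeeds even when the
# directory already exists, so a directory precreated by another local
# user is silently accepted and then used for extraction.
weak_tmpdir() {
    dir="$1/extract.$2"            # $2 stands in for a guessable suffix such as a PID
    mkdir -p "$dir" 2>/dev/null || return 1
    printf '%s\n' "$dir"
}

# If the name must stay predictable: plain mkdir is atomic and fails when the
# path already exists (directory, file or symlink), so the caller can abort.
strict_tmpdir() {
    dir="$1/extract.$2"
    mkdir -m 700 "$dir" 2>/dev/null || return 1
    printf '%s\n' "$dir"
}

# Preferred: mktemp -d picks an unpredictable name and creates the directory
# atomically with mode 0700. The body runs in a subshell so the umask change
# does not leak into the caller.
safe_tmpdir() (
    umask 077
    mktemp -d "$1/extract.XXXXXXXXXX"
)

# Sanity check before use: a real directory (not a symlink) owned by us.
is_private_dir() {
    [ -d "$1" ] && [ ! -L "$1" ] && [ -O "$1" ]
}
```

A caller should treat a non-zero return from `strict_tmpdir` or `safe_tmpdir` as fatal rather than falling back to the predictable path.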
/* bzexec_PoC.c -- bzip2 (bzexe) race condition PoC
Author: vladz (vladzdevzerofr)
Tested on: Debian 6.0.3 up to date (bzip2 version 1.0.5-6)
This PoC exploits a race condition in the bzexe script. This tool is
rarely used so I wasn't supposed to write an exploit. But some people
on the full-disclosure list had doubts ...