The der_chop script in the openssl package in Trustix Secure Linux 1.5 through 2.1 and other operating systems allows local users to overwrite files via a symlink attack on temporary files.
Exploitability
AV:LAC:LAu:NImpact
C:NI:PA:N2.1/AV:L/AC:L/Au:N/C:N/I:P/A:N