XFree86 4.0.1 /tmp Vulnerabilities
A number of vulnerabilities exist in XFree86 4.0.1 and priors handling and use of files in /tmp. They are as follows:
XFree86 4.0.1 and prior, when installed from source, creates manpage aliases as temporary files in /tmp, prior to being installed in /usr/X11R6/man. The temporary filenames are based on the process id. It is rm'd before being overwritten, however shell redirection, without noclobber being set. Exploiting this vulnerability requires predicting the UID, and racing the installation script creation of these files after removing them. This should not be difficult.
gccmakedep uses /tmp insecurely, and uses mktemp() in the 3.3.x branch.
imake, under Linux, uses tmpnam() insecurely when determining the version of libc, and in the 4.0 version, uses mktemp(), which makes the filename further predictable.
xman uses mktemp() insecurely.
libXaw uses tmpnam() insecurely.