The Nautilus file manager in Red Hat Linux 7.2 has a symlink vulnerability.
The Nautilus file manager (used by default in the GNOME desktop environment) writes metadata files containing information about files and directories that have been visited in the file manager. The metadata file code in Red Hat Linux 7.2 can be tricked into following a symlink and overwriting the symlink target.

The errata packages repair this problem in two ways. First, they create metadata files using mkstemp() and then rename them into place, instead of creating the files in place with a fixed filename. This patch in the errata packages was backported from the latest upstream version of Nautilus on cvs.gnome.org. Second, Nautilus used to have a preference to store metadata only in the user's home directory, rather than in each directory being browsed. This erratum removes the preference and hardcodes its value to always use the home directory. This disables the shared-metadata functionality, so if two users browse the same directory they may see different icons, emblems, and so forth.

Nautilus has only been shipped in Red Hat Linux 7.2; earlier versions do not contain Nautilus and thus are not vulnerable.

This problem should only be exploitable locally (filesystem access is needed to create a malicious symlink). If Nautilus is not run as root, the impact should be limited to overwriting files that unprivileged users have access to. If Nautilus is run as root, a malicious symlink could overwrite system-critical files such as /etc/passwd with Nautilus metadata.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-0157 to this issue. The BUGTRAQ ID for this issue is 4373.