The populate_conns function in src/populate_conns.c in GSAMBAD 0.1.4 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/gsambadtmp temporary file.
Related bugs and status
CVE-2007-2838 (Candidate)
is related to these bugs: