A symlink following vulnerability was found in the ABRT post-create event handler scripts in /etc/libreport/events.d/abrt_event.conf. Event scripts write output files using shell redirections (e.g., "printf ... > $DUMP_DIR/var_log_messages") which use open() with O_WRONLY|O_CREAT|O_TRUNC without the O_NOFOLLOW flag. If the target file is replaced with a symlink, the shell process (running as root in the abrt_handle_event_t SELinux domain, which is effectively unconfined) follows the symlink and writes content to the symlink target. In contrast, dd_save_text (used by SetElement) correctly uses O_NOFOLLOW. An attacker who has gained filesystem control of the dump directory can replace output files with symlinks pointing to sensitive system files such as /var/spool/cron/root.
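The difference between the two open() behaviours described above, as an added example (not ABRT or libreport code): one writer uses the same flags as a shell `>` redirection, the other adds O_NOFOLLOW and checks the opened file before truncating. The function names, the temporary directory and the harmless `decoy` file are constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Same flags as a shell ">" redirection: a symlink at the final path component is followed. */
static int write_like_shell(int dirfd, const char *name, const char *text) {
    int fd = openat(dirfd, name, O_WRONLY | O_CREAT | O_TRUNC, 0640);
    if (fd < 0) return -errno;
    int rc = write(fd, text, strlen(text)) < 0 ? -errno : 0;
    close(fd);
    return rc;
}
/* Hardened: O_NOFOLLOW rejects a symlink (ELOOP on Linux); truncate only after fstat() passes. */
static int write_nofollow(int dirfd, const char *name, const char *text) {
    int fd = openat(dirfd, name, O_WRONLY | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0640);
    if (fd < 0) return -errno;
    struct stat st; int rc = 0;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode)) rc = -EINVAL;
    else if (ftruncate(fd, 0) < 0 || write(fd, text, strlen(text)) < 0) rc = -errno;
    close(fd);
    return rc;
}
/* Constructed scenario: in a fresh temp dir the output name is a symlink to "decoy".
   Returns the writer's result; *clobbered is 1 if the decoy's 9-byte content changed. */
static int run_demo(int hardened, int *clobbered) {
    char dir[] = "/tmp/dumpdir-demo-XXXXXX";
    if (!mkdtemp(dir)) return -errno;
    int dfd = open(dir, O_RDONLY | O_DIRECTORY);
    if (dfd < 0) return -errno;
    write_like_shell(dfd, "decoy", "original\n");
    if (symlinkat("decoy", dfd, "var_log_messages") < 0) return -errno;
    int rc = (hardened ? write_nofollow : write_like_shell)(dfd, "var_log_messages", "log\n");
    struct stat st;
    *clobbered = fstatat(dfd, "decoy", &st, 0) < 0 || st.st_size != 9;
    unlinkat(dfd, "var_log_messages", 0); unlinkat(dfd, "decoy", 0);
    close(dfd); rmdir(dir);
    return rc;
}
int main(void) {
    for (int h = 0; h <= 1; h++) {
        int hit = 0, rc = run_demo(h, &hit);
        printf("%s: rc=%d (%s), decoy clobbered=%d\n", h ? "O_NOFOLLOW" : "shell-style", rc, strerror(-rc), hit);
    }
    return 0;
}
```

O_NOFOLLOW only guards the final path component, so the directory itself still has to be opened and owned in a way the writer trusts.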