The crossfire-maps package, as shipped within Fedora releases of 8, 9 and 10, is prone to a symlink attack.

Affected file:
/usr/share/crossfire/maps/Info/combine.pl

Relevant part of the code:

    system("ppmmake \\#000 $DEST_WIDTH $DEST_HEIGHT > /tmp/tmp.ppm");
    system("cp images/combine.ppm /tmp/tmp.ppm");
    system("pngtopnm images/world_$dx\_$dy.png | pnmscale -xysize $TILE_WIDTH $TILE_HEIGHT > /tmp/ppm.tmp");
    system("pnmpaste /tmp/ppm.tmp $sx $sy /tmp/tmp.ppm > /tmp/tmp.ppm1");
    unlink("/tmp/tmp.ppm");
    rename("/tmp/tmp.ppm1", "/tmp/tmp.ppm");
    system("mv /tmp/tmp.ppm images/combine.ppm");

Description:
A malicious user could pre-create a symbolic link named '/tmp/tmp.ppm'. A subsequent run of the crossfire command would then destroy the target of the symlink, truncating it to zero size.

Affected versions:
This issue affects the versions of the crossfire-maps package as shipped within Fedora releases of 8, 9 and 10.
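
The failure mode described above and two ways to close it, as an added example in Perl (the language of combine.pl). It is not code from the crossfire-maps package; the sandbox directory, victim.txt and the helper names spew/slurp are constructed for illustration, and the sandbox stands in for a shared /tmp.

```perl
#!/usr/bin/perl
# Added example (not from crossfire-maps); every path here is constructed.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Temp qw(tempdir);

# Sandbox standing in for a shared /tmp; removed when the script exits.
my $shared = tempdir(CLEANUP => 1);
my $victim = "$shared/victim.txt";   # a file the invoking user can write
my $fixed  = "$shared/tmp.ppm";      # predictable name, as in combine.pl

sub spew {
    my ($path, $data) = @_;
    open(my $fh, '>', $path) or die "open $path: $!";   # follows symlinks
    print {$fh} $data;
    close($fh) or die "close $path: $!";
}

sub slurp {
    my ($path) = @_;
    open(my $fh, '<', $path) or die "open $path: $!";
    local $/;
    return scalar <$fh>;
}

# Unsafe pattern: a pre-existing link at the fixed name redirects the write.
spew($victim, "important data\n");
symlink($victim, $fixed) or die "symlink: $!";
spew($fixed, "");   # same effect as the shell's "> /tmp/tmp.ppm"
printf "fixed name:  victim is now %d bytes\n", (stat $victim)[7];

# Check 1: O_EXCL refuses to create through an existing name, link or not.
spew($victim, "important data\n");
my $ok = sysopen(my $fh1, $fixed, O_WRONLY | O_CREAT | O_EXCL, 0600);
printf "O_EXCL:      open %s (%s)\n", $ok ? "succeeded" : "refused", $ok ? "-" : $!;

# Check 2: private 0700 directory with a random name; other users cannot
# plant anything inside it, so the intermediate files can keep fixed names.
my $work = tempdir("combine.XXXXXX", DIR => $shared);
spew("$work/tmp.ppm", "P3 1 1 255 0 0 0\n");
printf "private dir: victim still holds %s", slurp($victim);
```

In a script like combine.pl the working directory would be created with tempdir("combine.XXXXXX", TMPDIR => 1, CLEANUP => 1) and every /tmp/... path in the system() calls replaced by a path inside it.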