Robert Vogelgesang reported that dhcpd init script as used in dhcp packages in Red Hat Enterprise Linux 3 does not create temporary files safely inside configtest() function. Temporary file created by the script has predictable name (using script's process id), allowing local attacker to perform a symlink attack. When init script is called with configtest, restart or reload argument, arbitrary file may be overwritten by the output of 'dhcpd -t' (dhcpd.conf syntax check).
This issue did not affect dhcp packages in Red Hat Enterprise Linux 4 and 5, and current Fedora versions (9, 10, 11).
This issue has been addressed in following products:
Red Hat Enterprise Linux 3
Via RHSA-2009:1154 https://rhn.redhat.com/errata/RHSA-2009-1154.html
MITRE's CVE-2009-1893 entry:
The configtest function in the Red Hat dhcpd init script for DHCP
3.0.1 in Red Hat Enterprise Linux (RHEL) 3 allows local users to
overwrite arbitrary files via a symlink attack on an unspecified
temporary file, related to the "dhcpd -t" command.