kfm as included with KDE 1.x can allow a local attacker to gain additional privileges via a symlink attack in the kfm cache directory in /tmp.
https://exchange.xforce.ibmcloud.com/vulnerabilities/6428
http://archives.neohapsis.com/archives/bugtraq/2001-04/0336.html