cvsupd.sh in CVSup 1.2 allows local users to overwrite arbitrary files and gain privileges via a symlink attack on /var/tmp/cvsupd.out.
http://www.securityfocus.com/bid/6150
http://www.iss.net/security_center/static/10610.php
http://archives.neohapsis.com/archives/freebsd/2002-11/0011.html