msxlsview.sh in xlsview for catdoc 0.91 and earlier allows local users to overwrite arbitrary files via a symlink attack on predictable temporary file names ("word$$.html").
https://exchange.xforce.ibmcloud.com/vulnerabilities/16335
http://www.securityfocus.com/bid/11560
http://www.debian.org/security/2004/dsa-575
http://secunia.com/advisories/13022/
http://secunia.com/advisories/13021/
http://bugs.debian.org/cgi-bin/bugreport.cgi?archive=no&bug=183525
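
The flaw class described above, shown as an added example that is not code from msxlsview.sh or the catdoc project: a PID-based name such as `word$$.html` next to creation with `mktemp`. The function names and the sandbox layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration; function names are hypothetical, not taken from msxlsview.sh.

# Unsafe: the name is derived from the PID, so it can be known in advance, and
# ">" follows a symlink already sitting at that path and truncates its target.
unsafe_write() {            # $1 = directory, $2 = data
    printf '%s\n' "$2" > "$1/word$$.html"
}

# Safer: mktemp picks an unpredictable name and creates the file exclusively
# (it fails instead of reusing an existing path), with owner-only permissions.
safe_write() {              # $1 = directory, $2 = data; prints the file created
    tmp=$(mktemp "$1/word.XXXXXXXXXX") || return 1
    printf '%s\n' "$2" > "$tmp"
    printf '%s\n' "$tmp"
}

# Constructed scenario inside a private sandbox: a symlink already exists at the
# predictable name and points at a file that must not change.
# $1 = unsafe_write or safe_write; prints the protected file's final content.
run_case() {
    box=$(mktemp -d) || return 1
    printf 'original\n' > "$box/protected"
    ln -s "$box/protected" "$box/word$$.html"
    "$1" "$box" 'converted output' > /dev/null
    cat "$box/protected"
    rm -rf "$box"
}

echo "unsafe: protected file now contains: $(run_case unsafe_write)"
echo "safe:   protected file now contains: $(run_case safe_write)"
```

When auditing other scripts for the same pattern, look for `$$` inside paths under shared directories such as `/tmp`.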