The ed editor for Sun Solaris 2.6, 7, and 8 allows local users to create or overwrite arbitrary files via a symlink attack on temporary files.
https://exchange.xforce.ibmcloud.com/vulnerabilities/13952
http://www.securityfocus.com/bid/9199
http://www.auscert.org.au/render.html?it=3688
http://sunsolve.sun.com/search/document.do?assetkey=1-26-57443-1