The handler code for backupninja 0.8 and earlier creates temporary files with predictable filenames, which allows local users to modify arbitrary files via a symlink attack.
https://exchange.xforce.ibmcloud.com/vulnerabilities/22461
http://www.securityfocus.com/bid/14978
http://www.debian.org/security/2005/dsa-827