updatejail in jailer 0.4 allows local users to overwrite arbitrary files via a symlink attack on a /tmp/#####.updatejail temporary file.
http://www.securityfocus.com/bid/32413
http://www.debian.org/security/2008/dsa-1674
http://secunia.com/advisories/32959