sup 1.8 and earlier does not properly create temporary files, which allows local users to overwrite arbitrary files.