Man2html 2.1 and earlier allows local users to overwrite arbitrary files via a symlink attack on a temporary file.