tmp_smtp.c in pktstat 1.8.5 allows local users to overwrite arbitrary files via a symlink attack on /tmp/smtp.log.