
Exhibit A: elm

One of the oldest bugs in this category is probably the elm mailbox bug. At startup, the elm mail reader used to create a temporary file named /tmp/mbox.username, and copy the contents of the user's mailbox to it.

To see why this is a security problem, consider an evil person named Mallet. Mallet creates a symbolic link from /tmp/mbox.joe to Joe's .rhosts file, and sends Joe a mail message that (in addition to several lines of mail headers) contains the two words localhost mallet on a line by themselves:

    ln -s /home/joe/.rhosts /tmp/mbox.joe
    echo "localhost mallet" | /usr/sbin/sendmail joe

When user Joe starts elm to read his email some time later, elm opens /tmp/mbox.joe for writing. Since mbox.joe is a symbolic link, the kernel will follow the symbolic link and open user Joe's .rhosts file instead.

So the entire contents of the mailbox, including the line localhost mallet, end up in .rhosts. Now all Mallet has to do is type rlogin -l joe localhost, and he is logged into Joe's account: the line he smuggled into Joe's .rhosts file grants user mallet access to the account when logging in from the same host. Of course, Mallet's little trick also appended a lot of junk to .rhosts, but the rlogin daemon is quite forgiving when dealing with junk lines.
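The fixed-name open that made elm vulnerable next to a hardened version, as an added example in C (not elm's source): O_EXCL and O_NOFOLLOW make the open fail when a link has been planted under the expected name, and mkstemp() removes the predictable name altogether. The scratch directory and file names are constructed for the demo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* What the old elm did: a fixed name and O_CREAT without O_EXCL. If the
 * name already exists as a symlink, open() follows it and truncates the target. */
static int open_tmp_unsafe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: O_EXCL fails if anything (even a dangling symlink) already sits
 * there, O_NOFOLLOW refuses a symlink as final component, 0600 keeps it private. */
static int open_tmp_safe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Demo in a private scratch directory (names constructed for the demo): plant
 * a symlink under the predictable name and compare the two opens, then create
 * a file the preferred way with mkstemp() (random suffix, O_EXCL inside).
 * Returns 0 when the unsafe open went through the link (victim truncated),
 * the hardened one refused it and mkstemp() succeeded; nonzero otherwise. */
int demo(void) {
    char dir[] = "/tmp/tfdemo.XXXXXX", victim[64], link[64], rnd[64];
    struct stat st; int rc = 1, fd;
    if (!mkdtemp(dir)) return rc;
    snprintf(victim, sizeof victim, "%s/.rhosts", dir);
    snprintf(link, sizeof link, "%s/mbox.joe", dir);
    snprintf(rnd, sizeof rnd, "%s/mbox.XXXXXX", dir);
    fd = open(victim, O_WRONLY | O_CREAT, 0600);
    if (fd >= 0 && write(fd, "original\n", 9) == 9 && close(fd) == 0
        && symlink(victim, link) == 0) {
        int unsafe_fd = open_tmp_unsafe(link);       /* the bug: succeeds */
        int truncated = stat(victim, &st) == 0 && st.st_size == 0;
        if (unsafe_fd >= 0) close(unsafe_fd);
        int safe_fd = open_tmp_safe(link);           /* fails: EEXIST/ELOOP */
        int refused = safe_fd < 0 && (errno == EEXIST || errno == ELOOP);
        if (safe_fd >= 0) close(safe_fd);
        int rnd_fd = mkstemp(rnd);                   /* fresh private file */
        if (rnd_fd >= 0) { close(rnd_fd); unlink(rnd); }
        rc = (unsafe_fd >= 0 && truncated && refused && rnd_fd >= 0) ? 0 : 2;
    }
    unlink(link); unlink(victim); rmdir(dir);
    return rc;
}
```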


Olaf Kirch 2002-01-16