feynmf.pl in feynmf 1.08, as used in TeXLive 2007, allows local users to overwrite arbitrary files and execute arbitrary code via a symlink attack on the feynmf$$.pl temporary file.