At SecurityFocus: "During execution of the program, files are created in the /tmp
directory. However, these files are created in an insecure manner,
which makes it possible to guess the filename of a future /tmp file. This
makes it possible for a user with malicious motives to create a number
of symbolic links in the /tmp directory, and potentially append to or
overwrite system files that are write-accessible to the UID executing
mgetty, normally root."
January 12, 2001