COMMAND

    /usr/src/linux/scripts/Configure

SYSTEMS AFFECTED

    Linux

PROBLEM

    Peter  van  Dijk  found  following.   There  _is_  a  /tmp race in
    /usr/src/linux/scripts/Configure, as  used by  make config  (which
    is obsoleted by make menuconfig):

    if [ -f $DEFAULTS ]; then
      echo "#"
      echo "# Using defaults found in" $DEFAULTS
      echo "#"
      . $DEFAULTS
      sed -e 's/# \(.*\) is not.*/\1=n/' < $DEFAULTS > /tmp/conf.$$
      . /tmp/conf.$$
      rm /tmp/conf.$$
    else

    File is created  and sourced. What  more could you  wish?  And  to
    exploit you'll have from start of script to this point to catch it
    and create a fifo in /tmp.   You know the rest (think GCC  symlink
    exploit - you can  find it on these  pages): get whatever it  puts
    into the fifo and give it back with a little extra, like  creating
    suid shell in /tmp.

SOLUTION

    Use menuconfig.