Bugzilla – Bug 95900
VUL-0: CVE-2005-0990: sharutils tmp race
Last modified: 2021-11-04 16:23:31 UTC
We received the following report via full-disclosure. The issue is public. Just to get the CAN into bugzilla. Fixed for 10.0 already due to upstream fix.

---------------------------------------------------------------------
               Fedora Legacy Update Advisory

Synopsis:          Updated sharutils package fixes security issue
Advisory ID:       FLSA:154991
Issue date:        2005-07-10
Product:           Red Hat Linux, Fedora Core
Keywords:          Bugfix
CVE Names:         CAN-2005-0990
---------------------------------------------------------------------

---------------------------------------------------------------------
1. Topic:

Updated packages for sharutils which fix a security vulnerability are now available.

The sharutils package contains a set of tools for encoding and decoding packages of files in binary or text format.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

A bug was found in the way unshar creates temporary files. A local user could use symlinks to overwrite arbitrary files the victim running unshar has write access to. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0990 to this issue.

All users of sharutils should upgrade to these packages, which resolve this issue.
fixed
CVE-2005-0990: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:N/I:P/A:N)
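
The advisory describes a symlink problem in temporary file creation but shows no code. The C sketch below is an added example, not sharutils code or its upstream fix: inside a private scratch directory it contrasts opening a predictable temp name with an O_EXCL open. All function names, file names and sample data are constructed for illustration.

```c
/* Added illustration of the bug class; not sharutils code. Names are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak pattern: predictable name, no O_EXCL, so an existing symlink is followed. */
static int open_predictable(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened pattern: O_EXCL fails with EEXIST if anything, including a symlink,
 * already occupies the name; O_NOFOLLOW is an extra guard on the last component. */
static int open_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario in a private mkdtemp() directory: a "victim" file and a
 * symlink already sitting at the temp name. Returns 1 if opening the temp name
 * truncated the victim, 0 if the victim survived, -1 on setup error. */
int symlink_clobbers(int hardened) {
    char dir[] = "/tmp/tmprace-demo-XXXXXX";
    char victim[64], tmpname[64];
    struct stat st;
    int result = -1;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    snprintf(tmpname, sizeof tmpname, "%s/predictable.tmp", dir);
    FILE *f = fopen(victim, "w");
    if (f != NULL) {
        fputs("important data\n", f);
        fclose(f);
        if (symlink(victim, tmpname) == 0) {
            int fd = hardened ? open_exclusive(tmpname) : open_predictable(tmpname);
            if (fd >= 0) close(fd);
            if (stat(victim, &st) == 0) result = (st.st_size == 0);
            unlink(tmpname);
        }
        unlink(victim);
    }
    rmdir(dir);
    return result;
}

int main(void) {
    printf("predictable: %d, exclusive: %d\n", symlink_clobbers(0), symlink_clobbers(1));
    return 0;
}
```

In real code, mkstemp() combines an unpredictable name with the same exclusive-create semantics, which is the usual replacement for hand-built temp names.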