Re: Pipe attacks

Theo de Raadt (deraadt@CVS.OPENBSD.ORG)
Fri, 20 Feb 1998 20:10:53 -0700

I have made comments before to the effect that "symbolic
links in /tmp are not the only things that are troublesome".

Now people think fifos are a problem, and likely people will come up
with hacks so that fifos now have a new semantic in /tmp. That's
an incorrect workaround or fix.

Anything which is created non-atomically has problems. Not just with
symbolic links, not just with fifos.

Think regular files.

In many of these scenarios it is quite possible for the attacker to
guess what the filename will be beforehand. gcc is an example, mail
is another. The attacker simply must create the temporary file before
the victim program does. Now the attacker owns the victim's temporary
file. I bet someone could write an exploit which modifies the
compiler's intermediate files and inserts trojan code automatically.
Yes, it's a race. (I would suggest cpp files since they contain much
blank space which can be compacted to make room for trojan code).

The attacker owns the file because he created it before the victim
did, and the victim did not use an atomic file creation.

Code like this should be modified to create files atomically and
safely. I'm sorry, but there just isn't a way around the problem.
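Added example, not part of the message above: a small C check (assumes a POSIX system; the helper names are hypothetical) contrasting non-atomic creation (O_CREAT|O_TRUNC) with atomic creation (O_CREAT|O_EXCL) when a guessable name is already occupied. In practice mkstemp(3) gives the same O_EXCL open with an unpredictable name.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Non-atomic creation: if the name already exists, the existing file is
 * opened and truncated, so a file placed there in advance is reused. */
int open_temp_nonatomic(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Atomic creation: O_EXCL makes open(2) fail with EEXIST if anything
 * (regular file, fifo, symlink, ...) already occupies the name. */
int open_temp_atomic(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Returns 1 if the given creation strategy refuses a pre-existing name,
 * 0 if it silently reuses it, -1 if the test setup failed. */
int refuses_preexisting(int (*opener)(const char *)) {
    char dir[] = "/tmp/tocdemo.XXXXXX";          /* private scratch dir */
    if (mkdtemp(dir) == NULL) return -1;
    char path[sizeof dir + 16];
    snprintf(path, sizeof path, "%s/a.out", dir); /* a guessable name */
    /* Simulate the name being taken before the "victim" creates it. */
    int pre = open(path, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (pre < 0) { rmdir(dir); return -1; }
    close(pre);
    int fd = opener(path);
    int refused = (fd < 0 && errno == EEXIST);
    if (fd >= 0) close(fd);
    unlink(path);
    rmdir(dir);
    return refused;
}

int main(void) {
    printf("non-atomic refuses pre-existing name: %d\n",
           refuses_preexisting(open_temp_nonatomic));
    printf("atomic refuses pre-existing name:     %d\n",
           refuses_preexisting(open_temp_atomic));
    return 0;
}
```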