compiz-fusion-plugins-extra includes a "crash handler" plugin; the source of this plugin can be found at src/crashhandler/crashhandler.c. In that file the function crash_handler() executes some debugging commands after compiz crashes (I sent it a SIGABRT as a test :) ): it writes a gdb command script to /tmp/gdb.tmp (which gets deleted afterwards) and places the gdb output into the configured crash directory (which by default is /tmp). In both cases the program does not verify whether the files already exist or are symbolic links.
Note: A user would need to have compiz-fusion-plugins-extra installed and the crash-handler plugin enabled.
The vulnerable code is the following:
    // backtrace
    char cmd[1024];
    // The gdb script is written to the fixed, world-shared path /tmp/gdb.tmp
    // and the backtrace to <crash dir>/compiz_crash-<pid>.out; neither path is
    // checked for an existing file or a symbolic link before the shell
    // redirection / tee overwrites it.
    snprintf (cmd, 1024,
              "echo -e \"set prompt\nthread apply all bt full\n"
              "echo \\\\\\n\necho \\\\\\n\nbt\nquit\" > /tmp/gdb.tmp;"
              "gdb -q %s %i < /tmp/gdb.tmp | "
              "grep -v \"No symbol table\" | "
              "tee %s/compiz_crash-%i.out; rm -f /tmp/gdb.tmp; "
              "echo \"\n[CRASH_HANDLER]: "
              "\\\"%s/compiz_crash-%i.out\\\" created!\n\"",
              programName, getpid (), crashhandlerGetDirectory (cDisplay),
              getpid (), crashhandlerGetDirectory (cDisplay), getpid () );
    // The whole pipeline is handed to /bin/sh
    system (cmd);
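For comparison, the following is an added example (not code from the plugin) of how the two file creations above can be done without the race: the crash output is opened with O_CREAT|O_EXCL|O_NOFOLLOW so an existing file or symlink is refused rather than overwritten, and the gdb script goes into a private mkstemp() file instead of the shared /tmp/gdb.tmp. The function names and the is_symlink() helper are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical safe replacement for "tee <dir>/compiz_crash-<pid>.out".
 * Returns a writable fd, or -1 if the path already exists (O_EXCL) or is a
 * symbolic link (O_NOFOLLOW); the caller then logs and gives up instead of
 * writing through an attacker-placed link. */
int open_crash_output(const char *dir, int pid)
{
    char path[PATH_MAX];
    int n = snprintf(path, sizeof path, "%s/compiz_crash-%d.out", dir, pid);
    if (n < 0 || n >= (int)sizeof path)
        return -1;
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Hypothetical replacement for "echo ... > /tmp/gdb.tmp": mkstemp() creates
 * a 0600 file with O_EXCL under an unpredictable name and writes the gdb
 * commands into it. On success the chosen path is left in `path` so the
 * caller can pass it to gdb and unlink it afterwards. */
int create_gdb_script(char *path, size_t len, const char *commands)
{
    if (snprintf(path, len, "%s", "/tmp/gdb-script-XXXXXX") >= (int)len)
        return -1;
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    size_t n = strlen(commands);
    if (write(fd, commands, n) != (ssize_t)n) {
        close(fd);
        unlink(path);
        return -1;
    }
    return fd;
}

/* Detection helper: does `path` currently exist as a symbolic link?
 * This is the check the original code never performs. */
int is_symlink(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return 0;
    return S_ISLNK(st.st_mode) ? 1 : 0;
}
```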
Oops, I totally forgot to set the package from the one I was browsing on ... :/