Bugzilla versions 2.9 through 2.16.10 use a script called syncshadowdb to manually replicate data between a master database and a slave. The script uses temporary files in an unsafe way since it selects a name for the file based on PID and does not make any effort to determine if the file exists and if it is a symlink. A local user could use this to direct symlink attacks and overwrite files that Bugzilla has access to.
93790c5a8d3316a6d1d1db5a5d4d0009b19eff072c4ccee7b43fc98982b908f3