- Package: debian-goodies
- Source: debian-goodies
- Submitter: Jakub Wilk
- Date: 2021-11-18 08:30:04 UTC
- Severity: normal
- Tags:

dman does this:

    mandir=`mktemp --tmpdir="${TMPDIR:-/tmp}" -d dman.XXXXXX`
    trap "rm -rf $mandir" EXIT HUP INT QUIT TERM

When a signal arrives, it removes $mandir, and then... it doesn't exit,
but continues whatever it was doing. This gives the local attacker an
opportunity to create their own malicious $mandir.

See #911720 and #911969 for similar bugs in devscripts.
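
The trap behaviour described in the report, reproduced in a child shell next to one common hardening, as an added example (it is not dman's code and not necessarily the fix applied in debian-goodies). The `run_case` helper, the `trapdemo` directory name and the exit codes are assumptions of this sketch.

```shell
#!/bin/sh
# Added illustration; the child script is constructed for this demo.

# run_case STYLE: start a child shell that creates a temp dir, installs traps
# in the given style, sends itself SIGTERM, and reports what happened next.
run_case() {
    out=$(sh -c '
        dir=$(mktemp -d "${TMPDIR:-/tmp}/trapdemo.XXXXXX") || exit 2
        cleanup() { rm -rf "$dir"; }
        case $1 in
            report)
                # Pattern from the report: one handler shared by EXIT and
                # the signals, and the handler never exits.
                trap cleanup EXIT HUP INT QUIT TERM ;;
            hardened)
                # Cleanup lives only in the EXIT trap; each signal handler
                # exits, and exiting is what triggers the cleanup.
                trap cleanup EXIT
                trap "exit 129" HUP
                trap "exit 130" INT
                trap "exit 131" QUIT
                trap "exit 143" TERM ;;
        esac
        kill -TERM $$
        # Reached only if the TERM handler returned instead of exiting.
        [ -d "$dir" ] || echo "continued after cleanup, temp dir gone"
    ' sh "$1") && status=0 || status=$?
    echo "${out:-stopped at signal}; exit status $status"
}

run_case report     # continued after cleanup, temp dir gone; exit status 0
run_case hardened   # stopped at signal; exit status 143
```

In the `report` case the script is still running after its directory has been deleted, which is the window the report describes; in the `hardened` case nothing runs after the signal.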