This is a warning I get from gcc when compiling csound, and after reading the 
manpage of that function, I agree. tmpnam returns a string that is guaranteed 
to not be the name of an existing filename... but this is only at the time of 
the calling. In the time between the call to tmpnam and fopen, an attacker 
could create a symlink with that name, and destroy data that it would not 
have been able to otherwise.
In linux, this is easily solvable by replacing the tmpnam call with mkstemp, 
but I'm not sure if there is an equivalent call for OSX or Windows. The 
function is POSIX, so I'm guessing OSX should have it, and probably Windows 
in some sort of compatibility layer. Can anyone confirm?

Saludos,
Felipe Sateler