Yes, that build of libiodbc is exhibiting the same insecurity as the previous build of llvm.
ELF binaries optionally include a character string that names the directory from which libraries will be loaded. This is colloquially known as the rpath, although there are really two such ELF fields, see
https://wiki.debian.org/RpathIssue (which explains about how this relates to other mechanisms such as LD_LIBRARY_PATH).
Normally libtool, cmake etc will set this to an empty string during the build process. Subsequently, the 'chrpath' command can set this to anything, so long as it fits in the original character string field, which is an ugly hack really. Not all upstream packages are as careful about this as they should be, and some of them think rpaths are useful for the upstream devs, and getting rid of them is the packager's responsibility
The problem is that any process which can create directories and files in /tmp (i.e., any process
) could potentially drop a library into (for example) /tmp/ImageMagick-6.7.7-10/magick/.libs which would do something bad (instead of the intended actions) when something else invokes an ImageMagick command. If 'something else' is a root process, 'something bad' would be done as root, which is as bad as it gets.
As an old Multics user, my opinion is that having so many mechanisms for finding libraries, especially having hardcoded paths in executables, is a recipe for confusion and disaster, but the rarity of actual real world disasters shows that I'm only right about the confusion thing