Am I missing something? Yes it’s a bug, but you would already need to be root to unlink and symlink the root mailbox…
You’re only unlinking your own mailbox, and symlinking it to root’s mailbox (or any other file). When mail.local runs on that file (symlink) it changes ownership of the file (the target of the symlink) to the user because it thinks it just created it as a new plain file.
This exploit links it to atrun instead of root’s mailbox, so that you then become owner of atrun, and then you can just edit it and turn it into a shell script, which gets run by root’s crontab and creates a setuid-root shell.
You are correct that you shouldn’t be able to unlink and symlink your own mailbox in /var/mail, but NetBSD creates that directory with mode 1777 like /tmp, rather than 0755 like on OpenBSD.
So NetBSD fixed the TOCTOU bug in mail.local, but should probably also make /var/mail more restrictive so users can’t create junk there.
On a typical Unix box, /var/mail has too wide permissions.