appdmg and pkgdmg providers write packages to insecure location
Assignee: Patrick Carlisle
% Done:
Affected Puppet version: 2.6.0
Branch: https://github.com/pcarlisle/puppet-cve-test/tree/ticket/2.7.x/13260-dmg-providers
These providers are only used on Darwin. If a package resource is given a remote source, the provider downloads the package to a predictable filename in /tmp. A local user can pre-create a symlink at that name and thereby clobber any file on the system with the downloaded contents, or, by repointing the symlink between download and install, have an arbitrary package installed instead (and package installers can execute arbitrary code).
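The two halves of the problem, the predictable path and the follow-the-symlink open, and the usual fix for each, as an added Ruby example. This is illustration code, not Puppet's providers or the linked branch; the function names, the sandbox directory standing in for /tmp, the source URL and the file contents are all constructed for the demo.

```ruby
require "tmpdir"
require "fileutils"

# Hypothetical stand-ins for a download step. `cache_dir` plays the role of
# /tmp, `source` the package URL, `payload` the bytes that were "downloaded".

# Vulnerable pattern: the destination is derived only from the source name,
# so anyone who knows the URL knows the path before the download starts.
def predictable_download(cache_dir, source, payload)
  dest = File.join(cache_dir, File.basename(source))
  # "wb" is O_WRONLY|O_CREAT|O_TRUNC: it follows a pre-planted symlink and
  # truncates and overwrites whatever the link points at.
  File.open(dest, "wb") { |f| f.write(payload) }
  dest
end

# Create-only write: O_EXCL makes open(2) fail if anything already exists at
# the path (a symlink counts, wherever it points); O_NOFOLLOW is a second
# guard where the platform offers it.
def exclusive_write(dest, payload)
  flags = File::WRONLY | File::CREAT | File::EXCL
  flags |= File::NOFOLLOW if File.const_defined?(:NOFOLLOW)
  File.open(dest, flags, 0600) { |f| f.write(payload) }
  dest
end

# Hardened pattern: a fresh mode-0700 directory with a random suffix, so the
# path is neither predictable nor writable by other users, plus the
# create-only open above in case the name is ever guessed anyway.
def safe_download(cache_dir, source, payload)
  dir = Dir.mktmpdir("pkg-", cache_dir)
  exclusive_write(File.join(dir, File.basename(source)), payload)
end

# Attacker plants a symlink at the predictable name, pointing at a victim
# file, before the download runs. Returns whether the victim was overwritten.
def simulate(downloader)
  Dir.mktmpdir("demo-") do |sandbox|
    fake_tmp = File.join(sandbox, "tmp")
    victim   = File.join(sandbox, "victim_file")   # stands in for any system file
    Dir.mkdir(fake_tmp)
    File.write(victim, "original contents\n")
    source = "http://example.invalid/Foo.dmg"        # constructed URL
    File.symlink(victim, File.join(fake_tmp, File.basename(source)))
    begin
      downloader.call(fake_tmp, source, "ATTACKER-CHOSEN\n")
      error = nil
    rescue SystemCallError => e
      error = e.class.name
    end
    { clobbered: File.read(victim) != "original contents\n", error: error }
  end
end

# Direct check of the open flags: even when the symlink sits exactly at the
# destination path, the create-only open refuses and the victim is untouched.
def exclusive_write_blocked_by_symlink?
  Dir.mktmpdir("demo-") do |sandbox|
    victim = File.join(sandbox, "victim_file")
    link   = File.join(sandbox, "Foo.dmg")
    File.write(victim, "original\n")
    File.symlink(victim, link)
    begin
      exclusive_write(link, "ATTACKER\n")
      false
    rescue SystemCallError
      File.read(victim) == "original\n"
    end
  end
end

if __FILE__ == $0
  p simulate(method(:predictable_download))   # clobbered: true
  p simulate(method(:safe_download))          # clobbered: false
  p exclusive_write_blocked_by_symlink?       # true
end
```

The random directory is the primary defence; the O_EXCL/O_NOFOLLOW open only matters if the name leaks or the directory is shared. Note that neither closes the second window the report describes: if the installer later re-opens the file by path, the directory must also stay unreadable and unwritable to other users between download and install, which is what the 0700 mode from Dir.mktmpdir provides.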