CVE-2012-1906 (retired)

Priority
Description
Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise
(PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 use predictable
file names when installing Mac OS X packages from a remote source, which
allows local users to overwrite arbitrary files or install arbitrary
packages via a symlink attack on a temporary file in /tmp.
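
The bug class described above, as an added Ruby illustration that is not Puppet's code: a fixed staging name in a shared directory beside an exclusive, no-follow create in a private directory. All function names, file names and the sample bytes are hypothetical and constructed for this example.

```ruby
require 'tmpdir'

# Constructed stand-in for bytes fetched from a remote package source.
SAMPLE_PKG = "constructed package bytes\n".freeze
# CREAT|EXCL fails if anything (file or symlink) already exists at the path.
EXCL_FLAGS = File::WRONLY | File::CREAT | File::EXCL | File::NOFOLLOW

# Weak pattern: a guessable name in a shared directory, opened with plain
# "w". A symlink already sitting at that path is followed, and whatever it
# points to is truncated and rewritten.
def stage_predictable(shared_dir, name, data)
  path = File.join(shared_dir, name)
  File.open(path, 'w') { |f| f.write(data) }
  path
end

# Exclusive create: returns false instead of writing through an existing
# entry at the path.
def exclusive_write(path, data)
  File.open(path, EXCL_FLAGS, 0o600) { |f| f.write(data) }
  true
rescue Errno::EEXIST, Errno::ELOOP
  false
end

# Hardened pattern: a randomly named 0700 directory (Dir.mktmpdir) that no
# other local user can write into, plus the exclusive create inside it.
def stage_private(name, data)
  dir = Dir.mktmpdir('pkg-stage-')
  path = File.join(dir, File.basename(name))
  raise IOError, "refusing to reuse #{path}" unless exclusive_write(path, data)
  path
end

# Runs both patterns against a symlink planted in a throwaway scratch
# directory and reports what happened to the link's target.
def compare_patterns
  Dir.mktmpdir('scratch-') do |scratch|
    target = File.join(scratch, 'important.conf')
    staged = File.join(scratch, 'download.pkg')
    File.write(target, "original\n")
    File.symlink(target, staged)
    stage_predictable(scratch, 'download.pkg', SAMPLE_PKG)
    weak_clobbered = File.read(target) == SAMPLE_PKG
    File.write(target, "original\n")
    hardened_wrote = exclusive_write(staged, SAMPLE_PKG)
    { weak_clobbered: weak_clobbered, hardened_wrote: hardened_wrote,
      target_intact: File.read(target) == "original\n" }
  end
end
```

`stage_private` leaves its directory in place for the caller to consume and remove once the package has been installed.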
Notes
 tyhicks> Yama mitigates this
 tyhicks> Despite these being OS X package providers, we do ship them so they
  will get patched
Package
Upstream: needs-triage
More Information

Updated: 2019-03-26 12:01:32 UTC (commit ccdecfcf0fead22bd291e5f4ea745a46872dcb15)