
(#13260) Use mktmpdir when downloading packages
c51447dfa81c (Unpublished)


Description

(#13260) Use mktmpdir when downloading packages

This fixes a security vulnerability in the appdmg and pkgdmg providers where
they would curl packages directly into /tmp and then install them, allowing an
attacker to craft a symlink and overwrite arbitrary files or install arbitrary
packages.

Conflicts:

lib/puppet/provider/package/appdmg.rb
lib/puppet/provider/package/pkgdmg.rb
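
The difference between the two download patterns named in the commit message, as an added Ruby example (not the commit's own code, whose diff is not shown on this page). The helper `fake_download`, the function names and the file names are hypothetical, and everything runs inside a constructed sandbox directory rather than the real /tmp.

```ruby
require 'tmpdir'

# Hypothetical stand-in for the curl step: a plain open-for-write, which
# follows a symlink that already exists at `dest`.
def fake_download(dest, body)
  File.open(dest, 'w') { |f| f.write(body) }
end

# Pattern described in the commit message: a guessable name in a shared dir.
def download_predictable(shared_tmp, name, body)
  dest = File.join(shared_tmp, name)
  fake_download(dest, body)
  dest
end

# Hardened pattern: Dir.mktmpdir creates a fresh directory (mode 0700, random
# suffix), so no other user can have placed an entry inside it beforehand.
def download_private(shared_tmp, name, body)
  Dir.mktmpdir('pkg', shared_tmp) do |dir|
    dest = File.join(dir, name)
    fake_download(dest, body)
    yield dest, File.stat(dir).mode & 0o777
  end # the directory and its contents are removed here
end

# Runs both patterns against a constructed sandbox and reports the outcome.
def demo
  Dir.mktmpdir('sandbox') do |root|
    shared = File.join(root, 'tmp')
    Dir.mkdir(shared)
    victim = File.join(root, 'victim.conf')
    File.write(victim, 'original')
    # Constructed precondition: a symlink already sits at the guessable name.
    File.symlink(victim, File.join(shared, 'pkg.dmg'))

    download_predictable(shared, 'pkg.dmg', 'payload')
    clobbered = File.read(victim) == 'payload'

    File.write(victim, 'original')
    mode = nil
    download_private(shared, 'pkg.dmg', 'payload') { |_dest, m| mode = m }
    { clobbered_by_predictable: clobbered,
      intact_after_private: File.read(victim) == 'original',
      private_dir_mode: mode }
  end
end
```
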

Details

Provenance
Patrick Carlisle <patrick@puppetlabs.com> Authored on
Matthaus Litteken <matthaus@puppetlabs.com> Committed on Apr 3 2012, 11:28 PM
vanmeeuwen Pushed on Jun 2 2015, 2:22 PM
Parents
rPU568ded50ec6c: Fix for bucket_path security vulnerability
Branches
Unknown
Tags
Unknown

Event Timeline

Matthaus Litteken <matthaus@puppetlabs.com> committed rPUc51447dfa81c: (#13260) Use mktmpdir when downloading packages (authored by Patrick Carlisle <patrick@puppetlabs.com>). Apr 3 2012, 11:28 PM