Submitted by securityadmin on
http://puppetlabs.com/security/cve/cve-2012-1906
"A bug in Puppet uses a predictable filename in /tmp.
When installing Mac OS X packages from a remote source, Puppet uses a predictable filename in /tmp to store the package. Using a symlink at that filename, it is possible to either overwrite arbitrary files on the system or to install an arbitrary package. (Note that OS X package installers can also execute arbitrary code.)"
It is recommended that users update to 2.5.1, 2.6.15, or 2.7.13 to avoid this issue.
Thanks,
ep
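The advisory above describes the classic predictable-filename-in-/tmp flaw: a path derived only from the package name can be pre-occupied by a symlink, so the write lands wherever the link points. The Ruby below is an added example, not Puppet's own code, and all function names (`predictable_stage_path`, `stage_package_safely`, `stage_package_exclusive`, `staged_file_ok?`) are hypothetical. It puts the vulnerable pattern beside two fixes (a private `mkdtemp` directory, and `O_CREAT|O_EXCL` on a path that cannot be randomised) and a pre-install ownership/symlink check, then runs them in a scratch directory with a constructed pre-placed symlink to show the exclusive-create refusing where the naive write is redirected.

```ruby
require 'tmpdir'

# Hypothetical helpers (not Puppet's code) contrasting how a downloaded
# package might be staged under the system temp directory.

# Unsafe pattern: the staging path is fully predictable from the package
# name, so anyone who can write to tmp_root can pre-create a symlink there.
def predictable_stage_path(pkg_name, tmp_root = Dir.tmpdir)
  File.join(tmp_root, "#{pkg_name}.pkg")
end

# Hardened pattern: a freshly created, randomly named, mode-0700 directory
# (mkdtemp), plus O_CREAT|O_EXCL so any pre-existing path (file or symlink)
# makes the open fail with EEXIST instead of being followed.
def stage_package_safely(pkg_name, contents, tmp_root = Dir.tmpdir)
  dir  = Dir.mktmpdir("pkg-stage-", tmp_root)
  path = File.join(dir, File.basename(pkg_name))
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0600) { |f| f.write(contents) }
  path
end

# Minimal fix when the path itself cannot be randomised: exclusive create
# refuses to proceed if anything already occupies the path.
def stage_package_exclusive(path, contents)
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0600) { |f| f.write(contents) }
  path
end

# Pre-install check: the staged artifact must be a regular file (not a
# symlink), owned by the installing process, and not group/world writable.
def staged_file_ok?(path)
  st = File.lstat(path)
  st.file? && !st.symlink? && st.uid == Process.euid && (st.mode & 0o022).zero?
end

# Demonstration entirely inside a scratch directory. The symlink at the
# predictable name is constructed here to reproduce the advisory's condition.
def demo
  Dir.mktmpdir("demo-") do |scratch|
    victim = File.join(scratch, "victim.txt")
    File.write(victim, "original")

    bad = predictable_stage_path("Foo", scratch)
    File.symlink(victim, bad)          # constructed pre-placed symlink

    File.write(bad, "payload")          # naive write follows the link
    followed = (File.read(victim) == "payload")

    refused = begin
      stage_package_exclusive(bad, "payload")
      false
    rescue Errno::EEXIST
      true                              # exclusive create refuses the symlink
    end

    safe = stage_package_safely("Foo.pkg", "payload", scratch)
    { followed: followed, refused: refused, safe_ok: staged_file_ok?(safe) }
  end
end

if __FILE__ == $PROGRAM_NAME
  puts demo.inspect   # => {:followed=>true, :refused=>true, :safe_ok=>true}
end
```

The exclusive-create check relies on POSIX semantics: `open(2)` with `O_CREAT|O_EXCL` fails with `EEXIST` when the final path component is a symbolic link, whatever it points to, which is exactly what defeats the pre-placed link. The `mkdtemp` variant is preferable because the attacker never learns the path in the first place, and the `lstat`-based check is the last line of defence before the installer (which, as the advisory notes, can run arbitrary code) is handed the file.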