It is possible to cause cups-exec to execute backends without a sandbox profile by causing cupsdCreateProfile() to fail. An attacker that has obtained sandboxed root access can accomplish this by setting the CUPS temporary directory to immutable using chflags, which will prevent the profile from being written to disk. References: https://blog.gdssecurity.com/labs/2018/7/11/cups-local-privilege-escalation-and-sandbox-escapes.html Upstream patch: https://github.com/apple/cups/commit/d47f6aec436e0e9df6554436e391471097686ecc
Created cups tracking bugs for this issue: Affects: fedora-all [bug 1607293]
Fedora and RHEL are not affected by this flaw since Sandbox feature is not enabled on Linux.
Statement: This issue did not affect the versions of cups as shipped with Red Hat Enterprise Linux as cups on Linux does not support the Sandbox feature.