If an attacker is able to exploit an exposed IPP server to respond with a valid response to be added to the system, and if discovered via mDNS, an existing printer can be directly hijacked (its IPP url replaced with a malicious one) making it indistinguishable from the original one. The `cfGetPrinterAttributes` API does not perform any sanitization on any of the IPP attributes returned by the server. Attributes that are then saved, as they are, in a temporary PPD file via `ppdCreatePPDFromIPP2`. `ppdCreatePPDFromIPP2` doesn't perform any sanitization itself and in fact it just writes to the file any attributes contents. This allows an attacker to return a malicious IPP attribute in the form of `printer-privacy-policy-uri` (which is just one of the several attributes that can be used, the RCE was also confirmed with `printer-info`, `printer-name` and `printer-make-and-model`).
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:7346 https://access.redhat.com/errata/RHSA-2024:7346
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Advanced Update Support Via RHSA-2024:7461 https://access.redhat.com/errata/RHSA-2024:7461
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Extended Update Support Via RHSA-2024:7462 https://access.redhat.com/errata/RHSA-2024:7462
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:7463 https://access.redhat.com/errata/RHSA-2024:7463
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions Via RHSA-2024:7506 https://access.redhat.com/errata/RHSA-2024:7506
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support Red Hat Enterprise Linux 8.4 Telecommunications Update Service Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions Via RHSA-2024:7504 https://access.redhat.com/errata/RHSA-2024:7504
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Extended Update Support Via RHSA-2024:7503 https://access.redhat.com/errata/RHSA-2024:7503
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.7 Advanced Update Support Via RHSA-2024:7551 https://access.redhat.com/errata/RHSA-2024:7551
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Extended Lifecycle Support Via RHSA-2024:7553 https://access.redhat.com/errata/RHSA-2024:7553
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions Red Hat Enterprise Linux 8.6 Telecommunications Update Service Via RHSA-2024:7623 https://access.redhat.com/errata/RHSA-2024:7623