The sandbox profile dynamically generated by cupsdCreateProfile() unintentionally allows write access to /etc/cups. This can be used by an attacker that has obtained sandboxed root access to alter /etc/cups/cups-files.conf, leading to unsandboxed root code execution.

References:
https://blog.gdssecurity.com/labs/2018/7/11/cups-local-privilege-escalation-and-sandbox-escapes.html

Upstream patch:
https://github.com/apple/cups/commit/d47f6aec436e0e9df6554436e391471097686ecc
Created cups tracking bugs for this issue:

Affects: fedora-all [bug 1607293]
Fedora and RHEL are not affected by this flaw since the Sandbox feature is not enabled on Linux.
Statement: This issue did not affect the versions of cups as shipped with Red Hat Enterprise Linux as cups on Linux does not support the Sandbox feature.