Summary
ppdCreatePPDFromIPP2 does not sanitize IPP attributes when creating the PPD buffer
Details
ppdCreatePPDFromIPP2 does not sanitize IPP attributes when creating the PPD buffer. When it is used in combination with other functions such as cfGetPrinterAttributes5, this results in user-controlled input in the generated PPD and ultimately code execution via Foomatic.
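The missing check, sketched as an added example (not libppd's code and not the project's actual fix): an IPP string is validated before it is written as a quoted PPD value, so it cannot close the quoted string or start a new PPD line. The helper names ppd_safe_value and ppd_emit_quoted and the 256-byte limit are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not a libppd function: copy an IPP attribute string
 * into dst only if every byte is safe inside a quoted PPD value.
 * Returns 0 on success, -1 if the value must be rejected. */
static int ppd_safe_value(const char *src, char *dst, size_t dstsize)
{
    size_t n = 0;

    if (!src || !dst || dstsize == 0)
        return -1;
    for (; *src; src++) {
        unsigned char c = (unsigned char)*src;
        /* Control characters (CR/LF included) and DEL could start a new
         * PPD line; a double quote would end the quoted value early. */
        if (c < 0x20 || c == 0x7f || c == '"')
            return -1;
        if (n + 1 >= dstsize)          /* keep room for the NUL */
            return -1;
        dst[n++] = (char)c;
    }
    dst[n] = '\0';
    return 0;
}

/* Hypothetical emitter: writes  *keyword: "value"\n  into out.
 * keyword is assumed to be a constant chosen by the caller, never
 * printer-supplied. Returns bytes written, or -1 on rejection/truncation. */
static int ppd_emit_quoted(char *out, size_t outsize,
                           const char *keyword, const char *ipp_value)
{
    char clean[256];                   /* assumed upper bound for a value */
    int len;

    if (ppd_safe_value(ipp_value, clean, sizeof(clean)) != 0)
        return -1;
    len = snprintf(out, outsize, "*%s: \"%s\"\n", keyword, clean);
    return (len < 0 || (size_t)len >= outsize) ? -1 : len;
}

int main(void)
{
    /* Constructed sample values standing in for printer-supplied strings. */
    const char *samples[] = { "Acme Laser 100", "Acme\nLaser", "Acme \"Laser\"" };
    char line[128];

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("sample %zu: %s\n", i,
               ppd_emit_quoted(line, sizeof(line), "NickName", samples[i]) < 0
                   ? "rejected" : "accepted");
    return 0;
}
```

Rejecting the whole value, rather than stripping the offending bytes, keeps a malformed attribute from reaching the PPD in any form.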
PoC
This bug is part of an exploit chain leading to RCE described here.
Impact
Code execution.