Processed: Re: Bug#911844: okular: Prints to the wrong printer

2019-06-11 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> severity 911844 important
Bug #911844 [okular] okular: Prints to the wrong printer
Severity set to 'important' from 'critical'
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
911844: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=911844
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#911844: okular: Prints to the wrong printer

2019-06-11 Thread Martin Steigerwald
severity: important
thanks

Hi Brian,

Brian Potkin - 10.06.19, 21:32:
> Severity: critical
> thanks
> 
> On Thu 25 Oct 2018 at 12:50:25 +0100, Brian Potkin wrote:
> > Package: okular
> > Version: 4:17.12.2-2
> > Severity: critical
> > Tags: upstream security
> > 
> > 
> > 
> > "critical" because a document should always go to where it is sent.
> > Please reduce the severity if I have overestimated the security
> > implications.
> > 
> > The CUPS version being used is 2.2.8-5 and cups-browsed is not
> > running. The issue was encountered while taking another look at
> > #911702.
[…]
> > The job is always sent to a local queue when its destination precedes
> > realq_desktop alphabetically.
[…]
> I have retested this. There is no change on the present unstable. I
> cannot see why a confidential print job going to a staff printer is
> anything but a security issue. Maybe this is something that merits
> the tag of normal but explanations are in short supply.

Brian, before raising a bug severity to the highest severity possible, 
please read and understand the Debian release team's guidelines 
regarding release critical bugs¹ as well as the general descriptions of 
bug severities².

A "critical" bug is a bug that introduces a (remotely exploitable) 
security hole on systems you install the package to. A "grave" bug is a 
bug that introduces a (remotely exploitable) security hole allowing 
access to the accounts of users using the package.

None of this is the case here.

If at all, the bug might be "serious" if in the maintainer's opinion it 
would make the package unsuitable for release.

Now please respect the reduced bug severity. Raising the severity again 
won't get you any priority handling with an already understaffed Debian 
Qt/KDE team. This is a community of people who are mostly doing unpaid 
work.


Two ways to use your (and our) time in a more productive manner are:

1) Retest with Okular 18.04 from Debian experimental (in case you run 
buster/sid). Or start KDE Neon in a machine and try with the newest 
Okular available there.

2) Remind upstream in a friendly way to have a look at the issue. Once 
there is a patch upstream it is very likely it could be backported for 
buster. Maybe it would be an idea to raise the upstream bug to KDE's 
security team.


[1] https://release.debian.org/testing/rc_policy.txt

[2] https://www.debian.org/Bugs/Developer

Thanks,
-- 
Martin



Bug#911844: okular: Prints to the wrong printer

2019-06-10 Thread Lisandro Damián Nicanor Pérez Meyer
Hi Brian!


On Mon, 10 Jun 2019 at 16:54, Brian Potkin wrote:

> Severity: critical
> thanks
>
>
>
> On Thu 25 Oct 2018 at 12:50:25 +0100, Brian Potkin wrote:
>
> > Package: okular
> > Version: 4:17.12.2-2
> > Severity: critical
> > Tags: upstream security
> >
> >
> >
> > "critical" because a document should always go to where it is sent.
> > Please reduce the severity if I have overestimated the security
> > implications.


Please feel free to prove me wrong.

As far as I understand printing sometimes means an unencrypted connection
to a printer, which means a man in the middle attack should be easy to
achieve. Thus whenever you are printing you should already trust the
network and whatever is in it.

Exception is probably a printer managed directly by CUPS.


Processed (with 1 error): Re: Bug#911844: okular: Prints to the wrong printer

2018-12-12 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> On Thu 25 Oct 2018 at 12:50:25 +0100, Brian Potkin wrote:
Unknown command or malformed arguments to command.
> forwarded 911844 https://bugs.kde.org/show_bug.cgi?id=402015
Bug #911844 [okular] okular: Prints to the wrong printer
Set Bug forwarded-to-address to 'https://bugs.kde.org/show_bug.cgi?id=402015'.
> thanks
Stopping processing here.




Bug#911844: okular: Prints to the wrong printer

2018-10-25 Thread Brian Potkin
Package: okular
Version: 4:17.12.2-2
Severity: critical
Tags: upstream security



"critical" because a document should always go to where it is sent.
Please reduce the severity if I have overestimated the security
implications.

The CUPS version being used is 2.2.8-5 and cups-browsed is not running.
The issue was encountered while taking another look at #911702.

 brian@test:~$ lpstat -e
 aaa
 realq_desktop
 test

aaa and test are local queues set up with

 lpadmin -p  -v file:/home/brian/capture -E -m drv:///sample.drv/generic.ppd

and realq_desktop is a queue on a remote machine.

Okular was started from a terminal. Printing to realq_desktop produces an
output of

 request id is aaa-41 (1 file(s))

The job is always sent to a local queue when its destination precedes
realq_desktop alphabetically.

Removing the aaa queue gets

 /usr/bin/lp: No such file of directory (which is #911702)

I believe printing from LibreOffice to be based on the same principles
as printing from Okular. Printing from that application is not an issue.
qpdfview is another affected application.

Regards,

Brian.
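
Added example, not part of the original report and not code from Okular or CUPS: a shell check that compares the queue named in lp's "request id" acknowledgement with the queue the user selected, which is the symptom reported above. The function names and all sample lines except the quoted aaa-41 line are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect a print job acknowledged on a different queue
# than the one requested. Function names are hypothetical.

# Extract the queue name from "request id is <queue>-<job> (N file(s))".
# Only the final "-<digits>" is the job number, so queue names that
# themselves contain hyphens are kept whole.
queue_from_request_id() {
    printf '%s\n' "$1" |
        sed -n 's/^request id is \(.*\)-[0-9][0-9]* ([0-9][0-9]* file(s))$/\1/p'
}

# Return 0 if the job went to the intended queue, 1 if it was misrouted,
# 2 if the line is not a recognisable lp acknowledgement.
check_destination() {
    intended=$1
    actual=$(queue_from_request_id "$2")
    if [ -z "$actual" ]; then
        echo "UNPARSED: $2"
        return 2
    fi
    if [ "$actual" != "$intended" ]; then
        echo "MISROUTED: wanted '$intended', job queued on '$actual'"
        return 1
    fi
    echo "OK: job queued on '$actual'"
    return 0
}

# Line quoted in the report: job meant for realq_desktop, queued on aaa.
check_destination realq_desktop 'request id is aaa-41 (1 file(s))' || true
# Constructed samples: a correct delivery and a hyphenated queue name.
check_destination realq_desktop 'request id is realq_desktop-42 (1 file(s))' || true
check_destination floor-2-laser 'request id is floor-2-laser-7 (1 file(s))' || true
# The error line from the report is not an acknowledgement at all.
check_destination realq_desktop '/usr/bin/lp: No such file of directory' || true
```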