Bug#911844: okular: Prints to the wrong printer
Severity: critical
thanks
On Thu 25 Oct 2018 at 12:50:25 +0100, Brian Potkin wrote:
> Package: okular
> Version: 4:17.12.2-2
> Severity: critical
> Tags: upstream security
>
>
>
> "critical" because a document should always go to where it is sent.
> Please reduce the severity if I have overestimated the security
> implications.
>
> The CUPS version being used is 2.2.8-5 and cups-browsed is not running.
> The issue was encountered while taking another look at #911702.
>
> brian@test:~$ lpstat -e
> aaa
> realq_desktop
> test
>
> aaa and test are local queues set up with
>
> lpadmin -p <destination> -v file:/home/brian/capture -E -m drv:///sample.drv/generic.ppd
>
> and realq_desktop is a queue on a remote machine.
>
> Okular was started from a terminal. Printing to realq_desktop produces an
> output of
>
> request id is aaa-41 (1 file(s))
>
> The job is always sent to a local queue when its destination precedes
> realq_desktop alphabetically.
>
> Removing the aaa queue gets
>
> /usr/bin/lp: No such file of directory (which is #911702)
>
> I believe printing from LibreOffice to be based on the same principles
> as printing from Okular. Printing from that application is not an issue.
> qpdfview is another affected application.
I have retested this. There is no change on the present unstable. I
cannot see why a confidential print job going to a staff printer is
anything but a security issue. Maybe this is something that merits
the tag of normal but explanations are in short supply.
Regards,
Brian.
Reply to: