
Re: Bug severity and private data disclosure

On Mon, Jun 10, 2013 at 1:15 PM, Vincent Lefevre <vincent@vinc17.net> wrote:
> I reported a bug involving private data disclosure, more precisely,
> on some network, when printing a file with CUPS 1.6, the file is
> printed on a wrong printer[*]. The bug severity was downgraded to
> important (i.e. non-RC), despite the obvious security problem. The
> given reason was that this kind of security problem is not mentioned
> on:
>   http://www.debian.org/Bugs/Developer.en.html#severities
> If Debian really minds about some forms of security bugs such as
> private data disclosure, something should be done... Perhaps replace
>   allowing access to the accounts of users who use the package
> by
>   allowing access to private data of users who use the package
> (BTW, logging passwords in general log files would fall in the same
> class of security bugs.)
> [*] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=711848
> --
> Vincent Lefèvre <vincent@vinc17.net> - Web: <http://www.vinc17.net/>
> 100% accessible validated (X)HTML - Blog: <http://www.vinc17.net/blog/>
> Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)


hplip is affected by the same kind of bug, see #653062. I am a teacher,
and instead of printing on the correct printer it prints the subject of
my test on the student network printer*....


* I have the same short name for the printer of the student and staff
networks, only the FQDN changes...
