
Re: Bug#911844: okular: Prints to the wrong printer
On Tue 11 Jun 2019 at 09:53:50 +0200, Martin Steigerwald wrote:

> severity: important
> thanks
> 
> Hi Brian,
> 
> Brian Potkin - 10.06.19, 21:32:
> > Severity: critical
> > thanks
> > 
> > On Thu 25 Oct 2018 at 12:50:25 +0100, Brian Potkin wrote:
> > > Package: okular
> > > Version: 4:17.12.2-2
> > > Severity: critical
> > > Tags: upstream security
> > > 
> > > 
> > > 
> > > "critical" because a document should always go to where it is sent.
> > > Please reduce the severity if I have overestimated the security
> > > implications.
> > > 
> > > The CUPS version being used is 2.2.8-5 and cups-browsed is not
> > > running. The issue was encountered while taking another look at
> > > #911702.
> […]
> > > The job is always sent to a local queue when its destination
> > > precedes realq_desktop alphabetically.
> […]
> > I have retested this. There is no change on the present unstable. I
> > cannot see why a confidential print job going to a staff printer is
> > anything but a security issue. Maybe this is something that merits
> > the tag of normal but explanations are in short supply.
> 
> Brian, before raising a bug severity to the highest severity possible, 
> please read and understand the Debian release team's guidelines 
> regarding release critical bugs¹ as well as the general descriptions of 
> bug severities².
> 
> A "critical" bug is a bug that introduces a (remotely exploitable) 
> security hole on systems you install the package to. A "grave" bug is a 
> bug that introduces a (remotely exploitable) security hole allowing 
> access to the accounts of users using the package.

Thank you, Martin, for taking the time and trouble to explain. I admit
to feeling uneasy about raising the severity level and did give it some
thought - but obviously not enough. Anyway, it's something for me to
take into account for the future.

> None of this is the case here.
> 
> If at all, the bug might be "serious" if in the maintainers' opinion it 
> would make the package unsuitable for release.
> 
> Now please respect the reduced bug severity. Raising the severity again 
> won't get you any priority handling with an already understaffed Debian 
> Qt/KDE team. This is a community of people who are mostly doing unpaid 
> work.
 
I have no intention of touching the severity level again.

> Two ways to use your (and our) time in a more productive manner are:
> 
> 1) Retest with Okular 18.04 from Debian experimental (in case you run 
> buster/sid). Or start KDE Neon in a machine and try with the newest 
> Okular available there.

There might be time for me to do both of these today or tomorrow.
 
> 2) Remind upstream in a friendly way to have a look at the issue. Once 
> there is a patch upstream it is very likely it could be backported for 
> buster. Maybe it would be an idea to raise the upstream bug to KDE's 
> security team.

You seem to have done that. Thanks.

Regards,

Brian.
