severity: important

Hi Brian,

Brian Potkin - 10.06.19, 21:32:
> Severity: critical
> thanks
> On Thu 25 Oct 2018 at 12:50:25 +0100, Brian Potkin wrote:
> > Package: okular
> > Version: 4:17.12.2-2
> > Severity: critical
> > Tags: upstream security
> > 
> > 
> > 
> > "critical" because a document should always go to where it is sent.
> > Please reduce the severity if I have overestimated the security
> > implications.
> > 
> > The CUPS version being used is 2.2.8-5 and cups-browsed is not
> > running. The issue was encountered while taking another look at
> > #911702.> 
> > The job is always sent to a local queue when its destination
> > precedes
> > realq_desktop alphabetically.
> I have retested this. There is no change on the present unstable. I
> cannot see why a confidential print job going to a staff printer is
> anything but a security issue. Maybe this is something that merits
> the tag of normal but explanations are in short supply.

Brian, before raising a bug severity to the highest severity possible, 
please read and understand the Debian's release team guidelines 
regarding release critical bugs¹ as well as the general descriptions of 
bug severities².

A "critical" bug is a bug that introduces a (remotely exploitable) 
security hole on systems you install the package to. A "grave" bug is a 
bug that introduces a (remotely exploitable) security hole allowing 
access to the accounts of users using the package.

None of this is the case here.

If at all, the bug might be "serious" if in the maintainers opinion it 
would make the package unsuitable for release.

Now please respect the reduced bug severity. Raising the severity again 
won't get you any priority handling with an already understaffed Debian 
Qt/KDE team. This is a community of people who are mostly doing unpaid 

Two ways to use your (and our) time in a more productive manner are:

1) Retest with Okular 18.04 from Debian experimental (in case you run 
buster/sid). Or start KDE Neon in a machine and try with the newest 
Okular available there.

2) Remind upstream in a friendly way to have a look at the issue. Once 
there is a patch upstream it is very likely it could be backported for 
buster. Maybe it would be an idea to raise the upstream bug to KDE's 
security team.




Reply via email to