[Secure-testing-team] Bug#711848: cups-client: lp and lpr print the document on a wrong printer

[Vincent Lefevre]

Package: cups-client
Version: 1.6.2-8
Severity: grave
Tags: security
Justification: user security hole

I have the following options in ".cups/lpoptions":

Dest lip-multi-3 ColorModel=Gray Resolution=1200dpi
Default lipucb-mono-1

The lpq command gives as expected:

lipucb-mono-1 is ready
no entries

But when I print a document with "lpr file.pdf", I get nothing on
this printer. Then I tried: "lp file.pdf", and I get nothing either
on this printer, but the following line was output in the terminal:

request id is lip-multi-1-292103 (1 file(s))

lip-multi-1 is a printer in a different building...

The LPDEST and PRINTER environment variables are not set.

CUPS 1.5.x didn't have such a problem.

This is a big security problem when one wants to print documents
with confidential information...

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.9-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages cups-client depends on:
ii  adduser        3.113+nmu3
ii  cups-common    1.6.2-8
ii  libc6          2.17-5
ii  libcups2       1.6.2-8
ii  libcupsimage2  1.6.2-8

Versions of packages cups-client recommends:
pn  smbclient  <none>

Versions of packages cups-client suggests:
ii  cups      1.6.2-8
ii  cups-bsd  1.6.2-8
ii  xpp       1.5-cvs20050828-1.2

-- no debconf information