#658332 printer-driver-cups-pdf: including username in output poses a privacy risk

Package:
printer-driver-cups-pdf
Source:
cups-pdf
Description:
printer driver for PDF writing via CUPS
Submitter:
Ryo Furue
Date:
2025-03-29 09:39:01 UTC
Severity:
wishlist
Tags:
#658332#5
Date:
2012-02-02 02:22:46 UTC
From:
To:
Dear Maintainer,

The PDF files produced from cups-pdf always contains Author,
which is bad for security if the user wants to generate
sensitive PDF files.

The Author field is in the format of "(username)".
I confirmed this from LibreOffice writer, and Opera (browser),
and Chrome (browser).  When I tested LibreOffice, I specifically
switched off the inclusion of the user info in the document.

The PDF file produced by cups-pdf contains the "(username)" string
in two places.  One is as a regular PDF metadata, which you can
remove using a tool like pdftk.  But, I don't know how to delete
the other one, which takes the form of

<rdf:Description rdf:about='864de34d-855f-11ec-0000-eb4edbf2574'
xmlns:dc='http://purl.org/dc/elements/1.1/'
dc:format='application/pdf'><dc:title><rdf:Alt><rdf:li
xml:lang='x-default'>(Print -
Google)</rdf:li></rdf:Alt></dc:title><dc:creator><rdf:Seq><rdf:li>(furue)</rdf:li></rdf:Seq></dc:creator></rdf:Description>

In the above, "(furue)" is the string in question.

Regards,
Ryo

#658332#34
Date:
2021-09-27 11:32:22 UTC
From:
To:
Greetings,

Does the issue you reported against printer-driver-cups-pdf still
apply to the 3.0.1-9 version currently shipping with Debian 11
(Bullseye)?

Martin-Éric

#658332#37
Date:
2021-09-27 11:32:22 UTC
From:
To:
Greetings,

Does the issue you reported against printer-driver-cups-pdf still
apply to the 3.0.1-9 version currently shipping with Debian 11
(Bullseye)?

Martin-Éric

#658332#44
Date:
2021-09-28 03:42:38 UTC
From:
To:
Dear Martin-Éric,

Sorry I no longer use Debian, and I don't have access to a Debian machine.

But, if this printer driver is still used today, you don't want to close
this bug without testing, because including the user name in the PDF file
without the user's knowledge isn't acceptable.  As far as I remember, I was
worried about this problem when I needed to submit an anonymized document.
Such needs still exist today.

To test this, you just open some document on a webbrowser and print it into
a PDF file and

$ strings generatedfile.pdf | grep -i <sensitiveinformation>

Also, I think there are tools to print PDF metadata.

When I did this on my current computer (macOS), the PDF file indeed didn't
include any user information as far as I can tell.

Regards,

Ryo

#658332#49
Date:
2021-09-28 03:42:38 UTC
From:
To:
Dear Martin-Éric,

Sorry I no longer use Debian, and I don't have access to a Debian machine.

But, if this printer driver is still used today, you don't want to close
this bug without testing, because including the user name in the PDF file
without the user's knowledge isn't acceptable.  As far as I remember, I was
worried about this problem when I needed to submit an anonymized document.
Such needs still exist today.

To test this, you just open some document on a webbrowser and print it into
a PDF file and

$ strings generatedfile.pdf | grep -i <sensitiveinformation>

Also, I think there are tools to print PDF metadata.

When I did this on my current computer (macOS), the PDF file indeed didn't
include any user information as far as I can tell.

Regards,

Ryo

#658332#52
Date:
2021-09-28 03:42:38 UTC
From:
To:
Dear Martin-Éric,

Sorry I no longer use Debian, and I don't have access to a Debian machine.

But, if this printer driver is still used today, you don't want to close
this bug without testing, because including the user name in the PDF file
without the user's knowledge isn't acceptable.  As far as I remember, I was
worried about this problem when I needed to submit an anonymized document.
Such needs still exist today.

To test this, you just open some document on a webbrowser and print it into
a PDF file and

$ strings generatedfile.pdf | grep -i <sensitiveinformation>

Also, I think there are tools to print PDF metadata.

When I did this on my current computer (macOS), the PDF file indeed didn't
include any user information as far as I can tell.

Regards,

Ryo

#658332#77
Date:
2025-03-11 18:44:55 UTC
From:
To:
Revisiting the above issue, I notice that files printed by e.g.
Firefox to CUPS-PDF indeed include the creator and Author strings. I
don't see anything in CUPS-PDF source that would produce these. I'm
thus begining to wonder whether CUPS itself includes these fields by
standard? If yes, shall we reassign this bug to CUPS?

Martin-Éric