I attached the wrong diff.  I'm now attaching the right one.

Regards,

Bart Martens
diff -Nru flashplugin-nonfree-3.1/debian/changelog flashplugin-nonfree-3.2/debian/changelog
--- flashplugin-nonfree-3.1/debian/changelog	2012-09-15 14:50:34.000000000 +0200
+++ flashplugin-nonfree-3.2/debian/changelog	2012-12-13 22:07:41.000000000 +0100
@@ -1,3 +1,16 @@
+flashplugin-nonfree (1:3.2) unstable; urgency=low
+
+  * update-flashplugin-nonfree: Added use of "gpg --verify" to notice files
+    without signature.  Thanks to Ansgar Burchardt for reporting the security
+    issue (via private e-mail on 13 Dec 2012).
+  * get-upstream-version.pl: Added validation of link to flash.
+    Thanks to Henrik Ahlgren for reporting the security issue (on
+    debian-security on 12 Dec 2012).
+  * debian/postinst: Added removal of cached get-upstream-version.pl so that a
+    fresh copy is downloaded.
+
+ -- Bart Martens <ba...@debian.org>  Thu, 13 Dec 2012 17:45:13 +0000
+
 flashplugin-nonfree (1:3.1) unstable; urgency=low
 
   * get-upstream-version.pl: Added error handling with "failed to read $url".
diff -Nru flashplugin-nonfree-3.1/debian/postinst flashplugin-nonfree-3.2/debian/postinst
--- flashplugin-nonfree-3.1/debian/postinst	2010-06-17 18:54:42.000000000 +0200
+++ flashplugin-nonfree-3.2/debian/postinst	2012-12-13 19:07:59.000000000 +0100
@@ -4,6 +4,7 @@
 
 case "$1" in
     configure)
+	rm -f /var/cache/flashplugin-nonfree/get-upstream-version.pl
 	update-flashplugin-nonfree --install --fast || true
     ;;
 
diff -Nru flashplugin-nonfree-3.1/get-upstream-version.pl flashplugin-nonfree-3.2/get-upstream-version.pl
--- flashplugin-nonfree-3.1/get-upstream-version.pl	2012-09-15 14:39:21.000000000 +0200
+++ flashplugin-nonfree-3.2/get-upstream-version.pl	2012-12-13 18:46:50.000000000 +0100
@@ -50,6 +50,7 @@
 
 my $link_to_flash = $1;
 $link_to_flash =~ s,^/,,;
+die "link to flash contains invalid characters: $link_to_flash" if( $link_to_flash !~ m%^[a-zA-Z0-9/=?]+$% );
 
 $url = "http://www.adobe.com/$link_to_flash";;
 $page = read_page( $ARGV[0], $url );
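Review bot: The whitelist on the added `die` line is anchored with `^` and `$`, and `$` also matches just before a trailing newline, so a `$link_to_flash` ending in "\n" passes the check and is interpolated into the URL on the next line; anchor with `\A` and `\z` instead. The same `die` echoes the rejected, untrusted value verbatim into the error message, which is the one string this check exists to distrust (terminal escape sequences, for instance), so drop it from the message or truncate it. A fix on one line: `die "link to flash contains invalid characters" if $link_to_flash !~ m%\A[a-zA-Z0-9/=?]+\z%;`. The match that populates `$1` is above the hunk, so I cannot see what the capture can contain.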
diff -Nru flashplugin-nonfree-3.1/update-flashplugin-nonfree flashplugin-nonfree-3.2/update-flashplugin-nonfree
--- flashplugin-nonfree-3.1/update-flashplugin-nonfree	2012-09-15 14:28:52.000000000 +0200
+++ flashplugin-nonfree-3.2/update-flashplugin-nonfree	2012-12-13 18:25:48.000000000 +0100
@@ -194,6 +194,8 @@
 		wget $wgetoptions $downloadurl \
 			|| die_hard_with_a_cleanup "wget failed to download $downloadurl"
 
+		gpg -q --homedir "." --verify get-upstream-version.pl.gz.pgp 2> /dev/null \
+			|| die_hard_with_a_cleanup "gpg rejected signature of get-upstream-version.pl.gz.pgp"
 		gpg -q --homedir "." < get-upstream-version.pl.gz.pgp > get-upstream-version.pl.gz 2> /dev/null \
 			|| die_hard_with_a_cleanup "gpg rejected signature of get-upstream-version.pl.gz.pgp"
 
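Review bot: The new `gpg --verify` accepts a good signature from any key present in the `--homedir "."` keyring, and the data actually used is produced by a second, separate `gpg` run on the following line, so the only link between "verified" and "extracted" is the exit status of the first command; the gpg documentation recommends checking `--status-fd` output rather than the exit code for programmatic verification. A tighter shape is a single pass that both writes the output and reports on the signature, roughly `gpg -q --homedir . --status-fd 3 --output get-upstream-version.pl.gz --decrypt get-upstream-version.pl.gz.pgp 3>gpg.status`, followed by a check that gpg.status contains a `VALIDSIG` line with the expected signing-key fingerprint. How the keyring under `.` is populated is outside this hunk, so I cannot tell whether it is restricted to the intended key. Also, `2> /dev/null` discards gpg's reason for rejecting the file, which makes an unusual-but-legitimate failure indistinguishable from tampering in the log.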
@@ -239,6 +241,8 @@
 			wget $wgetoptions $downloadurl \
 				|| die_hard_with_a_cleanup "wget failed to download $downloadurl"
 			[ "$verbose" != "yes" ] || echo "verifying PGP $downloadfile ..."
+			gpg -q --homedir "." --verify $downloadfile 2> /dev/null \
+				|| die_hard_with_a_cleanup "gpg rejected signature of $downloadurl"
 			gpg -q --homedir "." < $downloadfile > checksums.txt 2> /dev/null \
 				|| die_hard_with_a_cleanup "gpg rejected signature of $downloadurl"
 
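Review bot: The failure message on the added `|| die_hard_with_a_cleanup` line is identical to the one on the decrypt line just below it (`gpg rejected signature of $downloadurl`), and both gpg calls send stderr to /dev/null, so a log cannot distinguish a missing or bad signature from a failure to unpack checksums.txt. Give the `--verify` failure its own wording, e.g. `|| die_hard_with_a_cleanup "no valid signature on $downloadfile"`. As with the script download above, the checksums actually consumed come from the second, separate gpg pass rather than from the invocation that was verified, and any key in the `--homedir .` keyring is accepted; a single `--status-fd` pass checked for `VALIDSIG` with a pinned fingerprint would close that gap. `$downloadfile` and `$downloadurl` are assigned above the hunk.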
