I attached the wrong diff. I'm now attaching the right one. Regards,
Bart Martens
diff -Nru flashplugin-nonfree-3.1/debian/changelog flashplugin-nonfree-3.2/debian/changelog
--- flashplugin-nonfree-3.1/debian/changelog 2012-09-15 14:50:34.000000000 +0200
+++ flashplugin-nonfree-3.2/debian/changelog 2012-12-13 22:07:41.000000000 +0100
@@ -1,3 +1,16 @@
+flashplugin-nonfree (1:3.2) unstable; urgency=low
+
+ * update-flashplugin-nonfree: Added use of "gpg --verify" to notice files
+ without signature. Thanks to Ansgar Burchardt for reporting the security
+ issue (via private e-mail on 13 Dec 2012).
+ * get-upstream-version.pl: Added validation of link to flash.
+ Thanks to Henrik Ahlgren for reporting the security issue (on
+ debian-security on 12 Dec 2012).
+ * debian/postinst: Added removal of cached get-upstream-version.pl so that a
+ fresh copy is downloaded.
+
+ -- Bart Martens <ba...@debian.org> Thu, 13 Dec 2012 17:45:13 +0000
+
 flashplugin-nonfree (1:3.1) unstable; urgency=low
 
  * get-upstream-version.pl: Added error handling with "failed to read $url".
diff -Nru flashplugin-nonfree-3.1/debian/postinst flashplugin-nonfree-3.2/debian/postinst
--- flashplugin-nonfree-3.1/debian/postinst 2010-06-17 18:54:42.000000000 +0200
+++ flashplugin-nonfree-3.2/debian/postinst 2012-12-13 19:07:59.000000000 +0100
@@ -4,6 +4,7 @@
 case "$1" in
 configure)
+ rm -f /var/cache/flashplugin-nonfree/get-upstream-version.pl
 update-flashplugin-nonfree --install --fast || true
 ;;
diff -Nru flashplugin-nonfree-3.1/get-upstream-version.pl flashplugin-nonfree-3.2/get-upstream-version.pl
--- flashplugin-nonfree-3.1/get-upstream-version.pl 2012-09-15 14:39:21.000000000 +0200
+++ flashplugin-nonfree-3.2/get-upstream-version.pl 2012-12-13 18:46:50.000000000 +0100
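Review bot: The added `rm -f` line gives no hint of why the cached script must be discarded, and the reason is not local to this file (it is the signature check introduced elsewhere in the same upload), so a one-line comment above it keeps that intent from being lost, e.g. `# discard any copy of get-upstream-version.pl cached before signature verification was enforced`. Because the removal is unconditional, every configure run (not only the upgrade from an older version) forces a fresh download; if that is unwanted the line could be guarded with `dpkg --compare-versions` on `$2`, but unconditional removal is the safer default for a previously unverified file. The `case` statement this line sits in closes outside the hunk.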
@@ -50,6 +50,7 @@
 my $link_to_flash = $1;
 $link_to_flash =~ s,^/,,;
+die "link to flash contains invalid characters: $link_to_flash" if( $link_to_flash !~ m%^[a-zA-Z0-9/=?]+$% );
 $url = "http://www.adobe.com/$link_to_flash";
 $page = read_page( $ARGV[0], $url );
diff -Nru flashplugin-nonfree-3.1/update-flashplugin-nonfree flashplugin-nonfree-3.2/update-flashplugin-nonfree
--- flashplugin-nonfree-3.1/update-flashplugin-nonfree 2012-09-15 14:28:52.000000000 +0200
+++ flashplugin-nonfree-3.2/update-flashplugin-nonfree 2012-12-13 18:25:48.000000000 +0100
@@ -194,6 +194,8 @@
 wget $wgetoptions $downloadurl \
 || die_hard_with_a_cleanup "wget failed to download $downloadurl"
+ gpg -q --homedir "." --verify get-upstream-version.pl.gz.pgp 2> /dev/null \
+ || die_hard_with_a_cleanup "gpg rejected signature of get-upstream-version.pl.gz.pgp"
 gpg -q --homedir "." < get-upstream-version.pl.gz.pgp > get-upstream-version.pl.gz 2> /dev/null \
 || die_hard_with_a_cleanup "gpg rejected signature of get-upstream-version.pl.gz.pgp"
@@ -239,6 +241,8 @@
 wget $wgetoptions $downloadurl \
 || die_hard_with_a_cleanup "wget failed to download $downloadurl"
 [ "$verbose" != "yes" ] || echo "verifying PGP $downloadfile ..."
+ gpg -q --homedir "." --verify $downloadfile 2> /dev/null \
+ || die_hard_with_a_cleanup "gpg rejected signature of $downloadurl"
 gpg -q --homedir "." < $downloadfile > checksums.txt 2> /dev/null \
 || die_hard_with_a_cleanup "gpg rejected signature of $downloadurl"
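Review bot: The whitelist on the added `die` line ends with `$`, which in Perl also matches just before a trailing newline, so if the capture that set `$1` (outside the hunk) can ever include one, a link ending in "\n" passes the check and is interpolated into `$url` on the following line; anchoring with `\A` and `\z` makes the whole string consist of permitted characters only: `die "link to flash contains invalid characters: $link_to_flash" if $link_to_flash !~ m{\A[a-zA-Z0-9/=?]+\z};`. The character class also rejects characters that are common in URL paths (`.`, `-`, `_`, `&`, `%`); that is the safe direction, but it deserves a comment so a maintainer who later sees the script abort on a legitimate link knows the rejection is deliberate, e.g. `# only characters we are willing to append to http://www.adobe.com/; anything else aborts instead of being fetched`. The earlier match that populates `$1` and the `read_page` helper lie outside the hunk.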
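Review bot: `gpg --verify` returns success for a good signature from any key present in the keyring under `--homedir "."`, so the added check only pins the signer to the extent that keyring contains nothing but the intended key; the same applies to the `--verify $downloadfile` line in the hunk at `@@ -239,6 +241,8 @@`. If a second key could ever end up in that keyring, a stronger check is to pass `--status-fd 1` and require a `VALIDSIG` line carrying the expected fingerprint rather than relying on the exit status alone. With `2> /dev/null` the rejection reason is discarded, so a bad signature and a missing or unreadable keyring produce the same `die_hard_with_a_cleanup` message; routing stderr to the verbose output would make failures diagnosable. In the second hunk `$downloadfile` is unquoted, matching the neighbouring existing lines, but `"$downloadfile"` is the safer form even when the value is presumably set by the script itself.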