Bug#695954: unblock: flashplugin-nonfree/1:3.2
I attached the wrong diff. I'm now attaching the right one.
Regards,
Bart Martens
diff -Nru flashplugin-nonfree-3.1/debian/changelog flashplugin-nonfree-3.2/debian/changelog
--- flashplugin-nonfree-3.1/debian/changelog 2012-09-15 14:50:34.000000000 +0200
+++ flashplugin-nonfree-3.2/debian/changelog 2012-12-13 22:07:41.000000000 +0100
@@ -1,3 +1,16 @@
+flashplugin-nonfree (1:3.2) unstable; urgency=low
+
+ * update-flashplugin-nonfree: Added use of "gpg --verify" to notice files
+ without signature. Thanks to Ansgar Burchardt for reporting the security
+ issue (via private e-mail on 13 Dec 2012).
+ * get-upstream-version.pl: Added validation of link to flash.
+ Thanks to Henrik Ahlgren for reporting the security issue (on
+ debian-security on 12 Dec 2012).
+ * debian/postinst: Added removal of cached get-upstream-version.pl so that a
+ fresh copy is downloaded.
+
+ -- Bart Martens <bartm@debian.org> Thu, 13 Dec 2012 17:45:13 +0000
+
flashplugin-nonfree (1:3.1) unstable; urgency=low
* get-upstream-version.pl: Added error handling with "failed to read $url".
diff -Nru flashplugin-nonfree-3.1/debian/postinst flashplugin-nonfree-3.2/debian/postinst
--- flashplugin-nonfree-3.1/debian/postinst 2010-06-17 18:54:42.000000000 +0200
+++ flashplugin-nonfree-3.2/debian/postinst 2012-12-13 19:07:59.000000000 +0100
@@ -4,6 +4,7 @@
case "$1" in
configure)
+ rm -f /var/cache/flashplugin-nonfree/get-upstream-version.pl
update-flashplugin-nonfree --install --fast || true
;;
diff -Nru flashplugin-nonfree-3.1/get-upstream-version.pl flashplugin-nonfree-3.2/get-upstream-version.pl
--- flashplugin-nonfree-3.1/get-upstream-version.pl 2012-09-15 14:39:21.000000000 +0200
+++ flashplugin-nonfree-3.2/get-upstream-version.pl 2012-12-13 18:46:50.000000000 +0100
@@ -50,6 +50,7 @@
my $link_to_flash = $1;
$link_to_flash =~ s,^/,,;
+die "link to flash contains invalid characters: $link_to_flash" if( $link_to_flash !~ m%^[a-zA-Z0-9/=?]+$% );
$url = "http://www.adobe.com/$link_to_flash";
$page = read_page( $ARGV[0], $url );
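Review bot: The `$` anchor in the added check still admits a `$link_to_flash` that ends in a newline, because `$` without `/m` also matches just before a trailing newline, so such a value would pass validation and be interpolated into `$url` on the next line; `\A` and `\z` pin both ends of the string: `die "link to flash contains invalid characters: $link_to_flash" if $link_to_flash !~ m{\A[a-zA-Z0-9/=?]+\z};`. Whether the capture that feeds `$link_to_flash` (assigned from `$1` at the top of the hunk, by a regex outside it) can end in a newline cannot be seen here, but the tighter anchors cost nothing. The allowed set leaves out `.`, `@`, `#` and `%`, so traversal, userinfo and fragment forms cannot reach the `http://www.adobe.com/` URL built below; a comment such as `# whitelist: the link comes from a page fetched over plain HTTP, so reject anything outside this set before it is used to build $url` would record why the set is this narrow. The surrounding code continues outside the hunk.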
diff -Nru flashplugin-nonfree-3.1/update-flashplugin-nonfree flashplugin-nonfree-3.2/update-flashplugin-nonfree
--- flashplugin-nonfree-3.1/update-flashplugin-nonfree 2012-09-15 14:28:52.000000000 +0200
+++ flashplugin-nonfree-3.2/update-flashplugin-nonfree 2012-12-13 18:25:48.000000000 +0100
@@ -194,6 +194,8 @@
wget $wgetoptions $downloadurl \
|| die_hard_with_a_cleanup "wget failed to download $downloadurl"
+ gpg -q --homedir "." --verify get-upstream-version.pl.gz.pgp 2> /dev/null \
+ || die_hard_with_a_cleanup "gpg rejected signature of get-upstream-version.pl.gz.pgp"
gpg -q --homedir "." < get-upstream-version.pl.gz.pgp > get-upstream-version.pl.gz 2> /dev/null \
|| die_hard_with_a_cleanup "gpg rejected signature of get-upstream-version.pl.gz.pgp"
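Review bot: The added `--verify` at the top of the hunk and the extraction two lines below are two independent gpg passes over get-upstream-version.pl.gz.pgp, so the bytes written to get-upstream-version.pl.gz still come from the invocation that previously accepted unsigned input, and the check relies on both passes interpreting the file the same way (whether an input mixing signed and unsigned packets can pass `--verify` yet yield extra data from the plain invocation depends on the gpg version in use and cannot be settled from the hunk). A single pass, `gpg -q --homedir "." --status-file gpg.status --output get-upstream-version.pl.gz --decrypt get-upstream-version.pl.gz.pgp 2> /dev/null`, followed by `grep -q '^\[GNUPG:\] VALIDSIG ' gpg.status || die_hard_with_a_cleanup "..."`, makes the written output conditional on a good signature from the same parse and also exposes the signing fingerprint on the VALIDSIG line, which could be compared against the expected key. `--verify` exits 0 for a good signature from any key in the homedir keyring, so the check also relies on the keyring under "." holding only the intended key; that setup is outside the hunk. The same two-pass pattern is added at `@@ -239,6 +241,8 @@` for `$downloadfile`, which is additionally left unquoted in both gpg lines there; both hunks' enclosing code runs past their edges.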
@@ -239,6 +241,8 @@
wget $wgetoptions $downloadurl \
|| die_hard_with_a_cleanup "wget failed to download $downloadurl"
[ "$verbose" != "yes" ] || echo "verifying PGP $downloadfile ..."
+ gpg -q --homedir "." --verify $downloadfile 2> /dev/null \
+ || die_hard_with_a_cleanup "gpg rejected signature of $downloadurl"
gpg -q --homedir "." < $downloadfile > checksums.txt 2> /dev/null \
|| die_hard_with_a_cleanup "gpg rejected signature of $downloadurl"