Bug#695956: pu: package flashplugin-nonfree/1:2.8.2+squeeze1
Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: pu
Tags: squeeze
Please consider updating flashplugin-nonfree in squeeze for fixing a security
bug. Diff attached. A prepared package is here:
http://people.debian.org/~bartm/flashplugin-nonfree/stable/
diff -ruN ../orig/flashplugin-nonfree-2.8.2/debian/changelog ./debian/changelog
--- ../orig/flashplugin-nonfree-2.8.2/debian/changelog 2010-09-17 21:04:37.000000000 +0200
+++ ./debian/changelog 2012-12-14 19:05:13.000000000 +0100
@@ -1,3 +1,11 @@
+flashplugin-nonfree (1:2.8.2+squeeze1) stable; urgency=low
+
+ * update-flashplugin-nonfree: Added use of "gpg --verify" to notice files
+ without signature. Thanks to Ansgar Burchardt for reporting the security
+ issue (via private e-mail on 13 Dec 2012).
+
+ -- Bart Martens <bartm@debian.org> Fri, 14 Dec 2012 19:03:40 +0100
+
flashplugin-nonfree (1:2.8.2) unstable; urgency=low
* Removed "64 bit player temporarily not supported". Closes: #586273.
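Review bot: The new changelog entry sets urgency=low on its first line while the text below it describes a security issue, and it carries no bug reference. Consider stating in the entry what the script did with a file without a signature before this change, so that someone reading only the changelog can judge the impact, and check whether low is the intended urgency.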
diff -ruN ../orig/flashplugin-nonfree-2.8.2/update-flashplugin-nonfree ./update-flashplugin-nonfree
--- ../orig/flashplugin-nonfree-2.8.2/update-flashplugin-nonfree 2010-09-17 20:42:15.000000000 +0200
+++ ./update-flashplugin-nonfree 2012-12-14 19:06:17.000000000 +0100
@@ -164,6 +164,8 @@
gpg -q --homedir "." --import /usr/lib/flashplugin-nonfree/pubkey.asc > /dev/null 2>&1 \
|| die_hard_with_a_cleanup "gpg failed to import /usr/lib/flashplugin-nonfree/pubkey.asc"
[ "$verbose" != "yes" ] || echo "verifying PGP $downloadfile ..."
+ gpg -q --homedir "." --verify $downloadfile 2> /dev/null \
+ || die_hard_with_a_cleanup "gpg rejected signature of $downloadurl"
gpg -q --homedir "." < $downloadfile > checksums.txt 2> /dev/null \
|| die_hard_with_a_cleanup "gpg rejected signature of $downloadurl"
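Review bot: The added `--verify` call and the existing extraction into checksums.txt on the following line are two separate gpg runs over $downloadfile, so the script relies on the second run emitting exactly the data the first run verified. Consider a single run that writes checksums.txt and reports through `--status-fd`, accepting the output only when a VALIDSIG line for the expected key fingerprint is present. Smaller points: $downloadfile is unquoted in the added call, and the new failure message is identical to the existing one while stderr goes to /dev/null in both, so a log cannot show which step failed; a distinct message such as "gpg found no valid signature on $downloadurl" would help.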