Hi,
This seems to be at least mitigated by an md5sum check of the file
contents. There are still attack vectors in the programs used to look at
the download (arguably just wget, tar and b43-fwcutter). There's also the
possibility of hash collisions, but that's less likely given the file
still needs to be recognized as valid by b43-fwcutter and possibly the
kernel if it makes it that far.

postinst calls b43-fwcutter which extracts the file and then checks the
md5sum of the contained file. b43-fwcutter supports skipping the check,
but this is not automatic and is not done by the postinst script.

See
http://anonscm.debian.org/cgit/collab-maint/b43-fwcutter.git/tree/fwcutter_list.h
and an example of how new firmware support was added upstream:
http://lists.infradead.org/pipermail/b43-dev/2013-July/003173.html

If firmware 784.2 from Asus driver 6.30.163.46 is accepted as GPL, then the
firmware could just be included in the kernel (see the patch above from
2013), and directly in this package.

Cheers,

     Drew Daniels
Blog: http://www.boxheap.net/ddaniels/blog/

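The "extract, then check the md5sum of each contained file" step that the message above describes, as an added example in POSIX shell; this is not the b43-fwcutter package's own code or its postinst. The firmware list, the archive layout (firmware/ucode5.fw), the "hello" stand-in blob content and the function names are all constructed for this example; the real expected digests live in fwcutter_list.h. The example assumes md5sum, tar and mktemp from a normal Linux userland.

```shell
#!/bin/sh
# Added example (not b43-fwcutter's or the Debian package's code): mimic
# "extract the archive, then verify each contained blob against a fixed
# md5sum list" with no switch to skip the check.

# Constructed list of expected blobs, one per line:
#   <path inside the extracted tree> <expected md5sum>
# The blob content used below is the bytes "hello\n"; its md5sum is fixed.
KNOWN_BLOBS="firmware/ucode5.fw b1946ac92492d2347c6235b4d2611184"

# md5_of FILE -> prints the hex md5 digest of FILE.
md5_of() {
    md5sum "$1" | cut -d' ' -f1
}

# verify_blob FILE EXPECTED_MD5 -> 0 if FILE exists and its digest matches,
# 1 otherwise. A missing file is treated as a failure, not skipped.
verify_blob() {
    [ -f "$1" ] || return 1
    [ "$(md5_of "$1")" = "$2" ]
}

# verify_extracted DIR -> checks every entry of KNOWN_BLOBS under DIR.
# Returns 0 only if every listed blob is present with a matching digest.
# The exit 1 inside the piped loop becomes the pipeline's exit status.
verify_extracted() {
    dir=$1
    echo "$KNOWN_BLOBS" | while read -r path expected; do
        if ! verify_blob "$dir/$path" "$expected"; then
            echo "md5sum mismatch or missing file: $path" >&2
            exit 1
        fi
    done
}

# make_sample_archive OUTFILE CONTENT -> builds a tarball holding one
# constructed blob at firmware/ucode5.fw whose bytes are CONTENT plus "\n".
make_sample_archive() {
    src=$(mktemp -d)
    mkdir -p "$src/firmware"
    printf '%s\n' "$2" > "$src/firmware/ucode5.fw"
    tar -C "$src" -cf "$1" firmware
    rm -rf "$src"
}

# check_archive TARBALL -> extracts into a scratch directory, verifies every
# listed blob, removes the scratch directory and returns the verdict.
check_archive() {
    work=$(mktemp -d)
    tar -C "$work" -xf "$1"
    verify_extracted "$work"
    rc=$?
    rm -rf "$work"
    return $rc
}

# Demo: an untouched archive passes, a tampered one ("hellp") is rejected.
demo=$(mktemp -d)
make_sample_archive "$demo/good.tar" "hello"
make_sample_archive "$demo/tampered.tar" "hellp"
if check_archive "$demo/good.tar"; then
    echo "good.tar: accepted"
else
    echo "good.tar: rejected"
fi
if check_archive "$demo/tampered.tar"; then
    echo "tampered.tar: accepted"
else
    echo "tampered.tar: rejected"
fi
rm -rf "$demo"
```

The verdict is only as good as the digest list: a tampered blob is caught because its digest is compared against a value shipped with the checker, not one downloaded alongside the archive, which is the same property that makes the fwcutter_list.h check useful against a modified download.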