diff options
author | Tobias Geerinckx-Rice <me@tobias.gr> | 2020-11-09 22:41:57 +0100 |
---|---|---|
committer | Tobias Geerinckx-Rice <me@tobias.gr> | 2020-11-10 18:19:39 +0100 |
commit | ed02857beb1ffb6c5108c438142f27eea200fb4c (patch) | |
tree | 2f632ab33e7a8128fb938f8de39d363a378fa996 | |
parent | d065517b73cdfc1be17b6d38f210c3d008a50e91 (diff) | |
download | guix-ed02857beb1ffb6c5108c438142f27eea200fb4c.tar.gz |
gnu: ruby-chunky-png: Add warning about untrusted input.
* gnu/packages/ruby.scm (ruby-chunky-png)[description]: Warn of decompression bombs.
-rw-r--r-- | gnu/packages/ruby.scm | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/gnu/packages/ruby.scm b/gnu/packages/ruby.scm index 38e421a4c1..b34a33a528 100644 --- a/gnu/packages/ruby.scm +++ b/gnu/packages/ruby.scm @@ -1638,7 +1638,12 @@ pixel, depending on the hardware). Performance: ChunkyPNG is reasonably fast for Ruby standards, by only using integer math and a highly optimized saving routine. @item Interoperability with RMagick. -@end itemize") +@end itemize + +ChunkyPNG is vulnerable to decompression bombs and can run out of memory when +loading a specifically crafted PNG file. This is hard to fix in pure Ruby. +Deal with untrusted images in a separate process, e.g., by using @code{fork} +or a background processing library.") (home-page "https://github.com/wvanbergen/chunky_png/wiki") (license license:expat))) |