guix-commits

02/10: gnu: ruby-chunky-png: Add warning about untrusted input.


From: guix-commits
Subject: 02/10: gnu: ruby-chunky-png: Add warning about untrusted input.
Date: Tue, 10 Nov 2020 14:05:30 -0500 (EST)

nckx pushed a commit to branch master
in repository guix.

commit ed02857beb1ffb6c5108c438142f27eea200fb4c
Author: Tobias Geerinckx-Rice <me@tobias.gr>
AuthorDate: Mon Nov 9 22:41:57 2020 +0100

    gnu: ruby-chunky-png: Add warning about untrusted input.
    
    * gnu/packages/ruby.scm (ruby-chunky-png)[description]: Warn of decompression bombs.
---
 gnu/packages/ruby.scm | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/ruby.scm b/gnu/packages/ruby.scm
index 38e421a..b34a33a 100644
--- a/gnu/packages/ruby.scm
+++ b/gnu/packages/ruby.scm
@@ -1638,7 +1638,12 @@ pixel, depending on the hardware).
 Performance: ChunkyPNG is reasonably fast for Ruby standards, by only using
 integer math and a highly optimized saving routine.
 @item Interoperability with RMagick.
-@end itemize")
+@end itemize
+
+ChunkyPNG is vulnerable to decompression bombs and can run out of memory when
+loading a specifically crafted PNG file.  This is hard to fix in pure Ruby.
+Deal with untrusted images in a separate process, e.g., by using @code{fork}
+or a background processing library.")
     (home-page "https://github.com/wvanbergen/chunky_png/wiki";)
     (license license:expat)))
 
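Review bot: the mitigation the new paragraph recommends ("Deal with untrusted images in a separate process, e.g., by using @code{fork}") isolates the crash but does not bound it: a forked child decoding a crafted PNG still consumes host memory until it is killed, and on a busy system that can take other processes with it. Suggest the description also tell users to cap the child (for example with @code{Process.setrlimit} on @code{:AS} and a timeout) or to reject images whose IHDR width and height exceed a sane limit before decoding, since either is cheap to state and is what actually keeps a bomb from exhausting the box. Minor wording: "specifically crafted PNG file" reads better as "specially crafted PNG file".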