From ed02857beb1ffb6c5108c438142f27eea200fb4c Mon Sep 17 00:00:00 2001 From: Tobias Geerinckx-Rice Date: Mon, 9 Nov 2020 22:41:57 +0100 Subject: gnu: ruby-chunky-png: Add warning about untrusted input. * gnu/packages/ruby.scm (ruby-chunky-png)[description]: Warn of decompression bombs. --- gnu/packages/ruby.scm | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'gnu') diff --git a/gnu/packages/ruby.scm b/gnu/packages/ruby.scm index 38e421a4c1..b34a33a528 100644 --- a/gnu/packages/ruby.scm +++ b/gnu/packages/ruby.scm @@ -1638,7 +1638,12 @@ pixel, depending on the hardware). Performance: ChunkyPNG is reasonably fast for Ruby standards, by only using integer math and a highly optimized saving routine. @item Interoperability with RMagick. -@end itemize") +@end itemize + +ChunkyPNG is vulnerable to decompression bombs and can run out of memory when +loading a specifically crafted PNG file. This is hard to fix in pure Ruby. +Deal with untrusted images in a separate process, e.g., by using @code{fork} +or a background processing library.") (home-page "https://github.com/wvanbergen/chunky_png/wiki") (license license:expat))) -- cgit v1.2.3