gnu: ruby-chunky-png: Add warning about untrusted input.

* gnu/packages/ruby.scm (ruby-chunky-png)[description]: Warn of decompression bombs.
Tobias Geerinckx-Rice 2020-11-09 22:41:57 +01:00
parent d065517b73
commit ed02857beb
No known key found for this signature in database
GPG key ID: 0DB0FF884F556D79


@ -1638,7 +1638,12 @@ (define-public ruby-chunky-png
Performance: ChunkyPNG is reasonably fast for Ruby standards, by only using
integer math and a highly optimized saving routine.
@item Interoperability with RMagick.
@end itemize")
@end itemize
ChunkyPNG is vulnerable to decompression bombs and can run out of memory when
loading a specifically crafted PNG file. This is hard to fix in pure Ruby.
Deal with untrusted images in a separate process, e.g., by using @code{fork}
or a background processing library.")
(home-page "https://github.com/wvanbergen/chunky_png/wiki")
(license license:expat)))
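Review bot: the added paragraph (from "ChunkyPNG is vulnerable to decompression bombs" through "a background processing library.") gives users no pointer to where the claim comes from; since this text is a paraphrase rather than a Guix-verified finding, the commit message should cite the upstream source (the chunky_png README or issue that documents the decompression-bomb behaviour) so that the "hard to fix in pure Ruby" statement can be checked and revisited if upstream addresses it. Two smaller points in the same hunk: the advice to "deal with untrusted images in a separate process" only bounds the damage if that process also runs under a memory limit, so consider wording such as "in a separate, resource-limited process"; and a package description is shown by `guix search`, so a shorter form such as "Note that ChunkyPNG can exhaust memory on crafted (decompression-bomb) PNG files; process untrusted images in a separate, resource-limited process." keeps the warning without the explanatory aside about pure Ruby.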