gnu: ruby-chunky-png: Add warning about untrusted input.

author Tobias Geerinckx-Rice <me@tobias.gr>

Mon, 9 Nov 2020 21:41:57 +0000 (22:41 +0100)

committer Tobias Geerinckx-Rice <me@tobias.gr>

Tue, 10 Nov 2020 17:19:39 +0000 (18:19 +0100)
author Tobias Geerinckx-Rice <me@tobias.gr>
Mon, 9 Nov 2020 21:41:57 +0000 (22:41 +0100)
committer Tobias Geerinckx-Rice <me@tobias.gr>
Tue, 10 Nov 2020 17:19:39 +0000 (18:19 +0100)
diff --git a/gnu/packages/ruby.scm b/gnu/packages/ruby.scm

index 38e421a..b34a33a 100644 (file)
--- a/gnu/packages/ruby.scm
+++ b/gnu/packages/ruby.scm
@@ -1638,7 +1638,12 @@ pixel, depending on the hardware).
  Performance: ChunkyPNG is reasonably fast for Ruby standards, by only using
  integer math and a highly optimized saving routine.
  @item Interoperability with RMagick.
-@end itemize")
+@end itemize
+
+ChunkyPNG is vulnerable to decompression bombs and can run out of memory when
+loading a specifically crafted PNG file.  This is hard to fix in pure Ruby.
+Deal with untrusted images in a separate process, e.g., by using @code{fork}
+or a background processing library.")
      (home-page "https://github.com/wvanbergen/chunky_png/wiki")
      (license license:expat)))
author	Tobias Geerinckx-Rice <me@tobias.gr>
	Mon, 9 Nov 2020 21:41:57 +0000 (22:41 +0100)
committer	Tobias Geerinckx-Rice <me@tobias.gr>
	Tue, 10 Nov 2020 17:19:39 +0000 (18:19 +0100)