gnu: ruby-chunky-png: Add warning about untrusted input.

* gnu/packages/ruby.scm (ruby-chunky-png)[description]: Warn of decompression bombs.
author: Tobias Geerinckx-Rice <me@tobias.gr> 2020-11-09 22:41:57 +0100
committer: Tobias Geerinckx-Rice <me@tobias.gr> 2020-11-10 18:19:39 +0100
commit: ed02857beb1ffb6c5108c438142f27eea200fb4c (patch)
tree: 2f632ab33e7a8128fb938f8de39d363a378fa996 /gnu/packages/ruby.scm
parent: d065517b73cdfc1be17b6d38f210c3d008a50e91 (diff)
download: guix-patches-ed02857beb1ffb6c5108c438142f27eea200fb4c.tar
guix-patches-ed02857beb1ffb6c5108c438142f27eea200fb4c.tar.gz
1 files changed, 6 insertions, 1 deletions
diff --git a/gnu/packages/ruby.scm b/gnu/packages/ruby.scm
index 38e421a4c1..b34a33a528 100644
--- a/gnu/packages/ruby.scm
+++ b/gnu/packages/ruby.scm
@@ -1638,7 +1638,12 @@ pixel, depending on the hardware).
 Performance: ChunkyPNG is reasonably fast for Ruby standards, by only using
 integer math and a highly optimized saving routine.
 @item Interoperability with RMagick.
-@end itemize")
+@end itemize
+
+ChunkyPNG is vulnerable to decompression bombs and can run out of memory when
+loading a specifically crafted PNG file.  This is hard to fix in pure Ruby.
+Deal with untrusted images in a separate process, e.g., by using @code{fork}
+or a background processing library.")
     (home-page "https://github.com/wvanbergen/chunky_png/wiki")
     (license license:expat)))
author	Tobias Geerinckx-Rice <me@tobias.gr>	2020-11-09 22:41:57 +0100
committer	Tobias Geerinckx-Rice <me@tobias.gr>	2020-11-10 18:19:39 +0100
commit	ed02857beb1ffb6c5108c438142f27eea200fb4c (patch)
tree	2f632ab33e7a8128fb938f8de39d363a378fa996 /gnu/packages/ruby.scm
parent	d065517b73cdfc1be17b6d38f210c3d008a50e91 (diff)
download	guix-patches-ed02857beb1ffb6c5108c438142f27eea200fb4c.tar guix-patches-ed02857beb1ffb6c5108c438142f27eea200fb4c.tar.gz