gnu: ruby-chunky-png: Add warning about untrusted input.
* gnu/packages/ruby.scm (ruby-chunky-png)[description]: Warn of decompression bombs.
This commit is contained in:
Tobias Geerinckx-Rice
parent
d065517b73
commit
ed02857beb
1 changed files with 6 additions and 1 deletions
|
|
@ -1638,7 +1638,12 @@ pixel, depending on the hardware).
|
|||
Performance: ChunkyPNG is reasonably fast for Ruby standards, by only using
|
||||
integer math and a highly optimized saving routine.
|
||||
@item Interoperability with RMagick.
|
||||
@end itemize")
|
||||
@end itemize
|
||||
|
||||
ChunkyPNG is vulnerable to decompression bombs and can run out of memory when
|
||||
loading a specifically crafted PNG file. This is hard to fix in pure Ruby.
|
||||
Deal with untrusted images in a separate process, e.g., by using @code{fork}
|
||||
or a background processing library.")
|
||||
(home-page "https://github.com/wvanbergen/chunky_png/wiki")
|
||||
(license license:expat)))
|
||||
|
||||
|
|
|
|||
Reference in a new issue