From d065517b73cdfc1be17b6d38f210c3d008a50e91 Mon Sep 17 00:00:00 2001 From: Tobias Geerinckx-Rice Date: Mon, 9 Nov 2020 10:19:28 +0100 Subject: gnu: ruby-chunky-png: Update to 1.3.14. * gnu/packages/ruby.scm (ruby-chunky-png): Update to 1.3.14. --- gnu/packages/ruby.scm | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'gnu/packages/ruby.scm') diff --git a/gnu/packages/ruby.scm b/gnu/packages/ruby.scm index 73bf85241c..38e421a4c1 100644 --- a/gnu/packages/ruby.scm +++ b/gnu/packages/ruby.scm @@ -1582,7 +1582,7 @@ (define-public ruby-standard (define-public ruby-chunky-png (package (name "ruby-chunky-png") - (version "1.3.12") + (version "1.3.14") (source (origin (method git-fetch) @@ -1591,8 +1591,7 @@ (define-public ruby-chunky-png (commit (string-append "v" version)))) (file-name (git-file-name name version)) (sha256 - (base32 - "0hn8ap7iib47qkqdp0awmxgma11z0lmk1ca3lp7c97ykhv7ij1zs")))) + (base32 "1m7y11ix38h5a2pj5v81qdmvqh980ql9hp62hk2dxwkwsa4nh22h")))) (build-system ruby-build-system) (arguments `(#:test-target "spec" -- cgit v1.2.3 From ed02857beb1ffb6c5108c438142f27eea200fb4c Mon Sep 17 00:00:00 2001 From: Tobias Geerinckx-Rice Date: Mon, 9 Nov 2020 22:41:57 +0100 Subject: gnu: ruby-chunky-png: Add warning about untrusted input. * gnu/packages/ruby.scm (ruby-chunky-png)[description]: Warn of decompression bombs. --- gnu/packages/ruby.scm | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'gnu/packages/ruby.scm') diff --git a/gnu/packages/ruby.scm b/gnu/packages/ruby.scm index 38e421a4c1..b34a33a528 100644 --- a/gnu/packages/ruby.scm +++ b/gnu/packages/ruby.scm 
@@ -1638,7 +1638,12 @@ (define-public ruby-chunky-png Performance: ChunkyPNG is reasonably fast for Ruby standards, by only using integer math and a highly optimized saving routine. @item Interoperability with RMagick. -@end itemize") +@end itemize + +ChunkyPNG is vulnerable to decompression bombs and can run out of memory when +loading a specifically crafted PNG file. This is hard to fix in pure Ruby. +Deal with untrusted images in a separate process, e.g., by using @code{fork} +or a background processing library.") (home-page "https://github.com/wvanbergen/chunky_png/wiki") (license license:expat))) -- cgit v1.2.3
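Review bot: The added advice at the end of the description (`Deal with untrusted images in a separate process…`) contains the crash but not the resource exhaustion it warns about: a forked child decoding a crafted PNG still consumes host memory until the kernel's OOM killer intervenes, and that killer may pick a different process than the worker. The warning would be more actionable if the last two added lines also told users to bound the worker, e.g. `or a background processing library, and bound that process's memory and run` / `time (for example with @code{Process.setrlimit} or a cgroup/container limit).`. Because the text gives no affected-version range, readers may assume a later bump fixes it; if upstream confirms the issue applies to all releases (the "hard to fix in pure Ruby" wording suggests so, but I am inferring that), saying so explicitly would avoid that misreading. The description string and the ruby-chunky-png definition begin before this hunk.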