CVE-2022-2085
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2022-2085
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-2085.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2022-2085
- Related
- Published
- 2022-06-16T18:15:10Z
- Modified
- 2024-09-18T01:00:21Z
- Severity
-
- 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- [none]
- Details
-
A NULL pointer dereference vulnerability was found in Ghostscript, which occurs when it tries to render a large number of bits in memory. When allocating a buffer device, it relies on an initdeviceprocs defined for the device that uses it as a prototype that depends upon the number of bits per pixel. For bpp > 64, memxdevice is used and does not have an initdeviceprocs defined. This flaw allows an attacker to parse a large number of bits (more than 64 bits per pixel), which triggers a NULL pointer dereference flaw, causing an application to crash.
- References
-
- https://bugs.ghostscript.com/show_bug.cgi?id=704945
- https://security.gentoo.org/glsa/202211-11
- https://security.gentoo.org/glsa/202309-03
- https://bugzilla.redhat.com/show_bug.cgi?id=2095261
- http://git.ghostscript.com/?p=ghostpdl.git%3Bh=ae1061d948d88667bdf51d47d918c4684d0f67df
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ERSZX5LKDWAHZWJYBMP2E2UHOPUCDEGV/
- https://security-tracker.debian.org/tracker/CVE-2022-2085
Affected packages
Debian:12 / ghostscript
Package
- Name
- ghostscript
- Purl
- pkg:deb/debian/ghostscript?arch=source
Debian:13 / ghostscript
Package
- Name
- ghostscript
- Purl
- pkg:deb/debian/ghostscript?arch=source