5.5

CVE-2022-2085

Exploit
A NULL pointer dereference vulnerability was found in Ghostscript, which occurs when it tries to render a large number of bits in memory. When allocating a buffer device, it relies on an init_device_procs defined for the device that uses it as a prototype that depends upon the number of bits per pixel. For bpp > 64, mem_x_device is used and does not have an init_device_procs defined. This flaw allows an attacker to parse a large number of bits (more than 64 bits per pixel), which triggers a NULL pointer dereference flaw, causing an application to crash.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ArtifexGhostscript Version9.55.0
FedoraprojectFedora Version35
FedoraprojectFedora Version36
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.4% 0.692
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.5 1.8 3.6
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
nvd@nist.gov 4.3 8.6 2.9
AV:N/AC:M/Au:N/C:N/I:N/A:P
CWE-476 NULL Pointer Dereference

The product dereferences a pointer that it expects to be valid but is NULL.

https://security.gentoo.org/glsa/202211-11
Third Party Advisory
http://git.ghostscript.com/?p=ghostpdl.git%3Bh=ae1061d948d88667bdf51d47d918c4684d0f67df
https://bugs.ghostscript.com/show_bug.cgi?id=704945
Patch
Vendor Advisory
Exploit
Mailing List
Issue Tracking
https://bugzilla.redhat.com/show_bug.cgi?id=2095261
Patch
Third Party Advisory
Issue Tracking
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ERSZX5LKDWAHZWJYBMP2E2UHOPUCDEGV/
https://security.gentoo.org/glsa/202309-03