CVE-2022-2085: Null Pointer Dereference
First published: Thu Jun 09 2022(Updated: )
A NULL pointer dereference vulnerability was found in Ghostscript, which occurs when it tries to render a large number of bits in memory. When allocating a buffer device, it relies on an init_device_procs defined for the device that uses it as a prototype that depends upon the number of bits per pixel. For bpp > 64, mem_x_device is used and does not have an init_device_procs defined. This flaw allows an attacker to parse a large number of bits (more than 64 bits per pixel), which triggers a NULL pointer dereference flaw, causing an application to crash.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Artifex Software Ghostscript | =9.55.0 | |
| Fedoraproject Fedora | =35 | |
| Fedoraproject Fedora | =36 | |
| fedoraproject fedora | =35 | |
| fedoraproject fedora | =36 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://git.ghostscript.com/?p=ghostpdl.git%3Bh=ae1061d948d88667bdf51d47d918c4684d0f67df
- https://bugs.ghostscript.com/show_bug.cgi?id=704945
- https://bugzilla.redhat.com/show_bug.cgi?id=2095261
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ERSZX5LKDWAHZWJYBMP2E2UHOPUCDEGV/
- https://security.gentoo.org/glsa/202211-11
- https://security.gentoo.org/glsa/202309-03
- http://git.ghostscript.com/?p=ghostpdl.git;h=ae1061d948d88667bdf51d47d918c4684d0f67df
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2097175
- https://access.redhat.com/security/cve/cve-2022-2085
Frequently Asked Questions
What is the vulnerability ID for this vulnerability?
The vulnerability ID for this vulnerability is CVE-2022-2085.
What is the severity of CVE-2022-2085?
The severity of CVE-2022-2085 is medium.
What software is affected by CVE-2022-2085?
The Artifex Ghostscript version 9.55.0 and Fedora versions 35 and 36 are affected by CVE-2022-2085.
How can this vulnerability be exploited?
This vulnerability can be exploited by an attacker by rendering a large number of bits in memory using Ghostscript.
Are there any references for more information about this vulnerability?
Yes, you can find more information about CVE-2022-2085 at the following references: - [Git Repository](http://git.ghostscript.com/?p=ghostpdl.git%3Bh=ae1061d948d88667bdf51d47d918c4684d0f67df) - [Ghostscript Bug Tracker](https://bugs.ghostscript.com/show_bug.cgi?id=704945) - [Red Hat Bugzilla](https://bugzilla.redhat.com/show_bug.cgi?id=2095261)
- agent/author
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- agent/remedy
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/weakness
- agent/references
- agent/description
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-2085
- agent/trending
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-api
- vendor/artifex
- canonical/artifex software ghostscript
- version/artifex software ghostscript/9.55.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/35
- version/fedoraproject fedora/36