NULL Pointer Dereference Affecting ghostscript-debuginfo package, versions <0:9.56.1-5.amzn2023.0.1


Severity

Recommended
0.0
medium
0
10

Based on Amazon Linux security rating.

Threat Intelligence

EPSS
0.1% (44th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about NULL Pointer Dereference vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-AMZN2023-GHOSTSCRIPTDEBUGINFO-3345336
  • published7 Mar 2023
  • disclosed16 Jun 2022

Introduced: 16 Jun 2022

CVE-2022-2085  (opens in a new tab)
CWE-476  (opens in a new tab)

How to fix?

Upgrade Amazon-Linux:2023 ghostscript-debuginfo to version 0:9.56.1-5.amzn2023.0.1 or higher.
This issue was patched in ALAS2023-2023-053.

NVD Description

Note: Versions mentioned in the description apply only to the upstream ghostscript-debuginfo package and not the ghostscript-debuginfo package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2023 relevant fixed versions and status.

A NULL pointer dereference vulnerability was found in Ghostscript, which occurs when it tries to render a large number of bits in memory. When allocating a buffer device, it relies on an init_device_procs defined for the device that uses it as a prototype that depends upon the number of bits per pixel. For bpp > 64, mem_x_device is used and does not have an init_device_procs defined. This flaw allows an attacker to parse a large number of bits (more than 64 bits per pixel), which triggers a NULL pointer dereference flaw, causing an application to crash.

CVSS Scores

version 3.1