
Cloud Vulnerability DB
A community-led vulnerabilities database
A NULL pointer dereference vulnerability (CVE-2022-2085) was discovered in Ghostscript, which occurs when it attempts to render a large number of bits in memory. The vulnerability affects Ghostscript version 9.55.0 and was discovered in February 2022 (Ghostscript Bug).
When allocating a buffer device, Ghostscript relies on an init_device_procs entry being defined for the device used as a prototype. The prototype device is selected according to the number of bits per pixel (bpp). For bpp > 64, mem_x_device is used, which did not have an init_device_procs defined. This condition is rare, as very few devices use more than 64 bits per pixel, with DeviceN being one of the few exceptions. The vulnerability has a CVSS v3.1 Base Score of 5.5 (MEDIUM) with vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H (NVD).
If exploited, this vulnerability lets an attacker trigger the NULL pointer dereference by having Ghostscript parse a large number of bits (more than 64 bits per pixel), causing the application to crash and resulting in a denial of service (NVD).
The vulnerability was fixed in Ghostscript versions 9.56.1 and later. Users are advised to upgrade to the patched version. The fix involves adding an init_device_procs entry for mem_x_device (Ghostscript Bug, Gentoo Advisory).
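A simplified C model of the flaw and the fix described above, added here as an illustration; it is not Ghostscript source code. All type, function and variable names are hypothetical, and the NULL guard in alloc_buffer_device is an extra defensive check beyond the fix the page describes.

```c
#include <stddef.h>

/* Simplified model, NOT Ghostscript source; every name here is hypothetical. */
typedef struct device device;
typedef void (*init_procs_fn)(device *dev);

struct device {
    const char   *name;
    init_procs_fn init_device_procs; /* initializer copied from the prototype */
    int           procs_ready;       /* set once the procs were initialized */
};

static void init_generic(device *dev) { dev->procs_ready = 1; }

/* Prototypes: the unpatched >64 bpp entry has no initializer. */
static const device proto_le64    = { "mem_le64", init_generic, 0 };
static const device proto_x_vuln  = { "mem_x",    NULL,         0 };
static const device proto_x_fixed = { "mem_x",    init_generic, 0 }; /* the fix */

/* Prototype choice depends only on bits per pixel, as the page describes. */
static const device *select_proto(int bpp, int patched)
{
    if (bpp <= 64)
        return &proto_le64;
    return patched ? &proto_x_fixed : &proto_x_vuln;
}

/*
 * Allocate a buffer device from its prototype.
 * Returns 0 on success, -1 if the prototype carries no initializer.
 * The unpatched behaviour corresponds to calling through the pointer
 * without this check, which dereferences NULL and crashes the process.
 */
int alloc_buffer_device(device *out, int bpp, int patched)
{
    const device *proto = select_proto(bpp, patched);

    *out = *proto;
    if (out->init_device_procs == NULL)
        return -1; /* defensive guard: fail the allocation instead of crashing */
    out->init_device_procs(out);
    return 0;
}
```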
Source: This report was generated using AI