Candidate: CVE-2022-1350
PublicDate: 2022-04-14 07:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1350
 https://vuldb.com/?id.197290
 https://bugs.ghostscript.com/attachment.cgi?id=22323
Description:
 A vulnerability classified as problematic was found in GhostPCL 9.55.0.
 This vulnerability affects the function chunk_free_object of the file
 gsmchunk.c. The manipulation with a malicious file leads to a memory
 corruption. The attack can be initiated remotely but requires user
 interaction. The exploit has been disclosed to the public as a POC and may
 be used. It is recommended to apply the patches to fix this issue.
Ubuntu-Description:
Notes:
 mdeslaur> First commit fixes pcl/pcl/pcstatus.c, while this file exists
 mdeslaur> in the focal source package (only), it does not appear to get
 mdeslaur> built as debian/rules contains --without-pcl. The reproducer
 mdeslaur> in the upstream bug needs PCL support to work.
 mdeslaur> The second commit does fix a file that is built in Ubuntu
 mdeslaur> ghostscript packages, but there is no indication that it is
 mdeslaur> security relevant without the PCL support. Marking as "low"
 mdeslaur> for now until further information becomes available.
Mitigation:
Bugs:
 https://bugs.ghostscript.com/show_bug.cgi?id=705156
Priority: low
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H [7.8 HIGH]


Patches_ghostscript:
 upstream: https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=e1134d375e2c
 upstream: https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2dbc87e52c59
upstream_ghostscript: needs-triage
esm-infra/xenial_ghostscript: needs-triage
trusty_ghostscript: ignored (out of standard support)
xenial_ghostscript: ignored (out of standard support)
bionic_ghostscript: needs-triage
focal_ghostscript: needs-triage
impish_ghostscript: needs-triage
jammy_ghostscript: needs-triage
devel_ghostscript: needs-triage