A vulnerability classified as problematic was found in Ghostscript 9.55.0. This vulnerability affects the function chunk_free_object of the file gsmchunk.c. The manipulation with a malicious file leads to memory corruption. The attack can be initiated remotely but requires user interaction. The exploit has been disclosed to the public as a POC and may be used. It is recommended to apply the patches to fix this issue.

https://bugs.ghostscript.com/show_bug.cgi?id=705156
https://vuldb.com/?id.197290
https://bugs.ghostscript.com/attachment.cgi?id=22323
All referenced bugs are locked. There is no way for us to know whether http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=e1134d375e2ca176068e19a2aa9b040baffe1c22 is a complete fix or (2) is pending. The vulnerability does not mention Ghostscript 9.56.1 but from quick-checking git, I don't expect it to contain any fixes. Do not expect a fix of the Fedora package until this changes :|
Created ghostscript tracking bugs for this issue:

Affects: fedora-all [bug 2086552]
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-1350