Buffer overflow in xscreensaver - CVE-2021-34557
Published: August 17, 2022
Vulnerability identifier: #VU66593
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2021-34557
CWE-ID: CWE-119
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: www.jwz.org
Affected software:
xscreensaver
xscreensaver
Detailed vulnerability description
The vulnerability allows an attacker to escalate privileges on the system.
The vulnerability exists due to a boundary error within the update_screen_layout() function. An attacker with physical access to the system can trigger memory corruption and bypass the standard screen lock authentication mechanism.
How to mitigate CVE-2021-34557
Install updates from vendor's website.
Sources
- https://github.com/QubesOS/qubes-xscreensaver/blob/master/0001-Fix-updating-outputs-info.patch
- https://github.com/QubesOS/qubes-issues/issues/6595
- https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-068-2021.txt
- https://www.openwall.com/lists/oss-security/2021/06/05/1
- http://www.openwall.com/lists/oss-security/2021/06/11/1
- http://www.openwall.com/lists/oss-security/2021/07/06/2
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TC4QB7TRS4GS7LDXQQ4PC6J3LVFJYISV/