SB2021092123 - Lock screen bypass in XScreenSaver
Published: September 21, 2021 Updated: August 17, 2022
Security Bulletin ID
SB2021092123
Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Physical access
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Buffer overflow (CVE-ID: CVE-2021-34557)
The vulnerability allows an attacker to escalate privileges on the system.
The vulnerability exists due to a boundary error within the update_screen_layout() function. An attacker with physical access to the system can trigger memory corruption and bypass the standard screen lock authentication mechanism.
Remediation
Install update from vendor's website.
References
- https://github.com/QubesOS/qubes-xscreensaver/blob/master/0001-Fix-updating-outputs-info.patch
- https://github.com/QubesOS/qubes-issues/issues/6595
- https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-068-2021.txt
- https://www.openwall.com/lists/oss-security/2021/06/05/1
- http://www.openwall.com/lists/oss-security/2021/06/11/1
- http://www.openwall.com/lists/oss-security/2021/07/06/2
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TC4QB7TRS4GS7LDXQQ4PC6J3LVFJYISV/