SUSE update for xscreensaver

1) Buffer overflow

EUVDB-ID: #VU66593

Risk: Low

CVSSv3.1: 5.9 [CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-34557

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows an attacker to escalate privileges on the system.

The vulnerability exists due to a boundary error within the update_screen_layout()  function. An attacker with physical access to the system can trigger memory corruption and bypass the standard screen lock authentication mechanism.

Mitigation

Update the affected package xscreensaver to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Server: 12-SP5

xscreensaver-debugsource: before 5.22-8.3.1

xscreensaver-debuginfo: before 5.22-8.3.1

xscreensaver-data-debuginfo: before 5.22-8.3.1

xscreensaver-data: before 5.22-8.3.1

xscreensaver: before 5.22-8.3.1

CPE2.3

• cpe:2.3:o:suse:suse_linux_enterprise_server:12-SP5:*:*:*:*:*:*:

External links

http://www.suse.com/support/update/announcement/2022/suse-su-20222642-1/

Q & A

Can this vulnerability be exploited remotely?

No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.