Bug 794475 (CVE-2021-34557) - <x11-misc/xscreensaver-5.45-r1: screen lock bypass when >=10 video outputs (CVE-2021-34557)
Summary: <x11-misc/xscreensaver-5.45-r1: screen lock bypass when >=10 video outputs (C...
Status: RESOLVED FIXED
Alias: CVE-2021-34557
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://www.openwall.com/lists/oss-se...
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-06-05 20:23 UTC by John Helmert III
Modified: 2021-08-08 01:53 UTC
CC List: 4 users

See Also:
Package list:
x11-misc/xscreensaver-5.45-r1
Runtime testing required: ---
nattka: sanity-check-
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-06-05 20:23:36 UTC
Impact: 

XScreenSaver is the default screen locker in dom0. It tracks which video
outputs are connected to the system in order to blank them properly. In
some specific hardware configurations, disconnecting an output can cause
XScreenSaver to crash, leaving the screen unlocked.

The issue affects XScreenSaver 5.45 only.


Qubes applies a patch: https://github.com/QubesOS/qubes-xscreensaver/blob/master/0001-Fix-updating-outputs-info.patch
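The affected range given in this bug's summary is <x11-misc/xscreensaver-5.45-r1, with the fix landing in the 5.45-r1 revision. The script below is an added example (not code from the bug report, from Gentoo, or from the XScreenSaver project) that tells whether a given or installed xscreensaver version still falls inside that range. It assumes versions of the form MAJOR.MINOR optionally followed by a Gentoo "-rN" revision suffix, and the standard Gentoo package database under /var/db/pkg; the function names and the FIXED_VERSION constant are this example's own.

```sh
#!/bin/sh
# Added example, not code from the bug report, Gentoo or the XScreenSaver project.
# Checks whether an x11-misc/xscreensaver version lies in the affected range
# "<x11-misc/xscreensaver-5.45-r1" given in this bug's summary.
# Assumptions: versions look like MAJOR.MINOR optionally followed by a Gentoo
# revision "-rN"; no other Portage suffixes (_p, _rc, letters) are handled.

FIXED_VERSION="5.45-r1"   # first Gentoo version carrying the CVE-2021-34557 patch

# split_version VER: prints "MAJOR MINOR REV" (REV is 0 when no -rN suffix)
split_version() {
    v=$1
    r=0
    case "$v" in
        *-r*) r=${v##*-r}; v=${v%-r*} ;;
    esac
    printf '%s %s %s\n' "${v%%.*}" "${v#*.}" "$r"
}

# version_lt A B: succeeds when A sorts before B (numeric components, then revision)
version_lt() {
    set -- $(split_version "$1") $(split_version "$2")
    if [ "$1" -lt "$4" ]; then return 0; fi
    if [ "$1" -gt "$4" ]; then return 1; fi
    if [ "$2" -lt "$5" ]; then return 0; fi
    if [ "$2" -gt "$5" ]; then return 1; fi
    if [ "$3" -lt "$6" ]; then return 0; fi
    return 1
}

# is_vulnerable VER: succeeds when VER < 5.45-r1, i.e. the fix is still missing
is_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# installed_versions: on a Gentoo host, list installed xscreensaver versions
# from the package database (prints nothing when the package is not installed)
installed_versions() {
    for d in /var/db/pkg/x11-misc/xscreensaver-*; do
        [ -d "$d" ] || continue
        printf '%s\n' "${d##*/xscreensaver-}"
    done
}

# report VER: print a verdict for one version; exit status mirrors is_vulnerable
report() {
    if is_vulnerable "$1"; then
        echo "x11-misc/xscreensaver-$1: affected (< $FIXED_VERSION), update required"
        return 0
    fi
    echo "x11-misc/xscreensaver-$1: not affected"
    return 1
}

# Stand-alone use: versions given as arguments, otherwise whatever is installed.
if [ $# -gt 0 ]; then
    for ver in "$@"; do report "$ver"; done
else
    for ver in $(installed_versions); do report "$ver"; done
fi
```

Run it with no arguments on a Gentoo host to check the installed package, or pass one or more version strings (for example 5.45 and 5.45-r1) to see the verdict for each. Components are compared as integers, which matches Portage's ordering for the plain two-component versions xscreensaver uses here (5.44-r4 and 5.45 sort before 5.45-r1; 5.46 and 6.01 sort after it).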
Comment 1 Larry the Git Cow gentoo-dev 2021-06-11 15:36:48 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fbfd1bffe2e7f0c68efb06aa292ed7ebcb796239

commit fbfd1bffe2e7f0c68efb06aa292ed7ebcb796239
Author:     Sebastian Pipping <sping@gentoo.org>
AuthorDate: 2021-06-11 15:35:34 +0000
Commit:     Sebastian Pipping <sping@gentoo.org>
CommitDate: 2021-06-11 15:36:08 +0000

    x11-misc/xscreensaver: CVE-2021-34557
    
    Bug: https://bugs.gentoo.org/794475
    Signed-off-by: Sebastian Pipping <sping@gentoo.org>
    Package-Manager: Portage-3.0.19, Repoman-3.0.3

 .../files/xscreensaver-5.45-cve-2021-34557.patch   |  40 +++++
 x11-misc/xscreensaver/xscreensaver-5.45-r1.ebuild  | 168 +++++++++++++++++++++
 2 files changed, 208 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-06-11 20:19:57 UTC
Thank you! Please bump when ready
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-06-12 03:29:32 UTC
amd64 done
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-06-12 07:54:55 UTC
arm64 done
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-06-12 07:54:59 UTC
arm done
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-06-12 16:27:50 UTC
x86 done
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-06-12 16:30:02 UTC
ppc done
Comment 8 Agostino Sarubbo gentoo-dev 2021-06-13 06:29:27 UTC
ppc64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2021-06-13 06:31:00 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 10 Larry the Git Cow gentoo-dev 2021-06-13 11:44:52 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b2d720ae5fc226fac1e8ce032c4126984b8c377e

commit b2d720ae5fc226fac1e8ce032c4126984b8c377e
Author:     Sebastian Pipping <sping@gentoo.org>
AuthorDate: 2021-06-13 11:42:23 +0000
Commit:     Sebastian Pipping <sping@gentoo.org>
CommitDate: 2021-06-13 11:42:23 +0000

    x11-misc/xscreensaver: Drop vulnerable
    
    Bug: https://bugs.gentoo.org/794475
    Signed-off-by: Sebastian Pipping <sping@gentoo.org>
    Package-Manager: Portage-3.0.19, Repoman-3.0.3

 x11-misc/xscreensaver/Manifest                     |   1 -
 .../files/xscreensaver-5.05-interix.patch          |  32 ----
 .../xscreensaver/files/xscreensaver-5.44-gcc.patch |  16 --
 x11-misc/xscreensaver/xscreensaver-5.44-r4.ebuild  | 160 --------------------
 x11-misc/xscreensaver/xscreensaver-5.45.ebuild     | 167 ---------------------
 5 files changed, 376 deletions(-)
Comment 11 NATTkA bot gentoo-dev 2021-06-22 22:40:24 UTC
Unable to check for sanity:

> no match for package: x11-misc/xscreensaver-5.45-r1
Comment 12 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-08-08 01:53:16 UTC
Seemingly rather hard to exploit so no need for a GLSA. Closing.