CVE-2021-34557
https://notcve.org/view.php?id=CVE-2021-34557
XScreenSaver 5.45 can be bypassed if the machine has more than ten disconnectable video outputs. A buffer overflow in update_screen_layout() allows an attacker to bypass the standard screen lock authentication mechanism by crashing XScreenSaver. The attacker must physically disconnect many video outputs. XScreenSaver versión 5.45 puede ser omitido si la máquina tiene más de diez salidas de vídeo desconectables. Un desbordamiento de búfer en la función update_screen_layout() permite a un atacante omitir el mecanismo de autenticación de bloqueo de pantalla estándar, al bloquear a XScreenSaver. • http://www.openwall.com/lists/oss-security/2021/06/11/1 http://www.openwall.com/lists/oss-security/2021/07/06/2 https://github.com/QubesOS/qubes-issues/issues/6595 https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-068-2021.txt https://github.com/QubesOS/qubes-xscreensaver/blob/master/0001-Fix-updating-outputs-info.patch https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TC4QB7TRS4GS7LDXQQ4PC6J3LVFJYISV https://www.openwall.com/lists/o • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVE-2021-31523
https://notcve.org/view.php?id=CVE-2021-31523
The Debian xscreensaver 5.42+dfsg1-1 package for XScreenSaver has cap_net_raw enabled for the /usr/libexec/xscreensaver/sonar file, which allows local users to gain privileges because this is arguably incompatible with the design of the Mesa 3D Graphics library dependency. El paquete Debian xscreensaver versión 5.42+dfsg1-1 para XScreenSaver presenta la función cap_net_raw habilitado para el archivo /usr/libexec/xscreensaver/sonar, lo que permite a usuarios locales alcanzar privilegios porque podría decirse que esto es incompatible con el diseño de la dependencia de la biblioteca Mesa 3D Graphics • http://www.openwall.com/lists/oss-security/2021/04/21/3 https://www.openwall.com/lists/oss-security/2021/04/17/1 • CWE-269: Improper Privilege Management •
CVE-2011-2187
https://notcve.org/view.php?id=CVE-2011-2187
xscreensaver before 5.14 crashes during activation and leaves the screen unlocked when in Blank Only Mode and when DPMS is disabled, which allows local attackers to access resources without authentication. xscreensaver versiones anteriores a la versión 5.14, se bloquea durante la activación y deja la pantalla desbloqueada cuando está en Modo Blank Only y cuando DPMS está desactivado, lo que permite a atacantes locales acceder a los recursos sin identificación • https://access.redhat.com/security/cve/cve-2011-2187 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=627382 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-2187 https://security-tracker.debian.org/tracker/CVE-2011-2187 https://www.jwz.org/xscreensaver/changelog.html https://www.openwall.com/lists/oss-security/2011/06/06/17 • CWE-306: Missing Authentication for Critical Function •
CVE-2015-8025
https://notcve.org/view.php?id=CVE-2015-8025
driver/subprocs.c in XScreenSaver before 5.34 does not properly perform an internal consistency check, which allows physically proximate attackers to bypass the lock screen by hot swapping monitors. driver/subprocs.c en XScreenSaver en versiones anteriores a 5.34 no lleva a cabo correctamente una comprobación de consistencia interna, lo que permite a atacantes físicamente próximos eludir la pantalla de bloqueo cambiando los monitores sin apagar el dispositivo. • http://lists.opensuse.org/opensuse-updates/2015-11/msg00102.html http://www.debian.org/security/2016/dsa-3438 http://www.openwall.com/lists/oss-security/2015/10/24/2 http://www.openwall.com/lists/oss-security/2015/10/25/1 http://www.openwall.com/lists/oss-security/2015/10/29/12 http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html http://www.securitytracker.com/id/1034052 http://www.ubuntu.com/usn/USN-2789-1 https://twitter.com/Thaolia& • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2007-5585
https://notcve.org/view.php?id=CVE-2007-5585
xscreensaver 5.03 and earlier, when running without xscreensaver-gl-extras (GL extras) installed, crashes when /usr/bin/xscreensaver-gl-helper does not exist and a user attempts to unlock the screen, which allows attackers with physical access to gain access to the locked session. xscreensaver 5.03 y anteriores, cuando funciona sin las instalaciones xscreensaver-gl-extras (GL extras), caen cuando /usr/bin/xscreensaver-gl-helper no existe y un usuario intenta desbloquar la pantalla, lo cual permite a atacantes con acceso físico ganar privilegio en la sesión bloqueada. • http://secunia.com/advisories/27392 http://www.securityfocus.com/bid/26204 https://bugzilla.redhat.com/show_bug.cgi?id=336331 https://www.redhat.com/archives/fedora-package-announce/2007-October/msg00336.html • CWE-399: Resource Management Errors •