FS#70531 - [xscreensaver] [Security] privilege escalation (CVE-2021-31523)
Attached to Project:
Arch Linux
Opened by Jonas Witschel (diabonas) - Wednesday, 21 April 2021, 19:46 GMT
Last edited by Andreas Radke (AndyRTR) - Thursday, 22 April 2021, 06:43 GMT
Details
Summary
=======
The package xscreensaver is vulnerable to privilege escalation via CVE-2021-31523.

Guidance
========
Upgrading xscreensaver to the fixed version 6.00 (https://www.jwz.org/xscreensaver/xscreensaver-6.00.tar.gz) fixes the issue.

References
==========
https://security.archlinux.org/AVG-1857
https://www.openwall.com/lists/oss-security/2021/04/17/1
https://www.openwall.com/lists/oss-security/2021/04/21/3
https://www.openwall.com/lists/oss-security/2021/04/17/1/1
https://twitter.com/jwz/status/1383503845217554444
Closed by Andreas Radke (AndyRTR)
Thursday, 22 April 2021, 06:43 GMT
Reason for closing: Not a bug
Additional comments about closing: Arch is not affected by this issue
Comment by Jonas Witschel (diabonas) - Wednesday, 21 April 2021, 19:57 GMT
Never mind, Arch does not ship /usr/lib/xscreensaver/sonar with CAP_NET_RAW (as can be verified using "pacman -S xscreensaver; getcap /usr/lib/xscreensaver/sonar"), so this issue is not exploitable with our package.