via oss-security:
I found a trivial way to bypass the screen lock in the Cinnamon DE.
However, I don't know how to contact Cinnamon or Linux Mint people
properly, that's why I am posting here. Also, I am not sure whether
this is a Cinnamon bug or Xorg bug.

For the exploit to work, more than one keyboard layout needs to be
configured in Cinnamon keyboard settings, on the "layouts" tab. In the
demo VMs linked below, that's English and Russian. Instructions:

1. Boot the system. Or, boot a demo VM using the provided ./start.sh script.
2. Log in. In the demo VMs, the username is "user" and the password is
"password".
3. Lock the screen, using the "Lock Screen" icon in the main menu.
4.  Click the following using your mouse. On real hardware, a
touchscreen also works, so watch out for cats doing this by accident
 Important: do not use a hardware keyboard.

 * The virtual keyboard button at the bottom. The virtual keyboard
should appear.
 * The country flag or two-letter code on the left of the password
field. It should switch to RU, Russian.
 * The "q" virtual key, maybe more than once (what apparently matters
is that the character is not in the layout indicated in the password
field).

You may need to wait a few seconds for cinnamon-screensaver to actually crash.

Distributions affected:

Linux Mint 20.1 with Cinnamon DE:
https://u.pcloud.link/publink/show?code=kZBnOYXZq6WVUsKA6VQgrz9HgBGiyBC2JreX
cinnamon-screensaver 4.8.1+ulyssa, xserver-xorg-core 2:1.20.8-2ubuntu2.6
Note: if one updates the xserver-xorg-core package using apt (to
2:1.20.9-2ubuntu1.1~20.04.1) and reboots the VM, the bug is no longer
reproducible, so it may be a Xorg problem, not Cinnamon DE problem,
after all. The changelog entry for 2:1.20.8-2ubuntu6 does ring a bell,
it's for CVE-2020-14345 "Correct bounds checking in XkbSetNames()",
https://gitlab.freedesktop.org/xorg/xserver/-/commit/f7cd1276bbd4fe3a9700096dec33b52b8440788d
. However, the _XkbCheckRequestBounds() function added by this patch
also exists in the xorg-server version used by Arch Linux, so this
can't be it.

Debian Testing:
https://u.pcloud.link/publink/show?code=kZGwUYXZC1oC2dQq0TzDxhB0OBAL87B7JAaV
This distribution has 4.8.1-2, the only patch is for the path to PNG
versions of country flags. xserver-xorg-core is at 2:1.20.10-2, the
only patch is for a MIPS-specific build issue, obviously irrelevant
here. Dist-upgrading to Debian Unstable and rebooting does not fix the
bug.

Arch Linux: https://u.pcloud.link/publink/show?code=kZWfUYXZ7gbkkdrvvALNp1WkDy2EkJCjBAH7
This distribution also has the latest released cinnamon-screensaver,
4.8.1-1. xorg-server version is 1.20.10-3, the only patches applied
are for the build system, not for C code.

Note: for the purpose of not destroying the evidence, the VMs above
use "snapshot=on", so all changes will be lost on shutdown. Rebooting
is OK.

Distributions not affected:

Fedora 33 (automatically switches the layout to US)
cinnamon-screensaver 4.6.0-2.fc33
xorg-x11-server-common-1.20.10-1.fc33 in updates

Fedora 34 pre-release (Rawhide, also automatically switches the layout to US)
cinnamon-screensaver 4.8.1-1.fc34
xorg-x11-server-common 1.20.10-1.fc34

Debian 10 (cinnamon-screensaver 3.8.2-1 does not have a virtual keyboard)

I have not tested anything else. The above data points do not let me
conclude which package is responsible, so I cannot file a CVE at this
point.

References:
https://github.com/linuxmint/cinnamon-screensaver/issues/354
https://www.openwall.com/lists/oss-security/2021/01/15/1