Already fixed in XScreenSaver 6.00. The bug is in Mesa: it has a panoply of env vars that do what LD_PRELOAD does, except Mesa only checks geteuid instead of checking getauxval AT_SECURE, as the kernel does. So anything that uses both Mesa and setcap is vulnerable.
Ironically, using setuid instead of setcap does not have the vulnerability.
