Version in base suite: 1.9.14-1 Base version: haveged_1.9.14-1 Target version: haveged_1.9.14-1+deb12u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/h/haveged/haveged_1.9.14-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/h/haveged/haveged_1.9.14-1+deb12u1.dsc changelog | 9 + patches/Check-peer-credentials-before-reading-command-CVE-20.patch | 77 ++++++++++ patches/Fix-privilege-escalation-via-command-socket-CVE-2026.patch | 39 +++++ patches/series | 2 4 files changed, 127 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp7wdzk7mz/haveged_1.9.14-1.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp7wdzk7mz/haveged_1.9.14-1+deb12u1.dsc: no acceptable signature found
diff -Nru haveged-1.9.14/debian/changelog haveged-1.9.14/debian/changelog
--- haveged-1.9.14/debian/changelog 2021-01-13 23:56:44.000000000 +0000
+++ haveged-1.9.14/debian/changelog 2026-05-22 12:56:30.000000000 +0000
@@ -1,3 +1,12 @@
+haveged (1.9.14-1+deb12u1) bookworm-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Fix privilege escalation via command socket (CVE-2026-41054)
+ (Closes: #1137096)
+ * Check peer credentials before reading command (CVE-2026-41054)
+
+ -- Salvatore Bonaccorso Fri, 22 May 2026 14:56:30 +0200
+
 haveged (1.9.14-1) unstable; urgency=low
 
 * New upstram version (2021-01-01)
diff -Nru haveged-1.9.14/debian/patches/Check-peer-credentials-before-reading-command-CVE-20.patch haveged-1.9.14/debian/patches/Check-peer-credentials-before-reading-command-CVE-20.patch
--- haveged-1.9.14/debian/patches/Check-peer-credentials-before-reading-command-CVE-20.patch 1970-01-01 00:00:00.000000000 +0000
+++ haveged-1.9.14/debian/patches/Check-peer-credentials-before-reading-command-CVE-20.patch 2026-05-22 12:56:30.000000000 +0000
@@ -0,0 +1,77 @@
+From: Jirka Hladky
+Date: Fri, 8 May 2026 00:09:33 +0200
+Subject: Check peer credentials before reading command (CVE-2026-41054)
+Origin: https://github.com/jirka-h/haveged/commit/bcd7e52bcf0068225b7ee84a1f85c9d72a787b54
+
+Move the SO_PEERCRED uid check before the magic-byte read so
+unauthenticated callers are rejected without any command parsing.
+Also zero-initialize the magic buffer.
+
+Co-Authored-By: Claude Opus 4.6
+---
+ src/havegecmd.c | 40 ++++++++++++++++++++--------------------
+ 1 file changed, 20 insertions(+), 20 deletions(-)
+
+--- a/src/havegecmd.c
++++ b/src/havegecmd.c
+@@ -246,7 +246,7 @@ int socket_handler( /* RE
+ struct pparams *params) /* IN: input params */
+ {
+ struct ucred cred = {0};
+- unsigned char magic[2], *ptr;
++ unsigned char magic[2] = {0}, *ptr;
+ char *enqry;
+ char *optarg = NULL;
+ socklen_t clen;
+@@ -256,6 +256,25 @@ int socket_handler( /* RE
+ print_msg("%s: no connection jet\n", params->daemon);
+ }
+
++ clen = sizeof(struct ucred);
++ ret = getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cred, &clen);
++ if (ret < 0) {
++ print_msg("%s: can not get credentials from UNIX socket part1\n", params->daemon);
++ goto out;
++ }
++ if (clen != sizeof(struct ucred)) {
++ print_msg("%s: can not get credentials from UNIX socket part2\n", params->daemon);
++ goto out;
++ }
++ if (cred.uid != 0) {
++ enqry = ASCII_NAK;
++
++ ptr = (unsigned char *)enqry;
++ len = (int)strlen(enqry)+1;
++ safeout(fd, ptr, len);
++ goto out;
++ }
++
+ ptr = &magic[0];
+ len = sizeof(magic);
+ ret = safein(fd, ptr, len);
+@@ -287,25 +306,6 @@ int socket_handler( /* RE
+ }
+ }
+
+- clen = sizeof(struct ucred);
+- ret = getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cred, &clen);
+- if (ret < 0) {
+- print_msg("%s: can not get credentials from UNIX socket part1\n", params->daemon);
+- goto out;
+- }
+- if (clen != sizeof(struct ucred)) {
+- print_msg("%s: can not get credentials from UNIX socket part2\n", params->daemon);
+- goto out;
+- }
+- if (cred.uid != 0) {
+- enqry = ASCII_NAK;
+-
+- ptr = (unsigned char *)enqry;
+- len = (int)strlen(enqry)+1;
+- safeout(fd, ptr, len);
+- goto out;
+- }
+-
+ switch (magic[0]) {
+ case MAGIC_CHROOT:
+ enqry = ASCII_ACK;
diff -Nru haveged-1.9.14/debian/patches/Fix-privilege-escalation-via-command-socket-CVE-2026.patch haveged-1.9.14/debian/patches/Fix-privilege-escalation-via-command-socket-CVE-2026.patch
--- haveged-1.9.14/debian/patches/Fix-privilege-escalation-via-command-socket-CVE-2026.patch 1970-01-01 00:00:00.000000000 +0000
+++ haveged-1.9.14/debian/patches/Fix-privilege-escalation-via-command-socket-CVE-2026.patch 2026-05-22 12:55:53.000000000 +0000
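Review bot: The `if (cred.uid != 0)` branch added in the `@@ -256,6 +256,25 @@` hunk of src/havegecmd.c sends the NAK and leaves without recording anything, so a non-root process probing the command socket never shows up in the daemon's output. SO_PEERCRED has already filled `cred` at that point, so I would log the peer before `goto out;`, assuming print_msg is printf-style as its visible calls suggest: `print_msg("%s: rejected command from uid %u pid %d\n", params->daemon, (unsigned)cred.uid, (int)cred.pid);`. The `part1` message on the getsockopt failure path would also be easier to triage with `strerror(errno)` appended. socket_handler begins and ends outside these hunks, so what `out:` does with `fd` is not visible here.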
@@ -0,0 +1,39 @@
+From: Jirka Hladky
+Date: Tue, 5 May 2026 15:35:13 +0200
+Subject: Fix privilege escalation via command socket (CVE-2026-41054)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Origin: https://github.com/jirka-h/haveged/commit/3870de0270d3fa2067490ffa47491abde4ad69c6
+Bug-Debian: https://bugs.debian.org/1137096
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2026-41054
+
+The uid != 0 check sent a NAK to non-root callers but did not
+exit the function, allowing execution to fall through to the
+command switch. This allowed unprivileged local users to send
+commands (MAGIC_CHROOT, MAGIC_CLOSE) to the root-running daemon
+via the abstract UNIX socket.
+
+Add goto out after the NAK response to properly reject
+non-root connections.
+
+Reported-by: Dirk Müller
+---
+ src/havegecmd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/havegecmd.c b/src/havegecmd.c
+index e87767e33325..e0fc4b213004 100644
+--- a/src/havegecmd.c
++++ b/src/havegecmd.c
+@@ -317,6 +317,7 @@ int socket_handler( /* RETURN: closed file descriptor */
+ ptr = (unsigned char *)enqry;
+ len = (int)strlen(enqry)+1;
+ safeout(fd, ptr, len);
++ goto out;
+ }
+
+ switch (magic[0]) {
+-- 
+2.53.0
+
diff -Nru haveged-1.9.14/debian/patches/series haveged-1.9.14/debian/patches/series
--- haveged-1.9.14/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ haveged-1.9.14/debian/patches/series 2026-05-22 12:56:15.000000000 +0000
@@ -0,0 +1,2 @@
+Fix-privilege-escalation-via-command-socket-CVE-2026.patch
+Check-peer-credentials-before-reading-command-CVE-20.patch
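Review bot: The `goto out;` added in the `@@ -317,6 +317,7 @@` hunk of src/havegecmd.c is the only thing keeping a non-root peer away from `switch (magic[0])`, and nothing in the code says so. A one-line comment above it would guard against the jump being dropped again in a later refactor, for example `/* non-root peer: NAK sent, must not fall through to the command switch */`. The enclosing `if` and the rest of socket_handler lie outside the hunk.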