Version in base suite: 1.9.19-12 Base version: haveged_1.9.19-12 Target version: haveged_1.9.19-12+deb13u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/h/haveged/haveged_1.9.19-12.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/h/haveged/haveged_1.9.19-12+deb13u1.dsc changelog | 9 + patches/Check-peer-credentials-before-reading-command-CVE-20.patch | 82 ++++++++++ patches/Fix-privilege-escalation-via-command-socket-CVE-2026.patch | 39 ++++ patches/series | 2 4 files changed, 132 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpzj9aoh5b/haveged_1.9.19-12.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpzj9aoh5b/haveged_1.9.19-12+deb13u1.dsc: no acceptable signature found
diff -Nru haveged-1.9.19/debian/changelog haveged-1.9.19/debian/changelog
--- haveged-1.9.19/debian/changelog 2025-04-25 15:58:00.000000000 +0000
+++ haveged-1.9.19/debian/changelog 2026-05-22 12:51:39.000000000 +0000
@@ -1,3 +1,12 @@
+haveged (1.9.19-12+deb13u1) trixie-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Fix privilege escalation via command socket (CVE-2026-41054)
+ (Closes: #1137096)
+ * Check peer credentials before reading command (CVE-2026-41054)
+
+ -- Salvatore Bonaccorso Fri, 22 May 2026 14:51:39 +0200
+
 haveged (1.9.19-12) sid; urgency=medium
 
 [ Daniel Baumann ]
diff -Nru haveged-1.9.19/debian/patches/Check-peer-credentials-before-reading-command-CVE-20.patch haveged-1.9.19/debian/patches/Check-peer-credentials-before-reading-command-CVE-20.patch
--- haveged-1.9.19/debian/patches/Check-peer-credentials-before-reading-command-CVE-20.patch 1970-01-01 00:00:00.000000000 +0000
+++ haveged-1.9.19/debian/patches/Check-peer-credentials-before-reading-command-CVE-20.patch 2026-05-22 12:51:06.000000000 +0000
@@ -0,0 +1,82 @@
+From: Jirka Hladky
+Date: Fri, 8 May 2026 00:09:33 +0200
+Subject: Check peer credentials before reading command (CVE-2026-41054)
+Origin: https://github.com/jirka-h/haveged/commit/bcd7e52bcf0068225b7ee84a1f85c9d72a787b54
+
+Move the SO_PEERCRED uid check before the magic-byte read so
+unauthenticated callers are rejected without any command parsing.
+Also zero-initialize the magic buffer.
+
+Co-Authored-By: Claude Opus 4.6
+---
+ src/havegecmd.c | 40 ++++++++++++++++++++--------------------
+ 1 file changed, 20 insertions(+), 20 deletions(-)
+
+diff --git a/src/havegecmd.c b/src/havegecmd.c
+index e0fc4b213004..13b3d5611c1d 100644
+--- a/src/havegecmd.c
++++ b/src/havegecmd.c
+@@ -249,7 +249,7 @@ int socket_handler( /* RETURN: closed file descriptor */
+ struct pparams *params) /* IN: input params */
+ {
+ struct ucred cred = {0};
+- unsigned char magic[2], *ptr;
++ unsigned char magic[2] = {0}, *ptr;
+ char *enqry;
+ char *optarg = NULL;
+ socklen_t clen;
+@@ -259,6 +259,25 @@ int socket_handler( /* RETURN: closed file descriptor */
+ print_msg("%s: no connection jet\n", params->daemon);
+ }
+
++ clen = sizeof(struct ucred);
++ ret = getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cred, &clen);
++ if (ret < 0) {
++ print_msg("%s: can not get credentials from UNIX socket part1\n", params->daemon);
++ goto out;
++ }
++ if (clen != sizeof(struct ucred)) {
++ print_msg("%s: can not get credentials from UNIX socket part2\n", params->daemon);
++ goto out;
++ }
++ if (cred.uid != 0) {
++ enqry = ASCII_NAK;
++
++ ptr = (unsigned char *)enqry;
++ len = (int)strlen(enqry)+1;
++ safeout(fd, ptr, len);
++ goto out;
++ }
++
+ ptr = &magic[0];
+ len = sizeof(magic);
+ ret = safein(fd, ptr, len);
+@@ -301,25 +320,6 @@ int socket_handler( /* RETURN: closed file descriptor */
+ sem_unlink(SEM_NAME);
+ }
+
+- clen = sizeof(struct ucred);
+- ret = getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cred, &clen);
+- if (ret < 0) {
+- print_msg("%s: can not get credentials from UNIX socket part1\n", params->daemon);
+- goto out;
+- }
+- if (clen != sizeof(struct ucred)) {
+- print_msg("%s: can not get credentials from UNIX socket part2\n", params->daemon);
+- goto out;
+- }
+- if (cred.uid != 0) {
+- enqry = ASCII_NAK;
+-
+- ptr = (unsigned char *)enqry;
+- len = (int)strlen(enqry)+1;
+- safeout(fd, ptr, len);
+- goto out;
+- }
+-
+ switch (magic[0]) {
+ case MAGIC_CHROOT:
+ enqry = ASCII_ACK;
+-- 
+2.53.0
+
diff -Nru haveged-1.9.19/debian/patches/Fix-privilege-escalation-via-command-socket-CVE-2026.patch haveged-1.9.19/debian/patches/Fix-privilege-escalation-via-command-socket-CVE-2026.patch
--- haveged-1.9.19/debian/patches/Fix-privilege-escalation-via-command-socket-CVE-2026.patch 1970-01-01 00:00:00.000000000 +0000
+++ haveged-1.9.19/debian/patches/Fix-privilege-escalation-via-command-socket-CVE-2026.patch 2026-05-22 12:50:13.000000000 +0000
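Review bot: The `cred.uid != 0` branch that this patch moves ahead of the magic read refuses the peer without leaving any trace: it sends `ASCII_NAK` and jumps to `out`, whereas the two getsockopt failure paths just above it do call `print_msg`. Recording the refused peer would give operators a signal that something unprivileged is talking to the command socket, e.g. `print_msg("%s: refused command from uid %u (pid %d)\n", params->daemon, (unsigned)cred.uid, (int)cred.pid);` before `safeout`; if print_msg ends up in syslog, some rate limiting may be needed so the message cannot be used to flood the log. A comment above the block would also help the next reader, e.g. `/* authorize the peer before any command byte is read; SO_PEERCRED reports the credentials captured at connect() */`. socket_handler begins and ends outside these hunks, so what the `out` label does with fd on these early exits cannot be confirmed from here.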
@@ -0,0 +1,39 @@
+From: Jirka Hladky
+Date: Tue, 5 May 2026 15:35:13 +0200
+Subject: Fix privilege escalation via command socket (CVE-2026-41054)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Origin: https://github.com/jirka-h/haveged/commit/3870de0270d3fa2067490ffa47491abde4ad69c6
+Bug-Debian: https://bugs.debian.org/1137096
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2026-41054
+
+The uid != 0 check sent a NAK to non-root callers but did not
+exit the function, allowing execution to fall through to the
+command switch. This allowed unprivileged local users to send
+commands (MAGIC_CHROOT, MAGIC_CLOSE) to the root-running daemon
+via the abstract UNIX socket.
+
+Add goto out after the NAK response to properly reject
+non-root connections.
+
+Reported-by: Dirk Müller
+---
+ src/havegecmd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/havegecmd.c b/src/havegecmd.c
+index e87767e33325..e0fc4b213004 100644
+--- a/src/havegecmd.c
++++ b/src/havegecmd.c
+@@ -317,6 +317,7 @@ int socket_handler( /* RETURN: closed file descriptor */
+ ptr = (unsigned char *)enqry;
+ len = (int)strlen(enqry)+1;
+ safeout(fd, ptr, len);
++ goto out;
+ }
+
+ switch (magic[0]) {
+-- 
+2.53.0
+
diff -Nru haveged-1.9.19/debian/patches/series haveged-1.9.19/debian/patches/series
--- haveged-1.9.19/debian/patches/series 2025-04-25 15:57:27.000000000 +0000
+++ haveged-1.9.19/debian/patches/series 2026-05-22 12:51:11.000000000 +0000
@@ -1,2 +1,4 @@
 debian/0001-shm-directory.patch
 debian/0002-flush-startup-output.patch
+Fix-privilege-escalation-via-command-socket-CVE-2026.patch
+Check-peer-credentials-before-reading-command-CVE-20.patch
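Review bot: Nothing in this upload exercises the rejection path that the added `goto out;` creates: the four changed files are the changelog, the two patches and `series`, so the one statement that keeps non-root peers out of `switch (magic[0])` has no regression test behind it. A test (autopkgtest or upstream) that checks a non-root peer receives only the NAK and that no command case runs would catch a later refactor that reintroduces the fall-through. A comment on the added line would make the intent explicit as well, e.g. `/* reject: non-root peers must never reach the command switch */`. The enclosing `if` and the rest of socket_handler lie outside the hunk.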