haveged: upgrade 1.9.20 -> 1.9.22

Backport from wrynose (8bd9783601). Fixes CVE-2026-41054 (local
privilege escalation via command socket credential check bypass).

Changelog:
===========
* Add ReadWritePaths=/dev/shm to systemd service for semaphore creation
  under ProtectSystem=full sandboxing
* Fix privilege escalation via command socket (CVE-2026-41054)
* Check peer credentials before reading command (CVE-2026-41054)
* Handle failing opening of semaphore
* Fix /dev/shm permissions to use sticky bit
* Use chmod after mkdir to ensure correct /dev/shm permissions
* Update libtool: add lib64 search paths, remove dead code

Tested: Built core-image-full-cmdline for qemux86-64 (scarthgap,
bitbake 2.8). Booted in QEMU, verified haveged 1.9.22 starts and
provides entropy (entropy_avail=256, pool full).

(cherry picked from commit 8bd9783601)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Signed-off-by: Venkatasainath Ravikanti <venkatasainath.ravikanti@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Assisted-by: Kiro (Amazon)
Signed-off-by: Venkatasainath Ravikanti <venkatasainath.ravikanti@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
This commit is contained in:
Wang Mingyu
2026-06-30 20:51:57 +00:00
committed by Anuj Mittal
parent a553f99002
commit dae9f04be9
@@ -6,7 +6,7 @@ HOMEPAGE = "https://www.issihosts.com/haveged/index.html"
LICENSE = "GPL-3.0-only"
LIC_FILES_CHKSUM="file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
SRCREV = "e2d96806273caa9ce7457e2f8669a3c40517ca27"
SRCREV = "21bad00a09233855fbea14ac062bc72b5eabc9a6"
SRC_URI = "git://github.com/jirka-h/haveged.git;branch=master;protocol=https \
"
S = "${WORKDIR}/git"