On Sat, Jan 10, 2026 at 09:07:49PM +0000, Colin Watson wrote:
> On Sat, Jan 10, 2026 at 05:01:12AM -0600, G. Branden Robinson wrote:
> > Between glibc malloc's and Debian's hardening flags, this problem
> > appears to be pre-mitigated, at least as far back as groff 1.22.4-6.
> [...]
> > $ ~/groff-1.23.0/bin/groff -p /tmp/bigger-crasher.groff
> > *** stack smashing detected ***: terminated
> > /home/branden/groff-1.23.0/bin/groff: error: pic: Aborted (core dumped)
> > $ /usr/bin/groff -p /tmp/bigger-crasher.groff
> > *** stack smashing detected ***: terminated
> > /usr/bin/groff: pic: Signal 6 (core dumped)
> >
> > Perhaps these findings put a ceiling on the potential severity of this
> > bug report.
>
> Given your output I'm inclined to agree. In this case I think it would be
> fine to just pick this fix up when you release 1.24.0, and not worry about
> backporting it to stable releases?
>
> CCing team@security to double-check. (I haven't included the whole history;
> see https://bugs.debian.org/1125162.)
This needs to be looked at from two angles:

* As far as Debian is concerned, the toolchain changes render this harmless;
  it's just a regular bug and it can be ignored for older branches.

* Most Linux distributions use -fstack-protector by default; e.g. Ubuntu
  modifies their default flags to include it and Debian passes it via
  dpkg-buildflags. SuSE and Red Hat also enable it by default. That said,
  there will still be a few setups on Linux and most certainly also on other
  Unix variants where default GCC flags are used which don't include
  -fstack-protector, so for their benefit cherry-picking it into older
  release branches would still be useful.
Cheers,
Moritz
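The second angle above (distro defaults vs. plain GCC defaults) is something a packager can check rather than assume. The script below is an added example, not part of the thread or of groff; the helper names (stack_protector_state, compiler_default_ssp, debian_buildflags_ssp) are my own. It relies on two facts: GCC applies the last -f[no-]stack-protector* flag on the command line, and GCC/Clang predefine __SSP__, __SSP_STRONG__, __SSP_ALL__ or __SSP_EXPLICIT__ whenever a stack-protector mode is active, so preprocessing an empty input with -dM reveals whether the compiler has a built-in default like Ubuntu's.

```shell
#!/bin/sh
# Added example (not from the bug thread): audit whether -fstack-protector is in
# effect for a build. Three helpers (names are assumptions, not a real tool):
#   stack_protector_state FLAGS  - pure string check over a flag list
#   compiler_default_ssp CC      - what the compiler enables with no flags at all
#   debian_buildflags_ssp        - what dpkg-buildflags injects on Debian

# Classify a flag list. Prints "off", "explicit" (only functions carrying
# __attribute__((stack_protect)) get canaries) or "on" (-fstack-protector,
# -fstack-protector-strong or -fstack-protector-all). Last flag wins, as in GCC.
stack_protector_state() {
    state=off
    for flag in $1; do
        case "$flag" in
            -fno-stack-protector)       state=off ;;
            -fstack-protector-explicit) state=explicit ;;
            -fstack-protector|-fstack-protector-strong|-fstack-protector-all)
                                        state=on ;;
        esac
    done
    printf '%s\n' "$state"
}

# Ask the real compiler which __SSP*__ macro it predefines for an empty C
# translation unit; a vendor default (Ubuntu-style spec patching) shows up here.
compiler_default_ssp() {
    cc="${1:-cc}"
    macros=$(printf '' | "$cc" -x c -dM -E - 2>/dev/null | grep -o '__SSP[A-Z_]*__')
    if [ -n "$macros" ]; then
        printf 'compiler default stack protector: %s\n' "$macros"
    else
        printf 'compiler default has no stack protector; the build system must pass -fstack-protector*\n'
    fi
}

# Debian does not patch GCC; dpkg-buildflags supplies the hardening flags, so
# inspect the CFLAGS it would hand to a package build.
debian_buildflags_ssp() {
    if command -v dpkg-buildflags >/dev/null 2>&1; then
        printf 'dpkg-buildflags CFLAGS -> stack protector %s\n' \
            "$(stack_protector_state "$(dpkg-buildflags --get CFLAGS)")"
    else
        printf 'dpkg-buildflags not installed; skipping Debian check\n'
    fi
}

# Usage: sh ssp-audit.sh --report   (CC=clang sh ssp-audit.sh --report for Clang)
if [ "${1:-}" = "--report" ]; then
    compiler_default_ssp "${CC:-cc}"
    debian_buildflags_ssp
fi
```

On a stock Debian box the first line reports no default stack protector while the second reports "on" (dpkg-buildflags emits -fstack-protector-strong); on Ubuntu the compiler itself reports __SSP_STRONG__. A machine where both checks come back "off"/"none" is exactly the kind of setup the last paragraph above has in mind, which is the argument for cherry-picking the fix rather than relying on the mitigation.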