Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:sudo
User: [email protected]
Usertags: pu

(Please provide enough information to help the release team to judge the request efficiently. E.g. by filling in the sections below.)

[ Reason ]
sudo on i386 on a not-quite-i686 CPU like the AMD Geode terminates with an illegal opcode error.

[ Impact ]
Sudo is unusable on those machines.

[ Tests ]
This has been discussed with the TC (#1113774). sudo has a testsuite.

[ Risks ]
bookworm is the last full release for i386. It is therefore likely to be used for a long time.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Enable Intel CET on amd64 only

diff -Nru sudo-1.9.13p3/debian/changelog sudo-1.9.13p3/debian/changelog --- sudo-1.9.13p3/debian/changelog 2025-06-24 09:29:50.000000000 +0200 +++ sudo-1.9.13p3/debian/changelog 2025-12-30 21:07:33.000000000 +0100 @@ -1,3 +1,12 @@ +sudo (1.9.13p3-1+deb12u3) bookworm; urgency=medium + + * Apply a patch fro Marcos Del Sol Vives to Enable Intel CET on amd64 only. + This has been discussed with the TC in #1113774. After following their + advice to apply the patch, I verified that this change produces an + identical deb on amd64 (Closes: #1124339) + + -- Marc Haber <[email protected]> Tue, 30 Dec 2025 21:07:33 +0100 + sudo (1.9.13p3-1+deb12u2) bookworm-security; urgency=high * Non-maintainer upload by the Security Team. diff -Nru sudo-1.9.13p3/debian/patches/amd64-ibt.diff sudo-1.9.13p3/debian/patches/amd64-ibt.diff --- sudo-1.9.13p3/debian/patches/amd64-ibt.diff 1970-01-01 01:00:00.000000000 +0100 +++ sudo-1.9.13p3/debian/patches/amd64-ibt.diff 2025-12-30 21:07:33.000000000 +0100 @@ -0,0 +1,28 @@ +From: Marcos Del Sol Vives <[email protected]> +Date: Tue, 2 Sep 2025 00:00:35 +0200 +Subject: Enable Intel CET on amd64 only + +--- + m4/hardening.m4 | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/m4/hardening.m4 b/m4/hardening.m4 +index f7d2a8c..cc7ee01 100644 +--- a/m4/hardening.m4 ++++ b/m4/hardening.m4 +@@ -105,6 +105,7 @@ AC_DEFUN([SUDO_CHECK_HARDENING], [ + ]) + fi + ++ if test "$host_cpu" = "x86_64"; then + # Check for control-flow transfer instrumentation (Intel CET). + AX_CHECK_COMPILE_FLAG([-fcf-protection], [ + AX_CHECK_LINK_FLAG([-fcf-protection], [ +@@ -112,6 +113,7 @@ AC_DEFUN([SUDO_CHECK_HARDENING], [ + AX_APPEND_FLAG([-Wc,-fcf-protection], [HARDENING_LDFLAGS]) + ]) + ]) ++ fi + fi + + # Linker-specific hardening flags. diff -Nru sudo-1.9.13p3/debian/patches/series sudo-1.9.13p3/debian/patches/series --- sudo-1.9.13p3/debian/patches/series 2025-06-24 09:24:11.000000000 +0200 +++ sudo-1.9.13p3/debian/patches/series 2025-12-30 21:07:33.000000000 +0100 
@@ -1,8 +1,6 @@ -# 1004909-ftbfs-kfreebsd -# debian-bugs-1019428 -# dont-create-ChangeLog debian-bug-1039557 paths-in-samples.diff Whitelist-DPKG_COLORS-environment-variable.diff sudo-ldap-docs sudo_host_vuln.diff +amd64-ibt.diff
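
Review bot: the debian/changelog entry for 1.9.13p3-1+deb12u3 says what was changed but not the failure it fixes, and it has a typo ("fro" for "from"). Suggest wording along the lines of "Apply a patch from Marcos Del Sol Vives to enable Intel CET on amd64 only, so that sudo no longer dies with an illegal opcode on i386 CPUs such as the AMD Geode", so that someone reading the stable changelog later sees the reason without opening #1113774.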
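
Review bot: in m4/hardening.m4 the new guard 'if test "$host_cpu" = "x86_64"; then' has no comment explaining why -fcf-protection is now skipped on every other host CPU, and the existing comment "Check for control-flow transfer instrumentation (Intel CET)" ends up inside the conditional, describing only the body. Suggest a one-line comment above the test stating the reason and pointing to the bug. The header of debian/patches/amd64-ibt.diff also carries only From, Date and Subject; a Bug-Debian reference to #1113774 or #1124339 there would keep the rationale with the patch.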
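
Review bot: the debian/patches/series hunk removes the three commented-out entries "# 1004909-ftbfs-kfreebsd", "# debian-bugs-1019428" and "# dont-create-ChangeLog" in addition to appending amd64-ibt.diff, and the changelog entry does not mention that, although the checklist states that all changes are documented in d/changelog. Either leave the commented lines in place for this stable update so the hunk is limited to "+amd64-ibt.diff", or add a changelog line for the cleanup.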

