Bug#1124339: enable intel CET on amd64 only
Package: sudo
Version: 1.9.13p3-1
Severity: important
X-Debbugs-Cc: debian-amd64@lists.debian.org
User: debian-amd64@lists.debian.org
Usertags: amd64
User: debian-qa@lists.debian.org
Usertags: i386
Hi,
this bug only affects bookworm, and only i386 systems running on one of
those not-so-quite-i686 CPUs that unfortunately includes the rather
common AMD Geode. There was discussion with the ctte (#1113774) and
their advice was to enable the offending hardening option (Intel CET
which hides itself behind -fcf-protection) on AMD64 only.
This will probably also fix #1004894.
Bookworm is the last Debian release that supports i386 as a full
architecture. It is therefore expected that this sudo version is going
to be used on i386 systems for a long time. On current systems, i386 is
likely to be used in containers and chroots and multiarch setups only,
so using an amd64 sudo on such systems is advised. Independent of an
upstream fix that is on the way, there is no update for trixie and newer
necessary for this reason.
The patch was submitted by Marcos Del Sol Vives. I verified that the
patched package built on bookworm delivers a byte identical package on
amd64 and a different one on i386. I did not do any further testing.
Greetings
Marc
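For readers who want to see what "enable -fcf-protection on amd64 only" looks like in packaging terms, the fragment below is an added illustration and is not the patch submitted in this bug nor sudo's own debian/rules. It assumes the package honours the dpkg buildflags mechanism (DEB_CFLAGS_MAINT_APPEND) and gates the flag on DEB_HOST_ARCH from architecture.mk; how the real sudo build ends up passing or suppressing the flag may differ.

```make
# Illustrative debian/rules fragment (not the actual sudo packaging).
# Pull in DEB_HOST_ARCH and friends from dpkg.
include /usr/share/dpkg/architecture.mk

# Intel CET (indirect branch tracking / shadow stack) is only safe to
# request where the generated endbr instructions are guaranteed to be
# harmless, so append -fcf-protection on amd64 alone and leave i386
# (including pre-i686-ish CPUs such as the AMD Geode) without it.
ifeq ($(DEB_HOST_ARCH),amd64)
export DEB_CFLAGS_MAINT_APPEND += -fcf-protection
export DEB_CXXFLAGS_MAINT_APPEND += -fcf-protection
endif

%:
	dh $@
```

To confirm the result on a built amd64 binary, `readelf -n /usr/bin/sudo` should list a GNU_PROPERTY_TYPE_0 note with the "x86 feature: IBT, SHSTK" property, while the i386 build of the same source should carry no such note; comparing the two packages this way is a quicker check than the byte-for-byte comparison described above.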