Bug#1113774: Disabling -fcf-protection in sudo for bookworm
On Wed, Sep 24, 2025 at 07:19:37PM +0200, Christoph Berg wrote:
> Around the time of the discussion, upstream sudo included a change that limits
> -fcf-protection to x86_64: https://github.com/sudo-project/sudo/pull/468
The problem that I have with this change is that it was suggested by the
same individual who wants us to do this change in Debian. Only sudo
upstream didn't push back as hard as I did.
> Upstream mentioned in the upstream issue:
> "https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.html
> explicitly mentions x86_64 for when to use `-fcf-protection`."
I planned to talk to upstream about this, but it looks like I didn't get
a round tuit quickly enough to actually do that. I apologize.
Given your summary [snipped] I would like to thank you for that
research. I don't have anything to add to your sound reasoning. It was
important to me to hear that from a source I trust. That is the case
now.
> Possible TC rulings are:
> * agree with the submitter. -fcf-protection is no-op on i386; the sudo package
>   should be updated.
> * reject the request; changing sudo for a very small number of users is too risky
>   (FWIW, the patch from https://github.com/sudo-project/sudo/pull/468 applies
>   trivially to sudo 1.9.13p3-1+deb12u2)
> * reject the request; bookworm is already oldstable (if it's reaching us only
>   now, it's not that important)
> * reject the request; the CPU in question is not part of the baseline
> Marc has indicated that he would accept advice on this issue so we might go
> with issuing that instead of formally overriding him.
I reaffirm that. Should the TC decline to give formal advice (which I
would be fine with), I would go ahead to disable -fcf-protection for
i386 builds (and verify that the amd64 and arm64 binaries stay identical)
and build packages for trixie and bookworm, and submit both of them for the
next point release.
Given that upstream went ahead with that change, I don't plan on doing
extra work for sid and forky; that'll happen in due time when I package
the next upstream release.
Sadly, it will be at least mid-October until I have time to do
that. So the TC can take the time to decide whether to go forward or
not.
I really appreciate the work you did on this.
Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany | lose things." Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421
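The thread turns on whether -fcf-protection actually changes the produced binaries on a given architecture, and on verifying that the amd64 and arm64 builds are unaffected by an i386-only change. The check a packager can run is to look at the .note.gnu.property section: with -fcf-protection, GCC emits a GNU_PROPERTY_X86_FEATURE_1_AND property whose IBT and SHSTK bits the kernel and dynamic linker consult. The following is an added example, not code from the bug report, from Debian's sudo packaging or from sudo upstream. It assumes only the ELF note layout from the gABI and the x86 psABI (note names padded to 4 bytes; descriptors and property data padded to 8 bytes on ELF64, 4 on ELF32), and the sample notes it builds are constructed inline, not taken from any real package.

```python
"""Report which CET markers (IBT, SHSTK) an ELF object carries in .note.gnu.property.

Added example for the sudo -fcf-protection discussion; not part of sudo or Debian.
Assumed constants come from the x86 psABI and binutils headers.
"""
import struct
import sys

NT_GNU_PROPERTY_TYPE_0 = 5                      # note type used by .note.gnu.property
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002     # property type carrying CET bits
GNU_PROPERTY_X86_FEATURE_1_IBT = 1 << 0
GNU_PROPERTY_X86_FEATURE_1_SHSTK = 1 << 1


def _align(n, a):
    return (n + a - 1) & ~(a - 1)


def build_gnu_property_note(feature_bits, elfclass, little_endian=True):
    """Construct a .note.gnu.property blob the way the assembler would (sample data)."""
    end = "<" if little_endian else ">"
    align = 8 if elfclass == 64 else 4
    pr_data = struct.pack(end + "I", feature_bits)
    desc = struct.pack(end + "II", GNU_PROPERTY_X86_FEATURE_1_AND, len(pr_data)) + pr_data
    desc += b"\0" * (_align(len(desc), align) - len(desc))   # property data padding
    name = b"GNU\0"
    return struct.pack(end + "III", len(name), len(desc), NT_GNU_PROPERTY_TYPE_0) + name + desc


def parse_gnu_property_notes(data, elfclass, little_endian=True):
    """Return {pr_type: raw pr_data} for every GNU_PROPERTY_TYPE_0 note in a section."""
    end = "<" if little_endian else ">"
    align = 8 if elfclass == 64 else 4
    props = {}
    off = 0
    while off + 12 <= len(data):
        namesz, descsz, ntype = struct.unpack_from(end + "III", data, off)
        name_off = off + 12
        desc_off = name_off + _align(namesz, 4)          # names are always 4-byte padded
        name = data[name_off:name_off + namesz]
        desc = data[desc_off:desc_off + descsz]
        off = desc_off + _align(descsz, align)           # descriptor padded to 8 (ELF64) / 4 (ELF32)
        if ntype != NT_GNU_PROPERTY_TYPE_0 or name != b"GNU\0":
            continue
        p = 0
        while p + 8 <= len(desc):
            pr_type, pr_datasz = struct.unpack_from(end + "II", desc, p)
            props[pr_type] = desc[p + 8:p + 8 + pr_datasz]
            p += 8 + _align(pr_datasz, align)
    return props


def x86_feature_1_and(data, elfclass, little_endian=True):
    """CET feature bits, or None when no such property is present (e.g. built without -fcf-protection)."""
    raw = parse_gnu_property_notes(data, elfclass, little_endian).get(GNU_PROPERTY_X86_FEATURE_1_AND)
    if raw is None or len(raw) < 4:
        return None
    return struct.unpack_from(("<" if little_endian else ">") + "I", raw)[0]


def describe_cet(bits):
    if bits is None:
        return "no GNU_PROPERTY_X86_FEATURE_1_AND note (CET markers absent)"
    names = [n for flag, n in ((GNU_PROPERTY_X86_FEATURE_1_IBT, "IBT"),
                               (GNU_PROPERTY_X86_FEATURE_1_SHSTK, "SHSTK")) if bits & flag]
    return ", ".join(names) if names else "note present but neither IBT nor SHSTK set"


def read_note_gnu_property(path):
    """Locate .note.gnu.property via the section header table; returns (data, elfclass, little_endian) or None."""
    with open(path, "rb") as f:
        blob = f.read()
    if blob[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    elfclass = 64 if blob[4] == 2 else 32
    le = blob[5] == 1
    end = "<" if le else ">"
    if elfclass == 64:
        (shoff,) = struct.unpack_from(end + "Q", blob, 0x28)
        shentsize, shnum, shstrndx = struct.unpack_from(end + "HHH", blob, 0x3A)
        sh_fmt = end + "IIQQQQ"   # sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size
    else:
        (shoff,) = struct.unpack_from(end + "I", blob, 0x20)
        shentsize, shnum, shstrndx = struct.unpack_from(end + "HHH", blob, 0x2E)
        sh_fmt = end + "IIIIII"

    def section(i):
        return struct.unpack_from(sh_fmt, blob, shoff + i * shentsize)

    _, _, _, _, str_off, str_size = section(shstrndx)
    strtab = blob[str_off:str_off + str_size]
    for i in range(shnum):
        sh_name, _, _, _, sh_offset, sh_size = section(i)
        if strtab[sh_name:strtab.index(b"\0", sh_name)] == b".note.gnu.property":
            return blob[sh_offset:sh_offset + sh_size], elfclass, le
    return None


if __name__ == "__main__":
    # Usage: python cet_note.py /usr/bin/sudo   (prints the CET markers of a real binary)
    found = read_note_gnu_property(sys.argv[1]) if len(sys.argv) > 1 else None
    if found is None:
        print(describe_cet(None))
    else:
        data, cls, le = found
        print("ELF%d: %s" % (cls, describe_cet(x86_feature_1_and(data, cls, le))))
```

Running it over the amd64 sudo binary before and after the i386-only packaging change is one concrete way to confirm that the amd64 build still carries IBT and SHSTK, alongside the byte-for-byte comparison mentioned above; objects built without -fcf-protection simply have no GNU_PROPERTY_X86_FEATURE_1_AND property, which the script reports as "CET markers absent".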