On Thu, Aug 21, 2025 at 04:48:35PM +0200, Marcos Del Sol Vives wrote:
> I've recently acquired a Vortex86DX3 machine and found out about this bug. This machine, while even being SSE1-capable, crashes with a SIGILL if ENDBR32 instructions are encountered. So far, sudo has been the only issue I've encountered.
>
> I am working on getting a patch merged on the Linux kernel to simply skip over these instructions when they raise an exception, and another kernel developer was confused to see ENDBR32 in IA32 because the kernel's IA32 vDSO is not CET-compliant, so CET would AFAIK not protect against anything in an IA32 environment (or IA32 running under IA64): https://lore.kernel.org/all/9EDED468-AB68-4558-8D94-C3756170C364@zytor.com/
>
> Would it be acceptable to, rather than disable it entirely as previously proposed, enable CET only when compiling for IA64 (amd64), but not for any other architecture? Hardware that supports it would for sure still be protected that way, while it would allow running sudo again on older hardware that all other Debian packages support just fine.
Please note (and ideally follow) https://www.debian.org/releases/trixie/release-notes/issues.html#reduced-support-for-i386

While you are of course free to file wishlist bugs with any content, anything up to and including *dropping sudo on i386* is currently possible and valid. If you are fine with staying on bookworm or maybe trixie, you can recompile sudo with the necessary changes yourself (taking into account possible security updates to it).
-- WBR, wRAR
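Anyone rebuilding sudo for such a machine will want to confirm that the result is actually free of the instructions that fault on it. The following is an added example, not code from this bug report, from sudo or from Debian: a small Python checker that reports two independent things about an x86 ELF binary. First, whether its .note.gnu.property marks it IBT/SHSTK-enabled (the GNU_PROPERTY_X86_FEATURE_1_AND bits a CET-aware loader consults before turning CET on). Second, whether its executable sections contain ENDBR32/ENDBR64 encodings (F3 0F 1E FB / F3 0F 1E FA), which GCC emits under -fcf-protection and which execute whether or not the loader enables CET, which is exactly why they matter on a CPU that raises #UD on them. The ELF header, section header and GNU property note layouts used are the standard ones; the byte strings used for testing are constructed, not taken from any real binary.

```python
import struct
import sys

ENDBR32 = b"\xf3\x0f\x1e\xfb"          # endbr32 encoding
ENDBR64 = b"\xf3\x0f\x1e\xfa"          # endbr64 encoding

NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002
FEATURE_1_IBT, FEATURE_1_SHSTK = 0x1, 0x2
SHT_NOBITS, SHF_EXECINSTR = 8, 0x4
EM_386, EM_X86_64 = 3, 62


def find_endbr(code: bytes):
    """Byte-pattern scan of a code section; returns sorted (offset, mnemonic).
    A raw scan can also match inside other instructions or embedded data,
    so a hit means "worth disassembling", not proof by itself."""
    hits = []
    for pattern, mnemonic in ((ENDBR32, "endbr32"), (ENDBR64, "endbr64")):
        i = code.find(pattern)
        while i != -1:
            hits.append((i, mnemonic))
            i = code.find(pattern, i + 1)
    return sorted(hits)


def x86_feature_1(note: bytes, elfclass: int) -> int:
    """GNU_PROPERTY_X86_FEATURE_1_AND bits from raw .note.gnu.property
    contents, 0 if absent. Name fields pad to 4; descriptor and property
    data pad to 8 on ELFCLASS64 and 4 on ELFCLASS32."""
    align = 8 if elfclass == 64 else 4
    features, off = 0, 0
    while off + 12 <= len(note):
        namesz, descsz, ntype = struct.unpack_from("<III", note, off)
        off += 12
        name = note[off:off + namesz]
        off += (namesz + 3) & ~3
        desc = note[off:off + descsz]
        off += (descsz + align - 1) & ~(align - 1)
        if ntype != NT_GNU_PROPERTY_TYPE_0 or name != b"GNU\0":
            continue
        p = 0
        while p + 8 <= len(desc):
            pr_type, pr_datasz = struct.unpack_from("<II", desc, p)
            p += 8
            if pr_type == GNU_PROPERTY_X86_FEATURE_1_AND and pr_datasz == 4:
                features |= struct.unpack_from("<I", desc, p)[0]
            p += (pr_datasz + align - 1) & ~(align - 1)
    return features


def inspect_elf(path: str) -> dict:
    """Walk the section headers of an x86 ELF file and report CET state."""
    with open(path, "rb") as f:
        data = f.read()
    if data[:4] != b"\x7fELF":
        raise ValueError(f"{path}: not an ELF file")
    elfclass = 64 if data[4] == 2 else 32
    if elfclass == 64:
        ehdr = struct.unpack_from("<16sHHIQQQIHHHHHH", data, 0)
        shdr_fmt = "<IIQQQQIIQQ"
    else:
        ehdr = struct.unpack_from("<16sHHIIIIIHHHHHH", data, 0)
        shdr_fmt = "<IIIIIIIIII"
    e_machine, e_shoff, e_shentsize, e_shnum, e_shstrndx = (
        ehdr[2], ehdr[6], ehdr[11], ehdr[12], ehdr[13])
    if e_machine not in (EM_386, EM_X86_64):
        raise ValueError(f"{path}: not an x86 binary (e_machine={e_machine})")
    shdrs = [struct.unpack_from(shdr_fmt, data, e_shoff + i * e_shentsize)
             for i in range(e_shnum)]
    strtab = shdrs[e_shstrndx][4]           # file offset of .shstrtab

    def section_name(sh) -> bytes:
        start = strtab + sh[0]
        return data[start:data.index(b"\0", start)]

    features, endbr = 0, []
    for sh in shdrs:
        sh_type, sh_flags, sh_offset, sh_size = sh[1], sh[2], sh[4], sh[5]
        if sh_type == SHT_NOBITS:           # .bss etc.: no bytes in the file
            continue
        name = section_name(sh)
        body = data[sh_offset:sh_offset + sh_size]
        if name == b".note.gnu.property":
            features |= x86_feature_1(body, elfclass)
        elif sh_flags & SHF_EXECINSTR:
            endbr += [(name.decode(), o, m) for o, m in find_endbr(body)]
    return {"class": elfclass,
            "ibt": bool(features & FEATURE_1_IBT),
            "shstk": bool(features & FEATURE_1_SHSTK),
            "endbr": endbr}


if __name__ == "__main__":
    for arg in sys.argv[1:]:
        r = inspect_elf(arg)
        print(f"{arg}: ELF{r['class']} IBT={r['ibt']} SHSTK={r['shstk']} "
              f"endbr hits={len(r['endbr'])}")
```

Saved under a name of your choosing (cet_check.py is assumed here) it is run as `python3 cet_check.py /usr/bin/sudo`. A rebuild that really dropped CET should report IBT=False and no endbr hits; a binary that is IBT=False but still has hits will still fault on a CPU that does not accept the encoding, because the instructions are executed regardless of the property note. Confirm any hit with `objdump -d` before drawing conclusions, since the byte scan does not decode instruction boundaries.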