Bug#1124342: bookworm-pu: package sudo/1.9.13p3-1+deb12u3
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: sudo@packages.debian.org
Control: affects -1 + src:sudo
User: release.debian.org@packages.debian.org
Usertags: pu
(Please provide enough information to help the release team
to judge the request efficiently. E.g. by filling in the
sections below.)
[ Reason ]
sudo on i386 on a not-quite-i686 CPU like the AMD Geode terminates with
an illegal opcode error.
[ Impact ]
Sudo is unusable on those machines.
[ Tests ]
This has been discussed with the TC (#1113774). sudo has a testsuite.
[ Risks ]
bookworm is the last full release for i386. It is therefore likely to be
used for a long time.
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
Enable Intel CET on amd64 only
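To confirm on a built binary what this change does (that an i386 build of sudo no longer carries the -fcf-protection instrumentation while amd64 still does), here is an added Python check that is not part of this bug report or of the sudo package. It reads the GNU property note of an x86 ELF file and reports the IBT/SHSTK feature bits that GCC records there when it emits endbr landing pads; it assumes a little-endian x86 ELF and walks the section headers itself, and the sample_note helper builds a constructed note payload for testing rather than bytes from any real binary.

```python
import struct
NT_GNU_PROPERTY_TYPE_0, SHT_NOTE = 5, 7          # GNU property note type; SHT_NOTE section type
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002      # pr_type carrying the CET feature bits
X86_FEATURE_NAMES = {0x1: "IBT", 0x2: "SHSTK"}   # bit 0 = IBT (endbr32/endbr64), bit 1 = shadow stack


def x86_features_from_note(data: bytes, is64: bool) -> set:
    """Return CET feature names found in a raw .note.gnu.property payload."""
    feats, align, off = set(), (8 if is64 else 4), 0
    while off + 12 <= len(data):                      # Elf_Nhdr: namesz, descsz, type
        namesz, descsz, ntype = struct.unpack_from("<III", data, off)
        off += 12
        name = data[off:off + namesz]
        off += (namesz + 3) & ~3                      # owner name is 4-byte aligned
        desc, p = data[off:off + descsz], 0
        off += (descsz + align - 1) & ~(align - 1)    # descriptor is 4/8-byte aligned
        if name != b"GNU\0" or ntype != NT_GNU_PROPERTY_TYPE_0:
            continue
        while p + 8 <= len(desc):                     # property: pr_type, pr_datasz, data
            ptype, psz = struct.unpack_from("<II", desc, p)
            p += 8
            if ptype == GNU_PROPERTY_X86_FEATURE_1_AND and psz == 4:
                bits = struct.unpack_from("<I", desc, p)[0]
                feats |= {n for b, n in X86_FEATURE_NAMES.items() if bits & b}
            p += (psz + align - 1) & ~(align - 1)
    return feats


def x86_features_from_elf(path: str) -> set:
    """Walk the section headers of a little-endian x86 ELF and scan every SHT_NOTE section."""
    elf = open(path, "rb").read()
    if elf[:4] != b"\x7fELF" or elf[5] != 1:
        raise ValueError("not a little-endian ELF file")
    is64 = elf[4] == 2
    shoff_fmt, shoff_at, shnum_at = ("<Q", 0x28, 0x3A) if is64 else ("<I", 0x20, 0x2E)
    shoff = struct.unpack_from(shoff_fmt, elf, shoff_at)[0]        # e_shoff
    shentsize, shnum = struct.unpack_from("<HH", elf, shnum_at)    # e_shentsize, e_shnum
    feats = set()
    for i in range(shnum):
        sh = shoff + i * shentsize
        shtype = struct.unpack_from("<I", elf, sh + 4)[0]          # sh_type
        off, size = struct.unpack_from("<QQ" if is64 else "<II", elf, sh + (0x18 if is64 else 0x10))
        if shtype == SHT_NOTE:
            feats |= x86_features_from_note(elf[off:off + size], is64)
    return feats


def sample_note(bits: int, is64: bool) -> bytes:
    """Constructed .note.gnu.property payload for testing; not bytes taken from a real binary."""
    align = 8 if is64 else 4
    prop = struct.pack("<III", GNU_PROPERTY_X86_FEATURE_1_AND, 4, bits).ljust(8 + align, b"\0")
    return struct.pack("<III", 4, len(prop), NT_GNU_PROPERTY_TYPE_0) + b"GNU\0" + prop
```

Run x86_features_from_elf() against the i386 and amd64 builds of /usr/bin/sudo: the amd64 result should contain "IBT" and the i386 result should be empty. An absent property only shows that the linker could not prove every input object was instrumented, so disassembling the i386 binary for endbr32 is the stricter confirmation.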
diff -Nru sudo-1.9.13p3/debian/changelog sudo-1.9.13p3/debian/changelog
--- sudo-1.9.13p3/debian/changelog 2025-06-24 09:29:50.000000000 +0200
+++ sudo-1.9.13p3/debian/changelog 2025-12-30 21:07:33.000000000 +0100
@@ -1,3 +1,12 @@
+sudo (1.9.13p3-1+deb12u3) bookworm; urgency=medium
+
+ * Apply a patch fro Marcos Del Sol Vives to Enable Intel CET on amd64 only.
+ This has been discussed with the TC in #1113774. After following their
+ advice to apply the patch, I verified that this change produces an
+ identical deb on amd64 (Closes: #1124339)
+
+ -- Marc Haber <mh+debian-packages@zugschlus.de> Tue, 30 Dec 2025 21:07:33 +0100
+
sudo (1.9.13p3-1+deb12u2) bookworm-security; urgency=high
* Non-maintainer upload by the Security Team.
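Review bot: the changelog bullet "+ * Apply a patch fro Marcos Del Sol Vives to Enable Intel CET on amd64 only." has a typo, "fro" for "from", and "Enable" is capitalized mid-sentence; since this text ships in the package changelog, fix it before upload. The closing line "+ identical deb on amd64 (Closes: #1124339)" also lacks a final period.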
diff -Nru sudo-1.9.13p3/debian/patches/amd64-ibt.diff sudo-1.9.13p3/debian/patches/amd64-ibt.diff
--- sudo-1.9.13p3/debian/patches/amd64-ibt.diff 1970-01-01 01:00:00.000000000 +0100
+++ sudo-1.9.13p3/debian/patches/amd64-ibt.diff 2025-12-30 21:07:33.000000000 +0100
@@ -0,0 +1,28 @@
+From: Marcos Del Sol Vives <marcos@orca.pet>
+Date: Tue, 2 Sep 2025 00:00:35 +0200
+Subject: Enable Intel CET on amd64 only
+
+---
+ m4/hardening.m4 | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/m4/hardening.m4 b/m4/hardening.m4
+index f7d2a8c..cc7ee01 100644
+--- a/m4/hardening.m4
++++ b/m4/hardening.m4
+@@ -105,6 +105,7 @@ AC_DEFUN([SUDO_CHECK_HARDENING], [
+ ])
+ fi
+
++ if test "$host_cpu" = "x86_64"; then
+ # Check for control-flow transfer instrumentation (Intel CET).
+ AX_CHECK_COMPILE_FLAG([-fcf-protection], [
+ AX_CHECK_LINK_FLAG([-fcf-protection], [
+@@ -112,6 +113,7 @@ AC_DEFUN([SUDO_CHECK_HARDENING], [
+ AX_APPEND_FLAG([-Wc,-fcf-protection], [HARDENING_LDFLAGS])
+ ])
+ ])
++ fi
+ fi
+
+ # Linker-specific hardening flags.
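Review bot: the new guard "+ if test "$host_cpu" = "x86_64"; then" skips the -fcf-protection probe on every non-x86_64 host, which is the intended effect for i386, but the patch header carries only From/Date/Subject lines and no DEP-3 metadata; add "Bug-Debian: https://bugs.debian.org/1124339" and a "Forwarded:" or "Origin:" line so the reason for restricting the check to amd64 is recorded with the patch itself. Note also that the new if/fi wraps the existing block without re-indenting it, which keeps the hunk small for a stable update but leaves the nesting hard to read in m4/hardening.m4.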
diff -Nru sudo-1.9.13p3/debian/patches/series sudo-1.9.13p3/debian/patches/series
--- sudo-1.9.13p3/debian/patches/series 2025-06-24 09:24:11.000000000 +0200
+++ sudo-1.9.13p3/debian/patches/series 2025-12-30 21:07:33.000000000 +0100
@@ -1,8 +1,6 @@
-# 1004909-ftbfs-kfreebsd
-# debian-bugs-1019428
-# dont-create-ChangeLog
debian-bug-1039557
paths-in-samples.diff
Whitelist-DPKG_COLORS-environment-variable.diff
sudo-ldap-docs
sudo_host_vuln.diff
+amd64-ibt.diff
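Review bot: the three "-# ..." removals of commented-out entries at the top of debian/patches/series are unrelated cleanup that the changelog entry does not mention, while the checklist states that all changes are documented; either drop those removals from the stable update to keep the diff minimal or add a changelog line for them. The "+amd64-ibt.diff" entry at the end is correct, since it applies after the existing patches.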