Upstream sudo-1.9.10 in the release notes forces gcc build to include -fcf-protector for security purposes. For most i686 CPUs, this gets executed as a NOP if it does not support CET. However some processors like the Via C3 Nehemiah that can run most i686 instructions (I can use -march=i686 for all other uses), will SIGILL on CET instructions. https://www.sudo.ws/releases/stable/ for release notes. Reproducible: Always Steps to Reproduce: 1. build sudo 2. run sudo on Via C3 Nehemiah 3. Actual Results: sudo immediately crashes with Illegal Instruction on the old CPU, note: it will work fine on newer AMD/Intel SSE2 and newer i686 CPUs. Expected Results: it should work the same on all i686 CPUs or at least a way to disable -fcf-protector Workaround is use -march=i486 for just this package as this was fixed in gcc such that i486 would disable any -fcf-protector on the command line. I don't know if this should simply be warned in the ebuild, or a USE hack to remove -fcf-protector ...
The bug has been closed via the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bd464e04dac31f761430fb3c8f2cb940f3f44463 commit bd464e04dac31f761430fb3c8f2cb940f3f44463 Author: Sam James <sam@gentoo.org> AuthorDate: 2022-11-06 03:35:55 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2022-11-06 03:36:47 +0000 app-admin/sudo: add 1.9.12_p1 Note that CVE-2022-43995 was already fixed in Gentoo in 1.9.12-r1 (5eca952121b4f64dc7c40f81338384bf299ee771) but tagging the bug for completeness. Bug: https://bugs.gentoo.org/879209 Closes: https://bugs.gentoo.org/862201 Signed-off-by: Sam James <sam@gentoo.org> app-admin/sudo/Manifest | 2 + app-admin/sudo/sudo-1.9.12_p1.ebuild | 286 +++++++++++++++++++++++++++++++++++ app-admin/sudo/sudo-9999.ebuild | 14 +- 3 files changed, 297 insertions(+), 5 deletions(-)
