Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 862201 - >=app-admin/sudo-1.9.10 upstream force passes gcc -fcf-protector causing illegal instruction for old CPUs
Summary: >=app-admin/sudo-1.9.10 upstream force passes gcc -fcf-protector causing ille...
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: x86 Linux
: Normal normal (vote)
Assignee: Gentoo's Team for Core System packages
Depends on:
Reported: 2022-07-30 02:36 UTC by Ben
Modified: 2022-11-06 04:00 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Ben 2022-07-30 02:36:12 UTC
Upstream sudo-1.9.10 in the release notes forces gcc build to include -fcf-protector for security purposes.  For most i686 CPUs, this gets executed as a NOP if it does not support CET.  However some processors like the Via C3 Nehemiah that can run most i686 instructions (I can use -march=i686 for all other uses), will SIGILL on CET instructions. for release notes.

Reproducible: Always

Steps to Reproduce:
1. build sudo
2. run sudo on Via C3 Nehemiah
Actual Results:  
sudo immediately crashes with Illegal Instruction on the old CPU, note: it will work fine on newer AMD/Intel SSE2 and newer i686 CPUs.

Expected Results:  
it should work the same on all i686 CPUs or at least a way to disable -fcf-protector 

Workaround is use -march=i486 for just this package as this was fixed in gcc such that i486 would disable any -fcf-protector on the command line.

I don't know if this should simply be warned in the ebuild, or a USE hack to remove -fcf-protector ...
Comment 1 Larry the Git Cow gentoo-dev 2022-11-06 03:59:57 UTC
The bug has been closed via the following commit(s):

commit bd464e04dac31f761430fb3c8f2cb940f3f44463
Author:     Sam James <>
AuthorDate: 2022-11-06 03:35:55 +0000
Commit:     Sam James <>
CommitDate: 2022-11-06 03:36:47 +0000

    app-admin/sudo: add 1.9.12_p1
    Note that CVE-2022-43995 was already fixed in Gentoo in 1.9.12-r1
    (5eca952121b4f64dc7c40f81338384bf299ee771) but tagging the bug
    for completeness.
    Signed-off-by: Sam James <>

 app-admin/sudo/Manifest              |   2 +
 app-admin/sudo/sudo-1.9.12_p1.ebuild | 286 +++++++++++++++++++++++++++++++++++
 app-admin/sudo/sudo-9999.ebuild      |  14 +-
 3 files changed, 297 insertions(+), 5 deletions(-)