[cfe-dev] Updating/removing clang-tidy-vs from clang-tools-extra because of CVE-2018-1000210

Reid Kleckner via cfe-dev cfe-dev at lists.llvm.org
Tue Aug 27 10:24:42 PDT 2019


I reached out to Zach and he said Clang Power Tools (
https://marketplace.visualstudio.com/items?itemName=caphyon.ClangPowerTools)
does everything clang-tidy-vs does, so we should go ahead and remove
clang-tidy-vs.

On Mon, Aug 26, 2019 at 10:41 AM Alex L via cfe-dev <cfe-dev at lists.llvm.org>
wrote:

> Hi,
>
> The `clang-tidy-vs` Visual Studio plugin in clang-tools-extra contains a
> security vulnerability in the YamlDotNet package [1]. GitHub flags the code
> in clang-tools-extra as a high-priority security vulnerability. If you're
> an admin of a custom fork of the llvm-project monorepo on GitHub, you get a
> banner every time you open the GitHub webpage for the repo, and an
> additional weekly email about this high-priority vulnerability.
>
> I've emailed Zachary, who originally added the plugin, about this issue,
> and also filed a bug report on llvm.org [2]. From what I gathered so far,
> I don't think Zachary works on llvm-project anymore. Would there be anyone
> else who'd be interested in updating the plugin to address the
> vulnerability? If not, would it be reasonable to remove this plugin from
> llvm-project entirely?
>
> Thanks,
> Alex
>
> [1]: https://nvd.nist.gov/vuln/detail/CVE-2018-1000210
> [2]: https://bugs.llvm.org/show_bug.cgi?id=41791