[llvm] Add security group 2023 transparency report. (PR #80320)

Peter Smith via llvm-commits llvm-commits at lists.llvm.org
Thu Feb 1 11:01:55 PST 2024


https://github.com/smithp35 updated https://github.com/llvm/llvm-project/pull/80320

From 1851a200772dcbfc5a2c310c6d146f891701154f Mon Sep 17 00:00:00 2001
From: Peter Smith <peter.smith at arm.com>
Date: Wed, 17 Jan 2024 18:13:04 +0000
Subject: [PATCH 1/2] Add security group 2023 transparency report.

---
 llvm/docs/SecurityTransparencyReports.rst | 39 +++++++++++++++++++++++
 1 file changed, 39 insertions(+)

diff --git a/llvm/docs/SecurityTransparencyReports.rst b/llvm/docs/SecurityTransparencyReports.rst
index a857e676880f8..b43a85a012f41 100644
--- a/llvm/docs/SecurityTransparencyReports.rst
+++ b/llvm/docs/SecurityTransparencyReports.rst
@@ -76,3 +76,42 @@ the time of writing this transparency report.
 
 No dedicated LLVM releases were made for any of the above issues.
 
+2023
+----
+
+In this section we report on the issues the group received in 2023, or on issues
+that were received earlier, but were disclosed in 2023.
+
+9 of these were judged to be security issues:
+
+https://bugs.chromium.org/p/llvm/issues/detail?id=36 reports the presence of
+.git folder in https://llvm.org/.git.
+
+https://bugs.chromium.org/p/llvm/issues/detail?id=66 reports the presence of
+a GitHub Personal Access token in a DockerHub imaage.
+
+https://bugs.chromium.org/p/llvm/issues/detail?id=42 reports a potential gap
+in the Armv8.1-m BTI protection, involving a combination of large switch statements
+and __builtin_unreachable() in the default case.
+
+https://bugs.chromium.org/p/llvm/issues/detail?id=43 reports a dependency
+on an old version of xml2js with a CVE filed against it.
+
+https://bugs.chromium.org/p/llvm/issues/detail?id=45 reports a number of
+dependencies that have had vulnerabilities reported against them.
+
+https://bugs.chromium.org/p/llvm/issues/detail?id=46 is related to issue 43.
+
+https://bugs.chromium.org/p/llvm/issues/detail?id=48 reports a buffer overflow
+in std::format from -fexperimental-library.
+
+https://bugs.chromium.org/p/llvm/issues/detail?id=54 reports a memory leak in
+basic_string move assignment when built with libc++ versions <=6.0 and run against
+newer libc++ shared/dylibs.
+
+https://bugs.chromium.org/p/llvm/issues/detail?id=56 reports a out of bounds buffer
+store introduced by LLVM backends, that regressed due to a procedural oversight.
+
+No dedicated LLVM releases were made for any of the above issues.
+
+Over the course of 2023 we had one person join the LLVM Security Group.
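Review bot: "imaage" in the id=66 entry is a typo for "image", and the follow-up typo commit in this PR does not touch it; the same pass could write "Armv8.1-M" (capital M, the usual spelling of the M-profile architecture) in the id=42 entry, and say in the id=46 entry how it relates to issue 43 (a duplicate report, or the same dependency) rather than only that it is related. The section also opens with "9 of these were judged to be security issues" without stating the total number of reports received in 2023 that the 9 are drawn from, so the sentence has no referent for "these"; adding that count would make the report self-contained.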

From d51aff6e387c5564e7a22a7ec65e1be9d8eab34c Mon Sep 17 00:00:00 2001
From: Peter Smith <peter.smith at arm.com>
Date: Thu, 1 Feb 2024 19:00:00 +0000
Subject: [PATCH 2/2] 2023 Transparency Report, fix typo.

---
 llvm/docs/SecurityTransparencyReports.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/llvm/docs/SecurityTransparencyReports.rst b/llvm/docs/SecurityTransparencyReports.rst
index b43a85a012f41..bfa15ab4c484d 100644
--- a/llvm/docs/SecurityTransparencyReports.rst
+++ b/llvm/docs/SecurityTransparencyReports.rst
@@ -109,7 +109,7 @@ https://bugs.chromium.org/p/llvm/issues/detail?id=54 reports a memory leak in
 basic_string move assignment when built with libc++ versions <=6.0 and run against
 newer libc++ shared/dylibs.
 
-https://bugs.chromium.org/p/llvm/issues/detail?id=56 reports a out of bounds buffer
+https://bugs.chromium.org/p/llvm/issues/detail?id=56 reports an out of bounds buffer
 store introduced by LLVM backends, that regressed due to a procedural oversight.
 
 No dedicated LLVM releases were made for any of the above issues.
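Review bot: this commit only corrects "a out of bounds" to "an out of bounds" in the id=56 entry, text introduced by the preceding commit of the same PR, so it should be squashed into that commit before merging rather than landing as a separate one-word fixup; while doing so, the "imaage" typo in the id=66 entry a few lines above in the same section could be fixed in the same squash.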
