[cfe-dev] Updating/removing clang-tidy-vs from clang-tools-extra because of CVE-2018-1000210

Alex L via cfe-dev cfe-dev at lists.llvm.org
Tue Aug 27 10:52:54 PDT 2019


Great, thanks for reaching out to Zach! I posted a patch that removes the
plugin, and suggests Clang Power Tools in the release notes instead:
https://reviews.llvm.org/D66813.

On Tue, 27 Aug 2019 at 10:24, Reid Kleckner <rnk at google.com> wrote:

> I reached out to Zach and he said Clang Power Tools (
> https://marketplace.visualstudio.com/items?itemName=caphyon.ClangPowerTools)
> does everything clang-tidy-vs does, so we should go ahead and remove
> clang-tidy-vs.
>
> On Mon, Aug 26, 2019 at 10:41 AM Alex L via cfe-dev <
> cfe-dev at lists.llvm.org> wrote:
>
>> Hi,
>>
>> The `clang-tidy-vs` Visual Studio plugin in clang-tools-extra contains a
>> security vulnerability in the YamlDotNet package [1]. GitHub flags the code
>> in clang-tools-extra as a high priority security vulnerability. If you're
>> an admin of a custom fork of the llvm-project monorepo on GitHub, you get a
>> banner every time you open the GitHub webpage for the repo, and an
>> additional weekly email about this high priority vulnerability.
>>
>> I've emailed Zachary, who originally added the plugin, about this issue,
>> and also filed a bug report on llvm.org [2]. From what I gathered so
>> far, I don't think Zachary works on llvm-project anymore. Would there be
>> anyone else who'd be interested in updating the plugin to address the
>> vulnerability? If not, would it be reasonable to remove this plugin from
>> llvm-project entirely?
>>
>> Thanks,
>> Alex
>>
>> [1]: https://nvd.nist.gov/vuln/detail/CVE-2018-1000210
>> [2]: https://bugs.llvm.org/show_bug.cgi?id=41791
>