[llvm] 2024 Security Group Transparency Report (PR #132011)
Peter Smith via llvm-commits
llvm-commits at lists.llvm.org
Wed Mar 19 07:07:41 PDT 2025
================
@@ -115,3 +115,171 @@ store introduced by LLVM backends, that regressed due to a procedural oversight.
No dedicated LLVM releases were made for any of the above issues.
Over the course of 2023 we had one person join the LLVM Security Group.
+
+2024
+----
+
+.. |br| raw:: html
+
+ <br/>
+
+
+Introduction
+^^^^^^^^^^^^
+
+In the first half of 2024, LLVM used the Chromium issue tracker to enable
+reporting security issues responsibly. We switched over to using GitHub's
+"privately reporting a security vulnerability" workflow in the middle of 2024.
+
+In previous years, our transparency reports were shorter, since the full
+discussion on a security ticket in the Chromium issue tracker is fully visible
+once disclosed. This is not the case with issues using GitHub's security
+advisory workflow, so instead we give a longer description in this transparency
+report, to make the relevant information on the ticket publicly available.
+
+This transparency report doesn't necessarily mention all issues that were deemed
+duplicates of other issues, or tickets only created to test the bug tracking
+system.
+
+Security issues fixed under a coordinated disclosure process
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+This section lists the reported issues where we ended up implementing fixes
+under a coordinated disclosure process. While we were still using the Chromium
+issue tracker, we did not write security advisories for such issues. Since we
+started using the GitHub issues tracker for security issues, we're now
+publishing security advisories for those issues at
+https://github.com/llvm/llvm-security-repo/security/advisories/.
+
+1. “Unexpected behavior when using LTO and branch-protection together” |br|
+ Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=58
+2. “Security weakness in PCS for CMSE”
+ (`CVE-2024-0151 <https://nvd.nist.gov/vuln/detail/CVE-2024-0151>`_) |br|
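Review bot: the Chromium tracker URL in item 1 (https://bugs.chromium.org/p/llvm/issues/detail?id=58) now redirects to https://issuetracker.google.com/issues/42410051, as the follow-up in this thread notes, and the introduction above points readers at the Chromium ticket as the only place where the full discussion of these pre-GitHub issues is visible; consider recording the redirect target (or the archived PDF that the follow-up proposes to attach to an llvm-project issue) next to the original URL so the report remains usable if the redirect is ever dropped. Separately, the `|br|` substitution is defined via `raw:: html`, so the forced line breaks before the "Details are available at" lines only appear in HTML output and vanish in other Sphinx builders; a plain RST construct such as a line block or a nested bullet for the details line would render the same everywhere.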
----------------
smithp35 wrote:
I can create llvm-project issues with archive pdfs of these. One thing I noticed was that the original Chromium bug tracker redirects.
https://bugs.chromium.org/p/llvm/issues/detail?id=58 -> https://issuetracker.google.com/issues/42410051
https://bugs.chromium.org/p/llvm/issues/detail?id=68 -> https://issuetracker.google.com/issues/42410062
I've used the updated URL when adding the archives.
For this patch I don't think this needs anything changing, I can make a follow up patch when this lands (or rebase and extend https://github.com/llvm/llvm-project/pull/132030).
https://github.com/llvm/llvm-project/pull/132011