[llvm] Add llvm-project archive issues for Chromium bug tracker (PR #132030)
Peter Smith via llvm-commits
llvm-commits at lists.llvm.org
Thu Mar 20 09:31:18 PDT 2025
https://github.com/smithp35 updated https://github.com/llvm/llvm-project/pull/132030
>From ad6181c4f634bbc1a559597f81e838fc95ad0d2c Mon Sep 17 00:00:00 2001
From: Peter Smith <peter.smith at arm.com>
Date: Wed, 19 Mar 2025 10:04:41 +0000
Subject: [PATCH 1/3] Add llvm-project archive issues for Chromium bug tracker
The Chromium bug tracker is in an archived state. The Security
Response Group has preemptively created llvm-project GitHub
issues with PDF copies of the Chromium issues should the
repository become inaccessible.
* Replace URLs in format:
https://bugs.chromium.org/p/llvm/issues/detail?id=X with
their redirect https://issuetracker.google.com/issues/y
* Add URLs to llvm-project archive issues.
* Add an explanation of archive use.
---
llvm/docs/SecurityTransparencyReports.rst | 78 ++++++++++++++---------
1 file changed, 48 insertions(+), 30 deletions(-)
diff --git a/llvm/docs/SecurityTransparencyReports.rst b/llvm/docs/SecurityTransparencyReports.rst
index bfa15ab4c484d..cc028ae1e1d2a 100644
--- a/llvm/docs/SecurityTransparencyReports.rst
+++ b/llvm/docs/SecurityTransparencyReports.rst
@@ -2,7 +2,15 @@
LLVM Security Group Transparency Reports
========================================
-This page lists the yearly LLVM Security group transparency reports.
+This page lists the yearly LLVM Security Response group transparency reports.
+
+The LLVM Security Response group started out as the LLVM security group, previous
+year's transparency reports keep the original year.
+
+Initially the Chromium issue tracker was used to record issues. This component
+has been archived and is read-only. A llvm-project issue with the SecurityArchive
+label has been created with a further backup PDF copy in a llvm-project
+repository.
2021
----
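Review bot: In the added introduction, "previous year's transparency reports keep the original year" does not say what is actually kept; given the first half of the sentence it appears to mean the group's original name, so "keep the original name" would be clearer. In the second added paragraph, "A llvm-project issue with the SecurityArchive label has been created" reads as a single issue, while the lists further down link a separate archive issue per Chromium entry. Consider "An llvm-project issue ... has been created for each Chromium issue", and name the repository that holds the "further backup PDF copy".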
@@ -29,8 +37,11 @@ In 2021, the security group received 13 issue reports that were made publicly
visible before 31st of December 2021. The security group judged 2 of these
reports to be security issues:
-* https://bugs.chromium.org/p/llvm/issues/detail?id=5
-* https://bugs.chromium.org/p/llvm/issues/detail?id=11
+* https://issuetracker.google.com/issues/42410043 archive:
+ https://github.com/llvm/llvm-project/issues/125709
+
+* https://issuetracker.google.com/issues/42410002 archive:
+ https://github.com/llvm/llvm-project/issues/127644
Both issues were addressed with source changes: #5 in clangd/vscode-clangd, and
#11 in llvm-project. No dedicated LLVM release was made for either.
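Review bot: The unchanged sentence right after the list still says "#5 in clangd/vscode-clangd, and #11 in llvm-project", but once the two URLs become 42410043 and 42410002 the ids 5 and 11 no longer appear anywhere in the list. Either update that sentence to the new ids or keep the old Chromium id next to each new link, for example "(originally Chromium issue 5)", so the reference still resolves for the reader.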
@@ -54,24 +65,27 @@ the time of writing this transparency report.
5 of these were judged to be security issues:
-* https://bugs.chromium.org/p/llvm/issues/detail?id=17 reports a miscompile in
+* https://issuetracker.google.com/issues/42410008 reports a miscompile in
LLVM that can result in the frame pointer and return address being
- overwritten. This was fixed.
+ overwritten. This was fixed. Archive: https://github.com/llvm/llvm-project/issues/127645
-* https://bugs.chromium.org/p/llvm/issues/detail?id=19 reports a vulnerability
- in `std::filesystem::remove_all` in libc++. This was fixed.
+* https://issuetracker.google.com/issues/42410010 reports a vulnerability
+ in `std::filesystem::remove_all` in libc++. This was fixed. Archive:
+ https://github.com/llvm/llvm-project/issues/127647
-* https://bugs.chromium.org/p/llvm/issues/detail?id=23 reports a new Spectre
+* https://issuetracker.google.com/issues/42410015 reports a new Spectre
gadget variant that Speculative Load Hardening (SLH) does not mitigate. No
extension to SLH was implemented to also mitigate against this variant.
+ Archive: https://github.com/llvm/llvm-project/issues/127648
-* https://bugs.chromium.org/p/llvm/issues/detail?id=30 reports missing memory
+* https://issuetracker.google.com/issues/42410023 reports missing memory
safety protection on the (C++) exception handling path. A number of fixes
- were implemented.
+ were implemented. Archive: https://github.com/llvm/llvm-project/issues/127649
-* https://bugs.chromium.org/p/llvm/issues/detail?id=33 reports the RETBLEED
+* https://issuetracker.google.com/issues/42410026 reports the RETBLEED
vulnerability. The outcome was clang growing a new security hardening feature
`-mfunction-return=thunk-extern`, see https://reviews.llvm.org/D129572.
+ Archive: https://github.com/llvm/llvm-project/issues/127650
No dedicated LLVM releases were made for any of the above issues.
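Review bot: The archive links in this list are attached inconsistently: for 42410008 and 42410023 "Archive:" and the URL are appended to the last text line, producing an overlong line, while for 42410015 and 42410026 they sit on their own line, and for 42410010 the label and URL are split across two lines. The 2021 hunk also uses lowercase "archive:" where this one uses "Archive:". Suggest one form throughout, with "Archive: <url>" on its own continuation line of each bullet.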
@@ -84,33 +98,37 @@ that were received earlier, but were disclosed in 2023.
9 of these were judged to be security issues:
-https://bugs.chromium.org/p/llvm/issues/detail?id=36 reports the presence of
-.git folder in https://llvm.org/.git.
+ * https://issuetracker.google.com/issues/42410029 reports the presence of
+ .git folder in https://llvm.org/.git. Archive: https://github.com/llvm/llvm-project/issues/131841
-https://bugs.chromium.org/p/llvm/issues/detail?id=66 reports the presence of
-a GitHub Personal Access token in a DockerHub imaage.
+ * https://issuetracker.google.com/issues/42410060 reports the presence of
+ a GitHub Personal Access token in a DockerHub imaage. Archive: https://github.com/llvm/llvm-project/issues/131846
-https://bugs.chromium.org/p/llvm/issues/detail?id=42 reports a potential gap
-in the Armv8.1-m BTI protection, involving a combination of large switch statements
-and __builtin_unreachable() in the default case.
+ * https://issuetracker.google.com/issues/42410035 reports a potential gap
+ in the Armv8.1-m BTI protection, involving a combination of large switch statements
+ and __builtin_unreachable() in the default case. Archive: https://github.com/llvm/llvm-project/issues/131848
-https://bugs.chromium.org/p/llvm/issues/detail?id=43 reports a dependency
-on an old version of xml2js with a CVE filed against it.
+ * https://issuetracker.google.com/issues/42410036 reports a dependency on
+ an old version of xml2js with a CVE filed against it.
+ Archive: https://github.com/llvm/llvm-project/issues/131849
-https://bugs.chromium.org/p/llvm/issues/detail?id=45 reports a number of
-dependencies that have had vulnerabilities reported against them.
+ * https://issuetracker.google.com/issues/42410038 reports a number of
+ dependencies that have had vulnerabilities reported against them.
+ Archive: https://github.com/llvm/llvm-project/issues/131851
-https://bugs.chromium.org/p/llvm/issues/detail?id=46 is related to issue 43.
+ * https://issuetracker.google.com/issues/42410039 is related to issue 42410038.
+ Archive: https://github.com/llvm/llvm-project/issues/131852
-https://bugs.chromium.org/p/llvm/issues/detail?id=48 reports a buffer overflow
-in std::format from -fexperimental-library.
+ * https://issuetracker.google.com/issues/42410041 reports a buffer overflow
+ in std::format from -fexperimental-library. Archive: https://github.com/llvm/llvm-project/issues/131856
-https://bugs.chromium.org/p/llvm/issues/detail?id=54 reports a memory leak in
-basic_string move assignment when built with libc++ versions <=6.0 and run against
-newer libc++ shared/dylibs.
+ * https://issuetracker.google.com/issues/42410047 reports a memory leak in
+ basic_string move assignment when built with libc++ versions <=6.0 and run against
+ newer libc++ shared/dylibs. Archive: https://github.com/llvm/llvm-project/issues/131857
-https://bugs.chromium.org/p/llvm/issues/detail?id=56 reports an out of bounds buffer
-store introduced by LLVM backends, that regressed due to a procedural oversight.
+ * https://issuetracker.google.com/issues/42410049 reports an out of bounds buffer
+ store introduced by LLVM backends, that regressed due to a procedural oversight.
+ Archive: https://github.com/llvm/llvm-project/issues/131858
No dedicated LLVM releases were made for any of the above issues.
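Review bot: The line "is related to issue 42410038" changes what the entry points at. The original said "is related to issue 43", and in this same hunk id=43 becomes 42410036 (the xml2js entry), whereas 42410038 is the replacement for id=45. Unless the retarget is intentional, this should read "is related to issue 42410036". Two smaller points on the rewritten lines: the new bullets start with a space before "*", unlike the 2021 and 2022 lists, which reStructuredText will treat as an indented block rather than a top-level list; and the typo "imaage" is carried over onto a line the patch rewrites anyway.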
>From e5d6ac7d9b54b5d39532bb791c62a6ca51b1db82 Mon Sep 17 00:00:00 2001
From: Peter Smith <peter.smith at arm.com>
Date: Wed, 19 Mar 2025 14:15:05 +0000
Subject: [PATCH 2/3] Kristof's Review comments
* year should have been name.
* reworded part about archives.
I've kept the URLs the same for now.
---
llvm/docs/SecurityTransparencyReports.rst | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/llvm/docs/SecurityTransparencyReports.rst b/llvm/docs/SecurityTransparencyReports.rst
index cc028ae1e1d2a..9fca66a48cec3 100644
--- a/llvm/docs/SecurityTransparencyReports.rst
+++ b/llvm/docs/SecurityTransparencyReports.rst
@@ -5,12 +5,14 @@ LLVM Security Group Transparency Reports
This page lists the yearly LLVM Security Response group transparency reports.
The LLVM Security Response group started out as the LLVM security group, previous
-year's transparency reports keep the original year.
-
-Initially the Chromium issue tracker was used to record issues. This component
-has been archived and is read-only. A llvm-project issue with the SecurityArchive
-label has been created with a further backup PDF copy in a llvm-project
-repository.
+year's transparency reports keep the original name.
+
+Initially the Chromium issue tracker was used to record issues. This
+component has been archived and is read-only. A GitHub
+llvm/llvm-project issue has been created for each issue in the
+Chromium issue tracker. All of these issues contain an attached PDF
+with the content of the Chromium issue, and have the SecurityArchive
+label.
2021
----
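Review bot: The reworded sentence "The LLVM Security Response group started out as the LLVM security group, previous year's transparency reports keep the original name." is still a comma splice, and "previous year's" should be the plural possessive since several years are covered. Suggest "... started out as the LLVM security group. Transparency reports from previous years keep the original name." In the new paragraph, "This component" has no antecedent; saying which component of the Chromium issue tracker was archived would help a reader who never saw the old URLs.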
>From 8a41e0033a7d3042a1374ef8aa9a45c986a92ad0 Mon Sep 17 00:00:00 2001
From: Peter Smith <peter.smith at arm.com>
Date: Thu, 20 Mar 2025 16:30:04 +0000
Subject: [PATCH 3/3] Rebase on 2024 Transparency update
I've added GitHub issues for all the new Chromium issue tracker
entries.
---
llvm/docs/SecurityTransparencyReports.rst | 41 +++++++++++++++--------
1 file changed, 27 insertions(+), 14 deletions(-)
diff --git a/llvm/docs/SecurityTransparencyReports.rst b/llvm/docs/SecurityTransparencyReports.rst
index 5c1d574590967..b824b76dab8a8 100644
--- a/llvm/docs/SecurityTransparencyReports.rst
+++ b/llvm/docs/SecurityTransparencyReports.rst
@@ -172,10 +172,12 @@ publishing security advisories for those issues at
https://github.com/llvm/llvm-security-repo/security/advisories/.
1. “Unexpected behavior when using LTO and branch-protection together” |br|
- Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=58
+ Details are available at https://issuetracker.google.com/issues/42410051
+ archive: https://github.com/llvm/llvm-project/issues/132185
2. “Security weakness in PCS for CMSE”
(`CVE-2024-0151 <https://nvd.nist.gov/vuln/detail/CVE-2024-0151>`_) |br|
- Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=68
+ Details are available at https://issuetracker.google.com/issues/42410062
+ archive: https://github.com/llvm/llvm-project/issues/132186
3. “CMSE secure state may leak from stack to floating-point registers”
(`CVE-2024-7883 <https://www.cve.org/cverecord?id=CVE-2024-7883>`_) |br|
Details are available at
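Review bot: In items 1 and 2 the added "archive:" line is a plain continuation of the "Details are available at ..." line, with no "|br|" or punctuation between them, so the two URLs will render as one run-on line. Suggest ending the details line with "|br|" as the title lines do, or writing the second link as "(archive: <url>)". The label is also lowercase here while the 2022 and 2023 sections in patch 1 use "Archive:".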
@@ -185,9 +187,11 @@ Supply chain security related issues and project services-related issues
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
1. “GitHub User Involved in xz backdoor may have attempted to change to clang in order to help hide the exploit” |br|
- Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=71
+ Details are available at https://issuetracker.google.com/issues/42410066
+ archive: https://github.com/llvm/llvm-project/issues/132187
2. “llvmbot account suspended due to supicious login” |br|
- Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=72
+ Details are available at https://issuetracker.google.com/issues/42410067
+ archive: https://github.com/llvm/llvm-project/issues/132243
3. “.git Exposure” |br|
GHSA-mr8r-vvrc-w6rq |br|
The .git directory was accessible via web browsers under apt.llvm.org, a site
@@ -224,23 +228,32 @@ Issues deemed to not require coordinated action before disclosing publicly
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
1. “Clang Address Sanitizer gives False Negative for Array Out of Bounds Compiled with Optimization” |br|
- Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=57
+ Details are available at https://issuetracker.google.com/issues/42410050
+ archive: https://github.com/llvm/llvm-project/issues/132191
2. “Found exposed .svn folder” |br|
- Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=59
+ Details are available at https://issuetracker.google.com/issues/42410052
+ archive: https://github.com/llvm/llvm-project/issues/132192
3. “Arbitrary code execution when combining SafeStack \+ dynamic stack allocations \+ \_\_builtin\_setjmp/longjmp” |br|
- Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=60
+ Details are available at https://issuetracker.google.com/issues/42410054
+ archive: https://github.com/llvm/llvm-project/issues/132220
4. “RISC-V: Constants are allocated in writeable .sdata section” |br|
- Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=61
+ Details are available at https://issuetracker.google.com/issues/42410055
+ archive: https://github.com/llvm/llvm-project/issues/132223
5. “Manifest File with Out-of-Date Dependencies with CVEs” |br|
- Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=62
+ Details are available at https://issuetracker.google.com/issues/42410056
+ archive: https://github.com/llvm/llvm-project/issues/132225
6. “Non-const derived ctor should fail compilation when having a consteval base ctor” |br|
- Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=67
+ Details are available at https://issuetracker.google.com/issues/42410061
+ archive: https://github.com/llvm/llvm-project/issues/132226
7. “Wrong assembly code generation. Branching to the corrupted "LR".” |br|
- Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=69
+ Details are available at https://issuetracker.google.com/issues/42410063
+ archive: https://github.com/llvm/llvm-project/issues/132229
8. “Security bug report” |br|
- Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=70
+ Details are available at https://issuetracker.google.com/issues/42410065
+ archive: https://github.com/llvm/llvm-project/issues/132233
9. “Using ASan with setuid binaries can lead to arbitrary file write and elevation of privileges” |br|
- Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=73
+ Details are available at https://issuetracker.google.com/issues/42410068
+ archive: https://github.com/llvm/llvm-project/issues/132235
10. “Interesting bugs for bool variable in clang projects and aarch64 modes outputting inaccurate results.” |br|
GHSA-w7qc-292v-5xh6 |br|
The issue reported is on a source code example having undefined behaviour
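Review bot: Items 1 to 9 drop the old Chromium id completely, so a reader holding a reference of the form "issues/detail?id=60" can no longer find the matching entry by searching this page, and the old-to-new mapping cannot be checked from the document itself. Consider keeping the old id in each entry, for example "(originally Chromium issue 60)", next to the new issuetracker.google.com link. The "archive:" continuation lines here have the same missing "|br|" separation as in the first hunk of this patch.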
@@ -302,4 +315,4 @@ as part of migrating to GitHub's “security advisory”-based reporting:
1. “Test if new draft security advisory gets emailed to LLVM security group” |br|
GHSA-82m9-xvw3-rvpv
2. “Test that a non-admin can create an advisory (no vulnerability).” |br|
- GHSA-34gr-6c7h-cc93
\ No newline at end of file
+ GHSA-34gr-6c7h-cc93