diff --git a/llvm/docs/SecurityTransparencyReports.rst b/llvm/docs/SecurityTransparencyReports.rst index 3a91ab1a52479..e4d7c23236b6c 100644 --- a/llvm/docs/SecurityTransparencyReports.rst +++ b/llvm/docs/SecurityTransparencyReports.rst @@ -2,7 +2,21 @@ LLVM Security Group Transparency Reports ======================================== -This page lists the yearly LLVM Security group transparency reports. +This page lists the yearly LLVM Security Response group transparency reports. + +The LLVM Security Response group started out as the LLVM security group, previous +year's transparency reports keep the original name. + +Initially the Chromium issue tracker was used to record issues. This +component has been archived and is read-only. A GitHub +llvm/llvm-project issue has been created for each issue in the +Chromium issue tracker. All of these issues contain an attached PDF +with the content of the Chromium issue, and have the SecurityArchive +label. + +Each Chromium issue has 3 URLs, the first is the original URL recorded in +previous transparency reports. The second is the redirect URL to the archive. +The third is to the GitHub archive issue. 2021 ---- 
@@ -29,8 +43,13 @@ In 2021, the security group received 13 issue reports that were made publicly visible before 31st of December 2021. The security group judged 2 of these reports to be security issues: -* https://bugs.chromium.org/p/llvm/issues/detail?id=5 -* https://bugs.chromium.org/p/llvm/issues/detail?id=11 +* original: https://bugs.chromium.org/p/llvm/issues/detail?id=5 + redirect: https://issuetracker.google.com/issues/42410043 archive: + https://github.com/llvm/llvm-project/issues/125709 + +* original: https://bugs.chromium.org/p/llvm/issues/detail?id=11 + redirect: https://issuetracker.google.com/issues/42410002 archive: + https://github.com/llvm/llvm-project/issues/127644 Both issues were addressed with source changes: #5 in clangd/vscode-clangd, and #11 in llvm-project. No dedicated LLVM release was made for either. 
@@ -54,24 +73,32 @@ the time of writing this transparency report. 5 of these were judged to be security issues: -* https://bugs.chromium.org/p/llvm/issues/detail?id=17 reports a miscompile in - LLVM that can result in the frame pointer and return address being - overwritten. This was fixed. +* https://bugs.chromium.org/p/llvm/issues/detail?id=17 reports a miscompile in LLVM + that can result in the frame pointer and return address being overwritten. This + was fixed. Redirect: https://issuetracker.google.com/issues/42410008 archive: + https://github.com/llvm/llvm-project/issues/127645 -* https://bugs.chromium.org/p/llvm/issues/detail?id=19 reports a vulnerability - in `std::filesystem::remove_all` in libc++. This was fixed. +* https://bugs.chromium.org/p/llvm/issues/detail?id=19 reports a vulnerability in + `std::filesystem::remove_all` in libc++. This was fixed. + Redirect: https://issuetracker.google.com/issues/42410010 archive: + https://github.com/llvm/llvm-project/issues/127647 * https://bugs.chromium.org/p/llvm/issues/detail?id=23 reports a new Spectre gadget variant that Speculative Load Hardening (SLH) does not mitigate. No extension to SLH was implemented to also mitigate against this variant. + Redirect: https://issuetracker.google.com/issues/42410015 archive: + https://github.com/llvm/llvm-project/issues/127648 * https://bugs.chromium.org/p/llvm/issues/detail?id=30 reports missing memory safety protection on the (C++) exception handling path. A number of fixes - were implemented. + were implemented. Redirect: https://issuetracker.google.com/issues/42410023 + archive: https://github.com/llvm/llvm-project/issues/127649 * https://bugs.chromium.org/p/llvm/issues/detail?id=33 reports the RETBLEED vulnerability. The outcome was clang growing a new security hardening feature `-mfunction-return=thunk-extern`, see https://reviews.llvm.org/D129572. 
+ Redirect: https://issuetracker.google.com/issues/42410026 archive: + https://github.com/llvm/llvm-project/issues/127650 No dedicated LLVM releases were made for any of the above issues. 
@@ -84,33 +111,52 @@ that were received earlier, but were disclosed in 2023. 9 of these were judged to be security issues: -https://bugs.chromium.org/p/llvm/issues/detail?id=36 reports the presence of -.git folder in https://llvm.org/.git. - -https://bugs.chromium.org/p/llvm/issues/detail?id=66 reports the presence of -a GitHub Personal Access token in a DockerHub imaage. - -https://bugs.chromium.org/p/llvm/issues/detail?id=42 reports a potential gap -in the Armv8.1-m BTI protection, involving a combination of large switch statements -and __builtin_unreachable() in the default case. - -https://bugs.chromium.org/p/llvm/issues/detail?id=43 reports a dependency -on an old version of xml2js with a CVE filed against it. - -https://bugs.chromium.org/p/llvm/issues/detail?id=45 reports a number of -dependencies that have had vulnerabilities reported against them. - -https://bugs.chromium.org/p/llvm/issues/detail?id=46 is related to issue 43. - -https://bugs.chromium.org/p/llvm/issues/detail?id=48 reports a buffer overflow -in std::format from -fexperimental-library. - -https://bugs.chromium.org/p/llvm/issues/detail?id=54 reports a memory leak in -basic_string move assignment when built with libc++ versions <=6.0 and run against -newer libc++ shared/dylibs. - -https://bugs.chromium.org/p/llvm/issues/detail?id=56 reports an out of bounds buffer -store introduced by LLVM backends, that regressed due to a procedural oversight. + * https://bugs.chromium.org/p/llvm/issues/detail?id=36 reports the presence of + .git folder in https://llvm.org/.git. Redirect: + https://issuetracker.google.com/issues/42410029 archive: + https://github.com/llvm/llvm-project/issues/131841 + + * https://bugs.chromium.org/p/llvm/issues/detail?id=66 reports the presence of a + GitHub Personal Access token in a DockerHub imaage. 
Redirect + https://issuetracker.google.com/issues/42410060 archive: + https://github.com/llvm/llvm-project/issues/131846 + + * https://bugs.chromium.org/p/llvm/issues/detail?id=42 reports a potential gap + in the Armv8.1-m BTI protection, involving a combination of large switch statements + and __builtin_unreachable() in the default case. Redirect: + https://issuetracker.google.com/issues/42410035 archive: + https://github.com/llvm/llvm-project/issues/131848 + + * https://bugs.chromium.org/p/llvm/issues/detail?id=43 reports a dependency + on an old version of xml2js with a CVE filed against it. Redirect: + https://issuetracker.google.com/issues/42410036 archive: + https://github.com/llvm/llvm-project/issues/131849 + + * https://bugs.chromium.org/p/llvm/issues/detail?id=45 reports a number of + dependencies that have had vulnerabilities reported against them. Redirect: + https://issuetracker.google.com/issues/42410038 archive: + https://github.com/llvm/llvm-project/issues/131851 + + * https://bugs.chromium.org/p/llvm/issues/detail?id=46 is related to + issue 43. Redirect https://issuetracker.google.com/issues/42410039 archive: + https://github.com/llvm/llvm-project/issues/131852 + + * https://bugs.chromium.org/p/llvm/issues/detail?id=48 reports a buffer overflow in + std::format from -fexperimental-library. Redirect: + https://issuetracker.google.com/issues/42410041 archive: + https://github.com/llvm/llvm-project/issues/131856 + + * https://bugs.chromium.org/p/llvm/issues/detail?id=54 reports a memory leak in + basic_string move assignment when built with libc++ versions <=6.0 and run against + newer libc++ shared/dylibs. Redirect: + https://issuetracker.google.com/issues/42410047 archive: + https://github.com/llvm/llvm-project/issues/131857 + + * https://bugs.chromium.org/p/llvm/issues/detail?id=56 reports an out + of bounds buffer store introduced by LLVM backends, that regressed + due to a procedural oversight. 
Redirect + https://issuetracker.google.com/issues/42410049 archive: + https://github.com/llvm/llvm-project/issues/131858 No dedicated LLVM releases were made for any of the above issues. @@ -152,10 +198,14 @@ publishing security advisories for those issues at https://github.com/llvm/llvm-security-repo/security/advisories/. 1. “Unexpected behavior when using LTO and branch-protection together” |br| - Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=58 + Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=58 |br| + redirect: https://issuetracker.google.com/issues/42410051 |br| + archive: https://github.com/llvm/llvm-project/issues/132185 2. “Security weakness in PCS for CMSE” (`CVE-2024-0151 `_) |br| - Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=68 + Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=68 |br| + redirect: https://issuetracker.google.com/issues/42410062 |br| + archive: https://github.com/llvm/llvm-project/issues/132186 3. “CMSE secure state may leak from stack to floating-point registers” (`CVE-2024-7883 `_) |br| Details are available at 
@@ -165,9 +215,13 @@ Supply chain security related issues and project services-related issues ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 1. “GitHub User Involved in xz backdoor may have attempted to change to clang in order to help hide the exploit” |br| - Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=71 + Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=71 |br| + redirect: https://issuetracker.google.com/issues/42410066 |br| + archive: https://github.com/llvm/llvm-project/issues/132187 2. “llvmbot account suspended due to supicious login” |br| - Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=72 + Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=72 |br| + redirect: https://issuetracker.google.com/issues/42410067 |br| + archive: https://github.com/llvm/llvm-project/issues/132243 3. “.git Exposure” |br| GHSA-mr8r-vvrc-w6rq |br| The .git directory was accessible via web browsers under apt.llvm.org, a site 
@@ -204,23 +258,41 @@ Issues deemed to not require coordinated action before disclosing publicly ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 1. “Clang Address Sanitizer gives False Negative for Array Out of Bounds Compiled with Optimization” |br| - Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=57 + Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=57 |br| + redirect: https://issuetracker.google.com/issues/42410050 |br| + archive: https://github.com/llvm/llvm-project/issues/132191 2. “Found exposed .svn folder” |br| - Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=59 + Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=59 |br| + redirect: https://issuetracker.google.com/issues/42410052 + archive: https://github.com/llvm/llvm-project/issues/132192 3. “Arbitrary code execution when combining SafeStack \+ dynamic stack allocations \+ \_\_builtin\_setjmp/longjmp” |br| - Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=60 + Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=60 |br| + redirect: https://issuetracker.google.com/issues/42410054 + archive: https://github.com/llvm/llvm-project/issues/132220 4. “RISC-V: Constants are allocated in writeable .sdata section” |br| - Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=61 + Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=61 |br| + redirect: https://issuetracker.google.com/issues/42410055 |br| + archive: https://github.com/llvm/llvm-project/issues/132223 5. 
“Manifest File with Out-of-Date Dependencies with CVEs” |br| - Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=62 + Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=62 |br| + redirect: https://issuetracker.google.com/issues/42410056 |br| + archive: https://github.com/llvm/llvm-project/issues/132225 6. “Non-const derived ctor should fail compilation when having a consteval base ctor” |br| - Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=67 + Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=67 |br| + redirect: https://issuetracker.google.com/issues/42410061 |br| + archive: https://github.com/llvm/llvm-project/issues/132226 7. “Wrong assembly code generation. Branching to the corrupted "LR".” |br| - Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=69 + Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=69 |br| + redirect: https://issuetracker.google.com/issues/42410063 |br| + archive: https://github.com/llvm/llvm-project/issues/132229 8. “Security bug report” |br| - Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=70 + Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=70 |br| + redirect: https://issuetracker.google.com/issues/42410065 |br| + archive: https://github.com/llvm/llvm-project/issues/132233 9. “Using ASan with setuid binaries can lead to arbitrary file write and elevation of privileges” |br| - Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=73 + Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=73 |br| + redirect: https://issuetracker.google.com/issues/42410068 |br| + archive: https://github.com/llvm/llvm-project/issues/132235 10. 
“Interesting bugs for bool variable in clang projects and aarch64 modes outputting inaccurate results.” |br| GHSA-w7qc-292v-5xh6 |br| The issue reported is on a source code example having undefined behaviour @@ -282,4 +354,4 @@ as part of migrating to GitHub's “security advisory”-based reporting: 1. “Test if new draft security advisory gets emailed to LLVM security group” |br| GHSA-82m9-xvw3-rvpv 2. “Test that a non-admin can create an advisory (no vulnerability).” |br| - GHSA-34gr-6c7h-cc93 \ No newline at end of file + GHSA-34gr-6c7h-cc93
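Review bot: in the first hunk, "The LLVM Security Response group started out as the LLVM security group, previous year's transparency reports keep the original name." is a comma splice and "year's" should be plural; suggest "The LLVM Security Response group started out as the LLVM security group; previous years' transparency reports keep the original name." The same hunk states that "Each Chromium issue has 3 URLs" in a fixed order (original, redirect, archive), but the per-year sections below lay the triple out three different ways (an "original:/redirect:/archive:" bullet in 2021, "Redirect: ... archive: ..." appended inline after the description in 2022 and 2023, one URL per line joined with |br| in 2024). Picking one layout, preferably the 2024 one, would make the intro accurate and the lists easier to scan; it would also help to mention that the archive issues can be found by the SecurityArchive label, which the text names but does not link.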
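Review bot: in the 2021 hunk the "archive:" label is left dangling at the end of the line with its URL on the next line ("redirect: https://issuetracker.google.com/issues/42410043 archive:" / "https://github.com/llvm/llvm-project/issues/125709"); reStructuredText will fold this into one paragraph, so the three URLs render as a single run of text. Suggest one label/URL pair per line separated by |br|, as the 2024 entries already do, so the rendered page shows the original, redirect and archive links on separate lines.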
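Review bot: the 2022 hunk capitalises the label as "Redirect:" while the 2021 hunk uses "redirect:" and the GitHub link is "archive:" in both; the labels should use one case throughout the document. Appending "Redirect: ... archive: ..." directly after "This was fixed." also puts the URLs mid-paragraph; moving them onto their own |br|-separated lines, as in 2024, keeps the description and the link triple visually separate.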
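Review bot: the 2023 hunk converts the plain paragraphs into bullets, but every new bullet is indented by one space (" * https://bugs.chromium.org/p/llvm/issues/detail?id=36 ..."); in reStructuredText an indented bullet list following a paragraph is rendered as a block quote containing a list, so this section will be indented differently from the 2021 and 2022 lists, which start their "* " bullets in column 0. Drop the leading space. In the same hunk the label is missing its colon on three entries ("Redirect" for issues 66, 46 and 56, versus "Redirect:" on the rest), and since the issue-66 line is being rewritten anyway, "DockerHub imaage" should become "DockerHub image".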
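Review bot: in the 2024 "Issues deemed to not require coordinated action" hunk, items 2 (id=59) and 3 (id=60) omit the |br| after their redirect line ("redirect: https://issuetracker.google.com/issues/42410052" and "redirect: https://issuetracker.google.com/issues/42410054"), while items 1 and 4 through 9 have it; without it the redirect and archive URLs of those two items will be joined on one rendered line. Add the trailing "|br|" to both redirect lines for consistency.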