Skip to content

Add llvm-project archive issues for Chromium bug tracker #132030

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 6 commits into from
May 21, 2025
Merged

Add llvm-project archive issues for Chromium bug tracker #132030

Changes from 5 commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
ad6181c
Add llvm-project archive issues for Chromium bug tracker
smithp35 Mar 19, 2025
e5d6ac7
Kristof's Review comments
smithp35 Mar 19, 2025
1bd9859
Merge branch 'llvm:main' into transparencyurls
smithp35 Mar 20, 2025
8a41e00
Rebase on 2024 Transparency update
smithp35 Mar 20, 2025
f096afc
Updated to use both original, redirect and archive URLs.
smithp35 May 20, 2025
8ba6ff5
Fix typo . the -> . The
smithp35 May 20, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
172 changes: 122 additions & 50 deletions llvm/docs/SecurityTransparencyReports.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,21 @@
LLVM Security Group Transparency Reports
Copy link
Contributor

@tuliom tuliom Mar 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is probably beyond the scope of this PR, but it looks like the name of the group needs to be updated in the title.

Copy link
Collaborator Author

@smithp35 smithp35 Mar 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, I thought about updating it, but had enough doubts to not do it in this PR.

========================================

This page lists the yearly LLVM Security group transparency reports.
This page lists the yearly LLVM Security Response group transparency reports.

The LLVM Security Response group started out as the LLVM security group, previous
year's transparency reports keep the original name.

Initially the Chromium issue tracker was used to record issues. This
component has been archived and is read-only. A GitHub
llvm/llvm-project issue has been created for each issue in the
Chromium issue tracker. All of these issues contain an attached PDF
with the content of the Chromium issue, and have the SecurityArchive
label.

Each Chromium issue has 3 URLs, the first is the original URL recorded in
previous transparency reports. the second is the redirect URL to the archive.
Copy link
Collaborator

@kbeyls kbeyls May 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

s/the/The/ ?

Copy link
Collaborator Author

@smithp35 smithp35 May 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for spotting, will fix.

The third is to the GitHub archive issue.

2021
----
Expand All @@ -29,8 +43,13 @@ In 2021, the security group received 13 issue reports that were made publicly
visible before 31st of December 2021. The security group judged 2 of these
reports to be security issues:

* https://bugs.chromium.org/p/llvm/issues/detail?id=5
* https://bugs.chromium.org/p/llvm/issues/detail?id=11
* original: https://bugs.chromium.org/p/llvm/issues/detail?id=5
redirect: https://issuetracker.google.com/issues/42410043 archive:
https://github.com/llvm/llvm-project/issues/125709

* original: https://bugs.chromium.org/p/llvm/issues/detail?id=11
redirect: https://issuetracker.google.com/issues/42410002 archive:
https://github.com/llvm/llvm-project/issues/127644

Both issues were addressed with source changes: #5 in clangd/vscode-clangd, and
#11 in llvm-project. No dedicated LLVM release was made for either.
Expand All @@ -54,24 +73,32 @@ the time of writing this transparency report.

5 of these were judged to be security issues:

* https://bugs.chromium.org/p/llvm/issues/detail?id=17 reports a miscompile in
LLVM that can result in the frame pointer and return address being
overwritten. This was fixed.
* https://bugs.chromium.org/p/llvm/issues/detail?id=17 reports a miscompile in LLVM
that can result in the frame pointer and return address being overwritten. This
was fixed. Redirect: https://issuetracker.google.com/issues/42410008 archive:
https://github.com/llvm/llvm-project/issues/127645

* https://bugs.chromium.org/p/llvm/issues/detail?id=19 reports a vulnerability
in `std::filesystem::remove_all` in libc++. This was fixed.
* https://bugs.chromium.org/p/llvm/issues/detail?id=19 reports a vulnerability in
`std::filesystem::remove_all` in libc++. This was fixed.
Redirect: https://issuetracker.google.com/issues/42410010 archive:
https://github.com/llvm/llvm-project/issues/127647

* https://bugs.chromium.org/p/llvm/issues/detail?id=23 reports a new Spectre
gadget variant that Speculative Load Hardening (SLH) does not mitigate. No
extension to SLH was implemented to also mitigate against this variant.
Redirect: https://issuetracker.google.com/issues/42410015 archive:
https://github.com/llvm/llvm-project/issues/127648

* https://bugs.chromium.org/p/llvm/issues/detail?id=30 reports missing memory
safety protection on the (C++) exception handling path. A number of fixes
were implemented.
were implemented. Redirect: https://issuetracker.google.com/issues/42410023
archive: https://github.com/llvm/llvm-project/issues/127649

* https://bugs.chromium.org/p/llvm/issues/detail?id=33 reports the RETBLEED
vulnerability. The outcome was clang growing a new security hardening feature
`-mfunction-return=thunk-extern`, see https://reviews.llvm.org/D129572.
Redirect: https://issuetracker.google.com/issues/42410026 archive:
https://github.com/llvm/llvm-project/issues/127650


No dedicated LLVM releases were made for any of the above issues.
Expand All @@ -84,33 +111,52 @@ that were received earlier, but were disclosed in 2023.

9 of these were judged to be security issues:

https://bugs.chromium.org/p/llvm/issues/detail?id=36 reports the presence of
.git folder in https://llvm.org/.git.

https://bugs.chromium.org/p/llvm/issues/detail?id=66 reports the presence of
a GitHub Personal Access token in a DockerHub imaage.

https://bugs.chromium.org/p/llvm/issues/detail?id=42 reports a potential gap
in the Armv8.1-m BTI protection, involving a combination of large switch statements
and __builtin_unreachable() in the default case.

https://bugs.chromium.org/p/llvm/issues/detail?id=43 reports a dependency
on an old version of xml2js with a CVE filed against it.

https://bugs.chromium.org/p/llvm/issues/detail?id=45 reports a number of
dependencies that have had vulnerabilities reported against them.

https://bugs.chromium.org/p/llvm/issues/detail?id=46 is related to issue 43.

https://bugs.chromium.org/p/llvm/issues/detail?id=48 reports a buffer overflow
in std::format from -fexperimental-library.

https://bugs.chromium.org/p/llvm/issues/detail?id=54 reports a memory leak in
basic_string move assignment when built with libc++ versions <=6.0 and run against
newer libc++ shared/dylibs.

https://bugs.chromium.org/p/llvm/issues/detail?id=56 reports an out of bounds buffer
store introduced by LLVM backends, that regressed due to a procedural oversight.
* https://bugs.chromium.org/p/llvm/issues/detail?id=36 reports the presence of
.git folder in https://llvm.org/.git. Redirect:
https://issuetracker.google.com/issues/42410029 archive:
https://github.com/llvm/llvm-project/issues/131841

* https://bugs.chromium.org/p/llvm/issues/detail?id=66 reports the presence of a
GitHub Personal Access token in a DockerHub imaage. Redirect
https://issuetracker.google.com/issues/42410060 archive:
https://github.com/llvm/llvm-project/issues/131846

* https://bugs.chromium.org/p/llvm/issues/detail?id=42 reports a potential gap
in the Armv8.1-m BTI protection, involving a combination of large switch statements
and __builtin_unreachable() in the default case. Redirect:
https://issuetracker.google.com/issues/42410035 archive:
https://github.com/llvm/llvm-project/issues/131848

* https://bugs.chromium.org/p/llvm/issues/detail?id=43 reports a dependency
on an old version of xml2js with a CVE filed against it. Redirect:
https://issuetracker.google.com/issues/42410036 archive:
https://github.com/llvm/llvm-project/issues/131849

* https://bugs.chromium.org/p/llvm/issues/detail?id=45 reports a number of
dependencies that have had vulnerabilities reported against them. Redirect:
https://issuetracker.google.com/issues/42410038 archive:
https://github.com/llvm/llvm-project/issues/131851

* https://bugs.chromium.org/p/llvm/issues/detail?id=46 is related to
issue 43. Redirect https://issuetracker.google.com/issues/42410039 archive:
https://github.com/llvm/llvm-project/issues/131852

* https://bugs.chromium.org/p/llvm/issues/detail?id=48 reports a buffer overflow in
std::format from -fexperimental-library. Redirect:
https://issuetracker.google.com/issues/42410041 archive:
https://github.com/llvm/llvm-project/issues/131856

* https://bugs.chromium.org/p/llvm/issues/detail?id=54 reports a memory leak in
basic_string move assignment when built with libc++ versions <=6.0 and run against
newer libc++ shared/dylibs. Redirect:
https://issuetracker.google.com/issues/42410047 archive:
https://github.com/llvm/llvm-project/issues/131857

* https://bugs.chromium.org/p/llvm/issues/detail?id=56 reports an out
of bounds buffer store introduced by LLVM backends, that regressed
due to a procedural oversight. Redirect
https://issuetracker.google.com/issues/42410049 archive:
https://github.com/llvm/llvm-project/issues/131858

No dedicated LLVM releases were made for any of the above issues.

Expand Down Expand Up @@ -152,10 +198,14 @@ publishing security advisories for those issues at
https://github.com/llvm/llvm-security-repo/security/advisories/.

1. “Unexpected behavior when using LTO and branch-protection together” |br|
Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=58
Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=58 |br|
redirect: https://issuetracker.google.com/issues/42410051 |br|
archive: https://github.com/llvm/llvm-project/issues/132185
2. “Security weakness in PCS for CMSE”
(`CVE-2024-0151 <https://nvd.nist.gov/vuln/detail/CVE-2024-0151>`_) |br|
Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=68
Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=68 |br|
redirect: https://issuetracker.google.com/issues/42410062 |br|
archive: https://github.com/llvm/llvm-project/issues/132186
3. “CMSE secure state may leak from stack to floating-point registers”
(`CVE-2024-7883 <https://www.cve.org/cverecord?id=CVE-2024-7883>`_) |br|
Details are available at
Expand All @@ -165,9 +215,13 @@ Supply chain security related issues and project services-related issues
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

1. “GitHub User Involved in xz backdoor may have attempted to change to clang in order to help hide the exploit” |br|
Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=71
Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=71 |br|
redirect: https://issuetracker.google.com/issues/42410066 |br|
archive: https://github.com/llvm/llvm-project/issues/132187
2. “llvmbot account suspended due to supicious login” |br|
Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=72
Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=72 |br|
redirect: https://issuetracker.google.com/issues/42410067 |br|
archive: https://github.com/llvm/llvm-project/issues/132243
3. “.git Exposure” |br|
GHSA-mr8r-vvrc-w6rq |br|
The .git directory was accessible via web browsers under apt.llvm.org, a site
Expand Down Expand Up @@ -204,23 +258,41 @@ Issues deemed to not require coordinated action before disclosing publicly
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

1. “Clang Address Sanitizer gives False Negative for Array Out of Bounds Compiled with Optimization” |br|
Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=57
Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=57 |br|
redirect: https://issuetracker.google.com/issues/42410050 |br|
archive: https://github.com/llvm/llvm-project/issues/132191
2. “Found exposed .svn folder” |br|
Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=59
Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=59 |br|
redirect: https://issuetracker.google.com/issues/42410052
archive: https://github.com/llvm/llvm-project/issues/132192
3. “Arbitrary code execution when combining SafeStack \+ dynamic stack allocations \+ \_\_builtin\_setjmp/longjmp” |br|
Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=60
Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=60 |br|
redirect: https://issuetracker.google.com/issues/42410054
archive: https://github.com/llvm/llvm-project/issues/132220
4. “RISC-V: Constants are allocated in writeable .sdata section” |br|
Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=61
Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=61 |br|
redirect: https://issuetracker.google.com/issues/42410055 |br|
archive: https://github.com/llvm/llvm-project/issues/132223
5. “Manifest File with Out-of-Date Dependencies with CVEs” |br|
Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=62
Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=62 |br|
redirect: https://issuetracker.google.com/issues/42410056 |br|
archive: https://github.com/llvm/llvm-project/issues/132225
6. “Non-const derived ctor should fail compilation when having a consteval base ctor” |br|
Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=67
Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=67 |br|
redirect: https://issuetracker.google.com/issues/42410061 |br|
archive: https://github.com/llvm/llvm-project/issues/132226
7. “Wrong assembly code generation. Branching to the corrupted "LR".” |br|
Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=69
Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=69 |br|
redirect: https://issuetracker.google.com/issues/42410063 |br|
archive: https://github.com/llvm/llvm-project/issues/132229
8. “Security bug report” |br|
Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=70
Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=70 |br|
redirect: https://issuetracker.google.com/issues/42410065 |br|
archive: https://github.com/llvm/llvm-project/issues/132233
9. “Using ASan with setuid binaries can lead to arbitrary file write and elevation of privileges” |br|
Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=73
Details are available at https://bugs.chromium.org/p/llvm/issues/detail?id=73 |br|
redirect: https://issuetracker.google.com/issues/42410068 |br|
archive: https://github.com/llvm/llvm-project/issues/132235
10. “Interesting bugs for bool variable in clang projects and aarch64 modes outputting inaccurate results.” |br|
GHSA-w7qc-292v-5xh6 |br|
The issue reported is on a source code example having undefined behaviour
Expand Down Expand Up @@ -282,4 +354,4 @@ as part of migrating to GitHub's “security advisory”-based reporting:
1. “Test if new draft security advisory gets emailed to LLVM security group” |br|
GHSA-82m9-xvw3-rvpv
2. “Test that a non-admin can create an advisory (no vulnerability).” |br|
GHSA-34gr-6c7h-cc93
GHSA-34gr-6c7h-cc93
Loading