Updating/removing clang-tidy-vs from clang-tools-extra because of CVE-2018-1000210


Updating/removing clang-tidy-vs from clang-tools-extra because of CVE-2018-1000210

Kristóf Umann via cfe-dev
Hi,

The `clang-tidy-vs` Visual Studio plugin in clang-tools-extra contains a security vulnerability in the YamlDotNet package [1]. GitHub flags the code in clang-tools-extra as a high-priority security vulnerability. If you're an admin of a custom fork of the llvm-project monorepo on GitHub, you get a banner every time you open the GitHub web page for the repo, and an additional weekly email about this high-priority vulnerability.

I've emailed Zachary, who originally added the plugin, about this issue, and also filed a bug report on llvm.org [2]. From what I gathered so far, I don't think Zachary works on llvm-project anymore. Would there be anyone else who'd be interested in updating the plugin to address the vulnerability? If not, would it be reasonable to remove this plugin from llvm-project entirely?

Thanks,
Alex


_______________________________________________
cfe-dev mailing list
[hidden email]
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev

Re: Updating/removing clang-tidy-vs from clang-tools-extra because of CVE-2018-1000210

Kristóf Umann via cfe-dev
I reached out to Zach and he said Clang Power Tools (https://marketplace.visualstudio.com/items?itemName=caphyon.ClangPowerTools) does everything clang-tidy-vs does, so we should go ahead and remove clang-tidy-vs.

On Mon, Aug 26, 2019 at 10:41 AM Alex L via cfe-dev <[hidden email]> wrote:

Re: Updating/removing clang-tidy-vs from clang-tools-extra because of CVE-2018-1000210

Kristóf Umann via cfe-dev
Great, thanks for reaching out to Zach! I posted a patch that removes the plugin, and suggests Clang Power Tools in the release notes instead: https://reviews.llvm.org/D66813.

On Tue, 27 Aug 2019 at 10:24, Reid Kleckner <[hidden email]> wrote: