Fixed
Status Update
No update yet.
Comments
ti...@sony.com
It's not a .git directory but a .svn directory. :) That said, even though Subversion use by the llvm project has been long discontinued, it should still not be exposed, or even better, the directory should be cleaned up.
CC'ing Mike Edwards, who I hope is able to get rid of that directory.
CC'ing Mike Edwards, who I hope is able to get rid of that directory.
nm...@stanford.edu
[Empty comment from Monorail migration]
nm...@stanford.edu
Yes along with .svn i was able to download .git folder too.
I have attached the zip file, you can find the git folder inside it.
I have attached the zip file, you can find the git folder inside it.
ti...@sony.com
Pulling in Tom Stellard and Tobias Hieta as the LLVM release managers on this issue reported to the LLVM security group.
While .svn or .git directories probably shouldn't be present athttps://releases.llvm.org , I wonder how this is a security issue.
Is some of the information in those directories perhaps not available publicly already?
While .svn or .git directories probably shouldn't be present at
Is some of the information in those directories perhaps not available publicly already?
nm...@stanford.edu
I don' think there is any problem to have the .git directory exposed. I'm not sure about .svn though. I'm fairly certain we can remove the .svn directory, but not sure about the .git directory. Anton is probably the best person to talk to about this.
ti...@sony.com
cc-ing in Anton.
ti...@sony.com
FWIW https://bugs.chromium.org/p/llvm/issues/detail?id=36 reported a similar issue on https://llvm.org/.git the reporter mentioned that the source code of the website could be downloaded and searched for vulnerabilities. Not sure whether that will be the case with this one.
pe...@arm.com
The source code for the website is hosted on github, so it's already possible to search for vulnerabilities.
nm...@stanford.edu
Thanks, this was some kind of oversight during Apache => NGINX migration. For the sake of sanity we're reporting 404 for all hidden files.
nm...@stanford.edu
(CND cache was purged as well)
kr...@arm.com
Just to be 100% sure: Anton: you have removed the .svn/.git directories that were reported, so we can mark this ticket as fixed?
kr...@arm.com
# wget https://releases.llvm.org/.svn
--2024-01-18 10:34:56--https://releases.llvm.org/.svn
Resolvingreleases.llvm.org (releases.llvm.org )... 151.101.214.49
Connecting toreleases.llvm.org (releases.llvm.org )|151.101.214.49|:443... connected.
HTTP request sent, awaiting response... 404 Not Found
2024-01-18 10:34:56 ERROR 404: Not Found.
--2024-01-18 10:34:56--
Resolving
Connecting to
HTTP request sent, awaiting response... 404 Not Found
2024-01-18 10:34:56 ERROR 404: Not Found.
pe...@arm.com
[Empty comment from Monorail migration]
Description
Attached is a proof of concept (poc.c) and a malicious input file passed to the miscompiled program. Compile it as follows:
```
clang -fsanitize=safe-stack poc.c
```
This produces an executable `a.out`. Run it under valgrind, redirecting input from in.txt (attached), to observe a return to 0xdeadbeef:
```
valgrind ./a.out < in.txt
```