[mlir] mlir::outlineSingleBlockRegion crashes with segmentation fault. #60216
Comments
@llvm/issue-subscribers-mlir
This inexplicably got assigned a CVE, CVE-2023-26924, which I assume will be rejected given LLVM's security process?
Why would it be automatically rejected? MITRE doesn't care, they assign CVEs from anyone with very little validation.
I've requested that MITRE reject the CVE based on https://llvm.org/docs/Security.html#what-is-considered-a-security-issue.
Sorry, I meant to ask if the LLVM project will be filing a rejection, thanks for doing that. I could do it downstream (for Fedora/RHEL) but it's usually just easy if upstream does it. However, I understand it's not scalable to do a formal filing for all reports; as downstream I'm happy with just a comment on the issue rejecting the security impact. Thanks!
Anyone else able to reproduce this? I'm unable to reproduce on a0dab4950 or
FTR, this was MITRE's response:
This is not even really relevant; here we have what seem to be fuzzed inputs that are directed at entry points which are meant to be exposed only to unit tests. None of the
Hi to everyone who has thankfully dealt with this problem. I was wondering whether there has been any news on the rejection request? Apparently the CVE is still open, and third-party security scanning tools have started reporting the affected LLVM version. From what I understood so far, there are several reasons for rejecting this as a security vulnerability:
Based on these arguments, would it be possible to get the CVE closed? I am also happy to help if there is something I am able to do.
Unfortunately MITRE hasn't been very discerning (or even responsive to disputes) and the trend of spurious CVE assignments continues; there are (AFAICT) at least 6 more bugs in MLIR that have got CVE numbers without any real reasoning.
MLIR built at commit a0dab4950
Reproduced with: temp.mlir
trace: