Bug#1102010: ros-dynamic-reconfigure: CVE-2024-39780
Salvatore Bonaccorso
carnil at debian.org
Thu Apr 3 22:21:20 BST 2025
Source: ros-dynamic-reconfigure
Version: 1.7.3-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/ros/dynamic_reconfigure/pull/202
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Control: found -1 1.7.3-2
Hi,
The following vulnerability was published for ros-dynamic-reconfigure.
CVE-2024-39780[0]:
| A YAML deserialization vulnerability was found in the Robot
| Operating System (ROS) 'dynparam', a command-line tool for getting,
| setting, and deleting parameters of a dynamically configurable node,
| affecting ROS distributions Noetic and earlier. The issue is caused
| by the use of the yaml.load() function in the 'set' and 'get' verbs,
| and allows for the creation of arbitrary Python objects. Through
| this flaw, a local or remote user can craft and execute arbitrary
| Python code. This issue has now been fixed for ROS Noetic via commit
| 3d93ac13603438323d7e9fa74e879e45c5fe2e8e.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-39780
https://www.cve.org/CVERecord?id=CVE-2024-39780
[1] https://github.com/ros/dynamic_reconfigure/pull/202
[2] https://github.com/ros/dynamic_reconfigure/commit/9975cc8b55b3039115da6662cc7279cc65303844
Regards,
Salvatore
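The report above describes the flaw only in prose: a value passed to dynparam's 'set' or 'get' verb goes through yaml.load(), and PyYAML's full loader honours python/* tags that import a module and call a function with attacker-chosen arguments. The following is an added example, not code from dynparam or the upstream fix, that reproduces that pattern beside its hardened form. Assumptions: PyYAML is installed; the unsafe path is written with an explicit Loader=yaml.Loader because PyYAML 6 refuses yaml.load() without one (PyYAML before 5.1 used that same loader by default when none was given); the payload, the benign sample value and the helper names parse_unsafe, parse_safe and classify are constructed for this example; the hardened form is assumed to be yaml.safe_load(), which the page's description implies but does not state.

```python
"""Added example (not dynparam or PyYAML project code): yaml.load() on an
untrusted parameter value is arbitrary object construction; yaml.safe_load()
limits the result to plain scalars and containers."""
import yaml

# Constructed payload. The !!python/object/apply tag makes PyYAML's unsafe
# loader import the named module and call the function with the YAML sequence
# as positional arguments. posixpath.join is used because it is harmless and
# deterministic; any importable callable (os.system, subprocess.check_output,
# ...) is invoked the same way, which is the arbitrary-code-execution path.
PAYLOAD = '!!python/object/apply:posixpath.join ["/tmp", "dynparam-poc"]'

# Constructed benign value of the shape a dynamic_reconfigure parameter takes.
BENIGN = "{rate: 3.5, enabled: true}"


def parse_unsafe(text):
    """Mirror of the vulnerable pattern: yaml.load() with the unsafe Loader.

    Assumption: older dynparam environments hit this loader through the
    pre-5.1 PyYAML default; PyYAML 6 requires the Loader to be named.
    """
    return yaml.load(text, Loader=yaml.Loader)


def parse_safe(text):
    """Hardened form: safe_load() constructs only str/int/float/bool/None,
    lists and dicts, and raises ConstructorError for python/* tags."""
    return yaml.safe_load(text)


def classify(text):
    """Return ('ok', value) for an accepted parameter value or
    ('rejected', exception_name) when the safe loader refuses it."""
    try:
        return ("ok", parse_safe(text))
    except yaml.YAMLError as exc:
        return ("rejected", type(exc).__name__)


if __name__ == "__main__":
    # The callable named in the payload actually runs under the unsafe loader.
    print("unsafe :", parse_unsafe(PAYLOAD))
    # The same payload is refused by safe_load(); ordinary values still parse.
    print("safe   :", classify(PAYLOAD))
    print("benign :", classify(BENIGN))
```

The check a maintainer wants when backporting the fix is the middle line: after the change, the payload must be rejected with ConstructorError rather than returning a value, while legitimate scalar and mapping values still load. Grepping the package for any remaining yaml.load( call that does not pass Loader=yaml.SafeLoader (or use safe_load) covers the 'get' and 'set' verbs named in the advisory and anything else that shares the pattern.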