Bug#1110773: ros-ros-comm: CVE-2024-39289 CVE-2024-39835 CVE-2024-41148 CVE-2024-41921 CVE-2025-3753

Salvatore Bonaccorso carnil at debian.org
Mon Aug 11 04:46:13 BST 2025


Source: ros-ros-comm
Version: 1.17.0+ds-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi,

The following vulnerabilities were published for ros-ros-comm.

I'm actually not really sure how we can tackle those or should handle
them. There is as well only little additional information on those.

Maybe remove all ROS1 related packages?

CVE-2024-39289[0]:
| A code execution vulnerability has been discovered in the Robot
| Operating System (ROS) 'rosparam' tool, affecting ROS distributions
| Noetic Ninjemys and earlier. The vulnerability stems from the use of
| the eval() function to process unsanitized, user-supplied parameter
| values via special converters for angle representations in radians.
| This flaw allowed attackers to craft and execute arbitrary Python
| code.


CVE-2024-39835[1]:
| A code injection vulnerability has been identified in the Robot
| Operating System (ROS) 'roslaunch' command-line tool, affecting ROS
| distributions Noetic Ninjemys and earlier. The vulnerability arises
| from the use of the eval() method to process user-supplied,
| unsanitized parameter values within the substitution args mechanism,
| which roslaunch evaluates before launching a node. This flaw allows
| attackers to craft and execute arbitrary Python code.


CVE-2024-41148[2]:
| A code injection vulnerability has been discovered in the Robot
| Operating System (ROS) 'rostopic' command-line tool, affecting ROS
| distributions Noetic Ninjemys and earlier. The vulnerability lies in
| the 'hz' verb, which reports the publishing rate of a topic and
| accepts a user-provided Python expression via the --filter option.
| This input is passed directly to the eval() function without
| sanitization, allowing a local user to craft and execute arbitrary
| code.


CVE-2024-41921[3]:
| A code injection vulnerability has been discovered in the Robot
| Operating System (ROS) 'rostopic' command-line tool, affecting ROS
| distributions Noetic Ninjemys and earlier. The vulnerability lies in
| the 'echo' verb, which allows a user to introspect a ROS topic and
| accepts a user-provided Python expression via the --filter option.
| This input is passed directly to the eval() function without
| sanitization, allowing a local user to craft and execute arbitrary
| code.


CVE-2025-3753[4]:
| A code execution vulnerability has been identified in the Robot
| Operating System (ROS) 'rosbag' tool, affecting ROS distributions
| Noetic Ninjemys and earlier. The vulnerability arises from the use
| of the eval() function to process unsanitized, user-supplied input
| in the 'rosbag filter' command. This flaw enables attackers to craft
| and execute arbitrary Python code.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-39289
    https://www.cve.org/CVERecord?id=CVE-2024-39289
[1] https://security-tracker.debian.org/tracker/CVE-2024-39835
    https://www.cve.org/CVERecord?id=CVE-2024-39835
[2] https://security-tracker.debian.org/tracker/CVE-2024-41148
    https://www.cve.org/CVERecord?id=CVE-2024-41148
[3] https://security-tracker.debian.org/tracker/CVE-2024-41921
    https://www.cve.org/CVERecord?id=CVE-2024-41921
[4] https://security-tracker.debian.org/tracker/CVE-2025-3753
    https://www.cve.org/CVERecord?id=CVE-2025-3753

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore


