Bug#1110773: ros-ros-comm: CVE-2024-39289 CVE-2024-39835 CVE-2024-41148 CVE-2024-41921 CVE-2025-3753

Timo Röhling roehling at debian.org
Mon Aug 11 13:44:44 BST 2025


Hi Salvatore!

On Mon, 11 Aug 2025 05:46:13 +0200 Salvatore Bonaccorso 
<carnil at debian.org> wrote:
> The following vulnerabilities were published for ros-ros-comm.
> [...]
> CVE-2024-39289
> CVE-2024-39835
> CVE-2024-41148
> CVE-2024-41921
> CVE-2025-3753

Jochen and I do not think this is a genuine vulnerability. The eval() 
statements in ros-comm receive their input exclusively from the invoking 
(ROS) user's CLI arguments and/or codebase, so there is no privilege 
escalation: The user could just as easily "inject" code by invoking the 
Python or shell interpreter. Any attack would have to be a social 
engineering attack that needs to trick the user into either executing a 
bad shell command or running malicious code they downloaded somewhere.

Furthermore, we find the CVE reports borderline inactionable, as the 
reports have virtually no information beyond mentioning eval(), and one 
report (CVE-2024-39289) even refers to "special converters for angle 
representations in radians", which makes little sense in this context 
and makes us suspect LLM involvement or some other form of bogus 
reporting. This suspicion is further reinforced by the link to the 
purported advisory, which merely points to the upstream blog entry 
announcing the end-of-life (i.e., the end of official upstream support) 
for ROS 1, with no mention of vulnerabilities whatsoever.

We do not believe these bugs need fixing, but we will accept patches if 
someone can strengthen the code without compromising established 
functionality.


Cheers
Timo


-- 
⢀⣴⠾⠻⢶⣦⠀   ╭────────────────────────────────────────────────────╮
⣾⠁⢠⠒⠀⣿⡁   │ Timo Röhling                                       │
⢿⡄⠘⠷⠚⠋⠀   │ 9B03 EBB9 8300 DF97 C2B1  23BF CC8C 6BDD 1403 F4CA │
⠈⠳⣄⠀⠀⠀⠀   ╰────────────────────────────────────────────────────╯
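One way to strengthen such an eval() code path in a patch, as an added example that is not ros-comm's own code: parse command-line values with ast.literal_eval(), which accepts the plain literal values eval() would (numbers, strings, lists, dicts) but refuses calls, name lookups and attribute access. The sample argument values below are constructed for this example and are not taken from ros-comm or the CVE reports.

```python
import ast
from typing import Any, Dict

# Constructed sample values of the kind a ROS user might pass on the
# command line (not taken from ros-comm or the CVE reports).
SAMPLE_ARGS: Dict[str, str] = {
    "scalar": "3.14",
    "list": "[1, 2.5, 'left_wheel']",
    "dict": "{'x': 0.0, 'y': -1.5, 'frame': 'base_link'}",
    "call": "len('abc')",   # valid Python expression, but not a literal
    "attr": "math.pi",      # name/attribute lookup, not a literal
}


def parse_cli_value(text: str) -> Any:
    """Parse one CLI argument as a Python literal only.

    Unlike eval(), ast.literal_eval() never executes calls, attribute
    lookups or name references, so a value that needs any of those is
    rejected instead of being run in the invoking user's process.
    """
    try:
        return ast.literal_eval(text)
    except (ValueError, SyntaxError, TypeError,
            MemoryError, RecursionError) as exc:
        raise ValueError(f"argument is not a plain literal: {text!r}") from exc


def classify(args: Dict[str, str]) -> Dict[str, str]:
    """Report which argument values survive the literal-only parser."""
    verdicts: Dict[str, str] = {}
    for name, text in args.items():
        try:
            parse_cli_value(text)
            verdicts[name] = "accepted"
        except ValueError:
            verdicts[name] = "rejected"
    return verdicts


if __name__ == "__main__":
    for name, verdict in classify(SAMPLE_ARGS).items():
        print(f"{name:7} {verdict}")
```

The literal values a user would normally pass still parse, while expressions that only eval() could run are reported as rejected, which is the behaviour a hardening patch would need to preserve.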