Bug#1110773: ros-ros-comm: CVE-2024-39289 CVE-2024-39835 CVE-2024-41148 CVE-2024-41921 CVE-2025-3753
Salvatore Bonaccorso
carnil at debian.org
Mon Aug 11 20:11:08 BST 2025
Hi Timo,
On Mon, Aug 11, 2025 at 02:44:44PM +0200, Timo Röhling wrote:
> Hi Salvatore!
>
> On Mon, 11 Aug 2025 05:46:13 +0200 Salvatore Bonaccorso <carnil at debian.org>
> wrote:
> > The following vulnerabilities were published for ros-ros-comm.
> > [...]
> > CVE-2024-39289
> > CVE-2024-39835
> > CVE-2024-41148
> > CVE-2024-41921
> > CVE-2025-3753
>
> Jochen and I do not think this is a genuine vulnerability. The eval()
> statements in ros-comm receive their input exclusively from the invoking
> (ROS) user's CLI arguments and/or codebase, so there is no privilege
> escalation: The user could just as easily "inject" code by invoking the
> Python or shell interpreter. Any attack would have to be a social
> engineering attack that needs to trick the user into either executing a bad
> shell command or run malicious code they downloaded somewhere.
>
> Furthermore, we find the CVE reports borderline inactionable, as the reports
> have virtually no information beyond mentioning eval(), and one report
> (CVE-2024-39289) even refers to "special converters for angle
> representations in radians", which makes little sense in this context and
> makes us suspect LLM involvement or some other form of bogus reporting. This
> suspicion is further reinforced by the link to the purported advisory, which
> merely points to the upstream blog entry announcing the end-of-life (i.e.,
> the end of official upstream support) for ROS 1, with no mention of
> vulnerabilities whatsoever.
>
> We do not believe these bugs need fixing, but we will accept patches if
> someone can strengthen the code without compromising established
> functionality.
Thank you, I marked all of those CVEs as unimportant with a negligible
security impact note.
Regards,
Salvatore