Hi Salvatore!

On Mon, 11 Aug 2025 05:46:13 +0200 Salvatore Bonaccorso <[email protected]> wrote:
> The following vulnerabilities were published for ros-ros-comm.
> [...]
> CVE-2024-39289
> CVE-2024-39835
> CVE-2024-41148
> CVE-2024-41921
> CVE-2025-3753

Jochen and I do not think this is a genuine vulnerability. The eval() statements in ros-comm receive their input exclusively from the invoking (ROS) user's CLI arguments and/or codebase, so there is no privilege escalation: the user could just as easily "inject" code by invoking the Python or shell interpreter. Any attack would have to be a social engineering attack that needs to trick the user into either executing a bad shell command or running malicious code they downloaded somewhere.

Furthermore, we find the CVE reports borderline inactionable, as the reports have virtually no information beyond mentioning eval(), and one report (CVE-2024-39289) even refers to "special converters for angle representations in radians", which makes little sense in this context and makes us suspect LLM involvement or some other form of bogus reporting. This suspicion is further reinforced by the link to the purported advisory, which merely points to the upstream blog entry announcing the end-of-life (i.e., the end of official upstream support) for ROS 1, with no mention of vulnerabilities whatsoever.

We do not believe these bugs need fixing, but we will accept patches if someone can strengthen the code without compromising established functionality.


Cheers
Timo


--
⢀⣴⠾⠻⢶⣦⠀   ╭────────────────────────────────────────────────────╮
⣾⠁⢠⠒⠀⣿⡁   │ Timo Röhling                                       │
⢿⡄⠘⠷⠚⠋⠀   │ 9B03 EBB9 8300 DF97 C2B1  23BF CC8C 6BDD 1403 F4CA │
⠈⠳⣄⠀⠀⠀⠀   ╰────────────────────────────────────────────────────╯
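As an added illustration of the kind of hardening the message says would be accepted (this is example code, not ros-comm's own, and the function names and accepted value forms are assumptions): parsing a CLI-supplied value with ast.literal_eval accepts the same literal forms a user would type, but it no longer evaluates expressions or calls, which is exactly the functionality trade-off a patch would have to weigh.

```python
"""Added example, not ros-comm code: replacing eval() on a CLI argument with
ast.literal_eval. The helper names and the set of accepted value forms are
assumptions made for this illustration."""
import ast
from typing import Any


def parse_value_unsafe(text: str) -> Any:
    """The pattern under discussion: evaluate whatever the user typed.

    Because the input is the invoking user's own argument, this is not a
    privilege boundary, but any Python expression is executed as-is.
    """
    return eval(text)  # kept only to contrast with parse_value() below


def parse_value(text: str, strict: bool = False) -> Any:
    """Parse a value typed on the command line without executing code.

    Accepts Python literals (numbers, strings, bools, None, lists, tuples,
    dicts, sets) and nothing else. Non-literal text is returned unchanged
    as a plain string, or rejected with ValueError when strict=True. The
    behavioural difference to eval() is that expressions such as "2 ** 10"
    or "len('abc')" are no longer evaluated.
    """
    try:
        return ast.literal_eval(text)
    except (ValueError, SyntaxError, RecursionError):
        if strict:
            raise ValueError(f"not a literal value: {text!r}") from None
        return text


def compare(text: str) -> tuple[Any, Any]:
    """Return (eval result, literal_eval result) to show where they diverge.

    Only call this with inputs you constructed yourself; it exists to make
    the trade-off visible, not to be used on untrusted data.
    """
    return parse_value_unsafe(text), parse_value(text)


if __name__ == "__main__":
    # Constructed sample inputs: literals agree, expressions do not.
    for sample in ["[1, 2.5, 'a']", "{'rate': 10}", "True", "2 ** 10"]:
        print(f"{sample!r:>18} -> eval: {compare(sample)[0]!r:>20} "
              f"literal_eval: {compare(sample)[1]!r}")
```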
