Hi Timo,

On Mon, Aug 11, 2025 at 02:44:44PM +0200, Timo Röhling wrote:
> Hi Salvatore!
>
> On Mon, 11 Aug 2025 05:46:13 +0200 Salvatore Bonaccorso <[email protected]>
> wrote:
> > The following vulnerabilities were published for ros-ros-comm.
> > [...]
> > CVE-2024-39289
> > CVE-2024-39835
> > CVE-2024-41148
> > CVE-2024-41921
> > CVE-2025-3753
>
> Jochen and I do not think this is a genuine vulnerability. The eval()
> statements in ros-comm receive their input exclusively from the invoking
> (ROS) user's CLI arguments and/or codebase, so there is no privilege
> escalation: The user could just as easily "inject" code by invoking the
> Python or shell interpreter. Any attack would have to be a social
> engineering attack that needs to trick the user into either executing a bad
> shell command or running malicious code they downloaded somewhere.
>
> Furthermore, we find the CVE reports borderline inactionable, as the reports
> have virtually no information beyond mentioning eval(), and one report
> (CVE-2024-39289) even refers to "special converters for angle
> representations in radians", which makes little sense in this context and
> makes us suspect LLM involvement or some other form of bogus reporting. This
> suspicion is further reinforced by the link to the purported advisory, which
> merely points to the upstream blog entry announcing the end-of-life (i.e.,
> the end of official upstream support) for ROS 1, with no mention of
> vulnerabilities whatsoever.
>
> We do not believe these bugs need fixing, but we will accept patches if
> someone can strengthen the code without compromising established
> functionality.
Thank you, I marked all of those CVEs as unimportant with a negligible
security impact note.

Regards,
Salvatore
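Added example, not part of the thread and not code from ros-comm: it shows, in Python (the language the thread names), what "strengthening the code without compromising established functionality" in Timo's last paragraph could look like. ast.literal_eval() accepts the literal values a CLI user would type for eval() while refusing expressions that call functions, access attributes or import modules. The function names, the module-level constants and the two sample arguments are constructed for this illustration; nothing here demonstrates an issue in ros-comm itself, and, as the thread notes, for input the invoking user supplies themselves the change does not alter who can run code.

```python
"""eval() versus ast.literal_eval() on a command-line argument.

Illustrative code written for this note, not code from ros-comm. The
function names and the sample arguments are constructed for the example.
"""
import ast

# Constructed sample arguments, as a user might type them on a CLI.
LITERAL_ARG = "[1, 2.5, 'rad']"
CODE_ARG = "__import__('os').getpid() > 0"

# Exceptions ast.literal_eval() raises on input that is not a plain literal.
LITERAL_EVAL_ERRORS = (ValueError, SyntaxError, TypeError, MemoryError, RecursionError)


def parse_with_eval(text):
    """Parse `text` as an arbitrary Python expression.

    Any expression runs, including calls, attribute access and imports, so
    whoever controls `text` runs code with the privileges of the invoking
    user. Kept deliberately unsafe here for comparison.
    """
    return eval(text)


def parse_literal(text):
    """Parse `text` as a Python literal only.

    Numbers, strings, bytes, tuples, lists, dicts, sets, booleans and None
    are accepted; names, calls, attribute access and imports raise an
    exception instead of executing.
    """
    return ast.literal_eval(text)


def is_plain_literal(text):
    """True when `text` is a literal, False when ast.literal_eval() rejects it."""
    try:
        ast.literal_eval(text)
    except LITERAL_EVAL_ERRORS:
        return False
    return True


def demo():
    """Run both parsers over the constructed arguments and return the outcome.

    For the literal argument both parsers agree; for the code-like argument
    eval() executes it while literal_eval() rejects it.
    """
    results = {}
    for arg in (LITERAL_ARG, CODE_ARG):
        results[arg] = {
            "eval": parse_with_eval(arg),
            "literal_eval": parse_literal(arg) if is_plain_literal(arg) else "rejected",
        }
    return results


if __name__ == "__main__":
    for arg, outcome in demo().items():
        print(repr(arg), "->", outcome)
```

The caveat Timo raises applies directly: any caller that relies on eval() evaluating real expressions (names, arithmetic on variables, function calls) rather than literal values would break under this substitution, so a patch of this kind has to be checked against each call site's established inputs, not applied blindly.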

