- Package:
- src:ros-dynamic-reconfigure
- Source:
- src:ros-dynamic-reconfigure
- Submitter:
- Salvatore Bonaccorso
- Date:
- 2025-09-17 14:57:04 UTC
- Severity:
- normal
- Tags:
Hi, The following vulnerability was published for ros-dynamic-reconfigure. CVE-2024-39780[0]: | A YAML deserialization vulnerability was found in the Robot | Operating System (ROS) 'dynparam', a command-line tool for getting, | setting, and deleting parameters of a dynamically configurable node, | affecting ROS distributions Noetic and earlier. The issue is caused | by the use of the yaml.load() function in the 'set' and 'get' verbs, | and allows for the creation of arbitrary Python objects. Through | this flaw, a local or remote user can craft and execute arbitrary | Python code. This issue has now been fixed for ROS Noetic via commit | 3d93ac13603438323d7e9fa74e879e45c5fe2e8e. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2024-39780 https://www.cve.org/CVERecord?id=CVE-2024-39780 [1] https://github.com/ros/dynamic_reconfigure/pull/202 [2] https://github.com/ros/dynamic_reconfigure/commit/9975cc8b55b3039115da6662cc7279cc65303844 Regards, Salvatore
Hello, Bug #1102010 in ros-dynamic-reconfigure reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at: https://salsa.debian.org/science-team/ros-dynamic-reconfigure/-/commit/9a524eb8a4d14788af5ef5c19c02348bb8d52a5e Closes: #1102010 ------------------------------------------------------------------------ (this message was generated automatically) -- Greetings https://bugs.debian.org/1102010
We believe that the bug you reported is fixed in the latest version of ros-dynamic-reconfigure, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1102010@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Timo Röhling <roehling@debian.org> (supplier of updated ros-dynamic-reconfigure package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org) Format: 1.8 Date: Wed, 17 Sep 2025 15:17:51 +0200 Source: ros-dynamic-reconfigure Architecture: source Version: 1.7.6-1 Distribution: unstable Urgency: medium Maintainer: Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org> Changed-By: Timo Röhling <roehling@debian.org> Closes: 1102010 Changes: ros-dynamic-reconfigure (1.7.6-1) unstable; urgency=medium . * Migrate debian/watch to version 5 format * New upstream version 1.7.6 * Refresh patches (no functional changes) * Wrap and sort Debian package files * Bump Standards-Version to 4.7.2 * Fix CVE-2024-39780: Use safe loader for YAML input (Closes: #1102010) Checksums-Sha1: 6076e3f6a289d9e87b749474d35154a89065741c 3026 ros-dynamic-reconfigure_1.7.6-1.dsc 4fda94ad892fbfde9bddcdde4602cedd173b32b2 41313 ros-dynamic-reconfigure_1.7.6.orig.tar.gz 7a53f3ecba5ad2cd705ffaffe4b59d02a7501810 6296 ros-dynamic-reconfigure_1.7.6-1.debian.tar.xz Checksums-Sha256: c7fe17211a634c11c5d0f0fd242646c8ffd54e78bf35a3f5130bda0e267de6c0 3026 ros-dynamic-reconfigure_1.7.6-1.dsc f0e0d5e2402e46fc2b60ca9490ef5a7cdea29278ad49f07769b12abd79278636 41313 ros-dynamic-reconfigure_1.7.6.orig.tar.gz 809ae8ba02c6fe16c24fbfa3a0fbe177ca7e34fdd570405582a25419f145b19c 6296 ros-dynamic-reconfigure_1.7.6-1.debian.tar.xz Files: 2ec636f8b64b38cff155144d33011def 3026 libs optional ros-dynamic-reconfigure_1.7.6-1.dsc 5cb8c93458255411b3066c0e7f8a5816 41313 libs optional ros-dynamic-reconfigure_1.7.6.orig.tar.gz dc5233aa67697dca56461c311a6b1d5b 6296 libs optional ros-dynamic-reconfigure_1.7.6-1.debian.tar.xz -----BEGIN PGP SIGNATURE----- iQJIBAEBCgAyFiEEmwPruYMA35fCsSO/zIxr3RQD9MoFAmjKuIcUHHJvZWhsaW5n QGRlYmlhbi5vcmcACgkQzIxr3RQD9MrS5A//TyeLcwoGCYoX1sicBVpFba3O/Kv2 tZKNXCGrKr7rSSinyH4K0Bbju7tNclk1aPCe5ODqNQ6bCBj6rO/Z048JsG9jUfvD bJWP6UBf9grIrtOC6oX4EGKCrjlOpn5LzOp9N2xvfEf6Wl1bMBbhesthB+VZbgIj zL1GTpJsXFU4LdvvpvinqBQ8/C5kqADLmku2Tx1AbU02Vhb+xYYhYepa+UhNiM6/ 9+TwthaIVd3GX07QDw93pTiuRDEHWlzgyWQI09pO/rAkHCj2UqBnH8xrP7htuEtw erxh+KwRHTL5u7qTyovYnj59azD8/VvLbSi5iTxIHXBJGqZpigpiGSDQaoB5FkWV 2TbO2OIQQfUuhpW+TYWB16AYPkKOaRUEpDPMQzUXH0FYbosAzAm//iu1Nl8qtamS bAho65m5PeRrt9L8nMfXEVnOXmZ5WkElzwUJZE35WoQus7QAc6yw3i3tk8CGaIbJ l10xuypShiXtWyVOX1CKDptFmGl/hY7isdt/tZl7fSQhEXk/BzlcMJRTBkK++pmq vmGdzpx0tPLUYPzvE/DxBPRYoT24xAdVv+fdyI3PKkVZTR7N/unTrvIeJoayGE01 xrl+m03P8VtSGm3/GKZBPDWoiE6WxQougCgd4hxeY6s+97222gOXVGY6KJ7yjghj PZUI8T8MJPmJ8xI= =Stp2 -----END PGP SIGNATURE-----