#1104239 fastdds: CVE-2023-24010

Package:
src:fastdds
Source:
src:fastdds
Submitter:
Salvatore Bonaccorso
Date:
2025-04-27 16:03:02 UTC
Severity:
normal
Tags:
#1104239#5
Date:
2025-04-27 16:00:12 UTC
Hi Timo,

The following vulnerability was published for fastdds, but I'm not
really sure of the state of it, whether upstream intends to act or has
acted on it. There is one reference associated with various DDS
implementations, each of which got its own CVE, CVE-2023-24010 for fastdds.

CVE-2023-24010[0]:
| An attacker can arbitrarily craft malicious DDS Participants (or ROS
| 2 Nodes) with valid certificates to compromise and get full control
| of the attacked secure DDS databus system by exploiting vulnerable
| attributes in the configuration of PKCS#7 certificate’s validation.
| This is caused by a non-compliant implementation of permission
| document verification used by some DDS vendors. Specifically, an
| improper use of the OpenSSL PKCS7_verify function used to validate
| S/MIME signatures.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-24010
https://www.cve.org/CVERecord?id=CVE-2023-24010
[1] https://github.com/ros2/sros2/issues/282

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore