#1110773 ros-ros-comm: CVE-2024-39289 CVE-2024-39835 CVE-2024-41148 CVE-2024-41921 CVE-2025-3753

Package:
src:ros-ros-comm
Source:
src:ros-ros-comm
Submitter:
Salvatore Bonaccorso
Date:
2025-08-12 15:57:02 UTC
Severity:
normal
Tags:
#1110773#5
Date:
2025-08-11 03:46:13 UTC
Hi,

The following vulnerabilities were published for ros-ros-comm.

I'm actually not really sure how we can tackle those or should handle
them. There is as well only little additional information on those.

Maybe remove all ROS1 related packages?

CVE-2024-39289[0]:
| A code execution vulnerability has been discovered in the Robot
| Operating System (ROS) 'rosparam' tool, affecting ROS distributions
| Noetic Ninjemys and earlier. The vulnerability stems from the use of
| the eval() function to process unsanitized, user-supplied parameter
| values via special converters for angle representations in radians.
| This flaw allowed attackers to craft and execute arbitrary Python
| code.


CVE-2024-39835[1]:
| A code injection vulnerability has been identified in the Robot
| Operating System (ROS) 'roslaunch' command-line tool, affecting ROS
| distributions Noetic Ninjemys and earlier. The vulnerability arises
| from the use of the eval() method to process user-supplied,
| unsanitized parameter values within the substitution args mechanism,
| which roslaunch evaluates before launching a node. This flaw allows
| attackers to craft and execute arbitrary Python code.


CVE-2024-41148[2]:
| A code injection vulnerability has been discovered in the Robot
| Operating System (ROS) 'rostopic' command-line tool, affecting ROS
| distributions Noetic Ninjemys and earlier. The vulnerability lies in
| the 'hz' verb, which reports the publishing rate of a topic and
| accepts a user-provided Python expression via the --filter option.
| This input is passed directly to the eval() function without
| sanitization, allowing a local user to craft and execute arbitrary
| code.


CVE-2024-41921[3]:
| A code injection vulnerability has been discovered in the Robot
| Operating System (ROS) 'rostopic' command-line tool, affecting ROS
| distributions Noetic Ninjemys and earlier. The vulnerability lies in
| the 'echo' verb, which allows a user to introspect a ROS topic and
| accepts a user-provided Python expression via the --filter option.
| This input is passed directly to the eval() function without
| sanitization, allowing a local user to craft and execute arbitrary
| code.


CVE-2025-3753[4]:
| A code execution vulnerability has been identified in the Robot
| Operating System (ROS) 'rosbag' tool, affecting ROS distributions
| Noetic Ninjemys and earlier. The vulnerability arises from the use
| of the eval() function to process unsanitized, user-supplied input
| in the 'rosbag filter' command. This flaw enables attackers to craft
| and execute arbitrary Python code.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-39289
https://www.cve.org/CVERecord?id=CVE-2024-39289
[1] https://security-tracker.debian.org/tracker/CVE-2024-39835
https://www.cve.org/CVERecord?id=CVE-2024-39835
[2] https://security-tracker.debian.org/tracker/CVE-2024-41148
https://www.cve.org/CVERecord?id=CVE-2024-41148
[3] https://security-tracker.debian.org/tracker/CVE-2024-41921
https://www.cve.org/CVERecord?id=CVE-2024-41921
[4] https://security-tracker.debian.org/tracker/CVE-2025-3753
https://www.cve.org/CVERecord?id=CVE-2025-3753

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

#1110773#10
Date:
2025-08-11 12:44:44 UTC
Hi Salvatore!

Jochen and I do not think this is a genuine vulnerability. The eval()
statements in ros-comm receive their input exclusively from the invoking
(ROS) user's CLI arguments and/or codebase, so there is no privilege
escalation: The user could just as easily "inject" code by invoking the
Python or shell interpreter. Any attack would have to be a social
engineering attack that needs to trick the user into either executing a
bad shell command or running malicious code they downloaded somewhere.

Furthermore, we find the CVE reports borderline inactionable, as the
reports have virtually no information beyond mentioning eval(), and one
report (CVE-2024-39289) even refers to "special converters for angle
representations in radians", which makes little sense in this context
and makes us suspect LLM involvement or some other form of bogus
reporting. This suspicion is further reinforced by the link to the
purported advisory, which merely points to the upstream blog entry
announcing the end-of-life (i.e., the end of official upstream support)
for ROS 1, with no mention of vulnerabilities whatsoever.

We do not believe these bugs need fixing, but we will accept patches if
someone can strengthen the code without compromising established
functionality.


Cheers
Timo
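As an added illustration of what a "strengthen the code without compromising established functionality" patch could look like (example code, not ros-comm's own): a restricted evaluator for rostopic-style --filter expressions that keeps the usual `m.field > value` semantics but walks the AST over a whitelist instead of calling eval(). It assumes a message object exposing its fields as plain attributes; the sample message at the bottom is constructed for the demo.

```python
# Added example, not ros-comm code: evaluate "--filter" expressions such as
# "m.data > 5 and m.header.frame_id == 'base'" over a small whitelist (constants,
# the name m, non-underscore attributes, arithmetic, comparisons, and/or/not).
import ast
import operator
from types import SimpleNamespace

_BIN = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
        ast.Div: operator.truediv}
_CMP = {ast.Eq: operator.eq, ast.NotEq: operator.ne, ast.Lt: operator.lt,
        ast.LtE: operator.le, ast.Gt: operator.gt, ast.GtE: operator.ge}
class FilterError(ValueError): "Expression uses syntax outside the filter grammar."

def _ev(node, m):
    if isinstance(node, ast.Expression):
        return _ev(node.body, m)
    if isinstance(node, ast.Constant):
        return node.value
    if isinstance(node, ast.Name) and node.id == "m":
        return m                       # the only name a filter may reference
    if isinstance(node, ast.Attribute) and not node.attr.startswith("_"):
        return getattr(_ev(node.value, m), node.attr)   # no dunder/private access
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN:
        return _BIN[type(node.op)](_ev(node.left, m), _ev(node.right, m))
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
        return not _ev(node.operand, m)
    if isinstance(node, ast.BoolOp):
        vals = (_ev(v, m) for v in node.values)   # lazy, like and/or
        return all(vals) if isinstance(node.op, ast.And) else any(vals)
    if isinstance(node, ast.Compare):
        left = _ev(node.left, m)
        for op, rhs in zip(node.ops, node.comparators):
            if type(op) not in _CMP:
                raise FilterError("unsupported comparison operator")
            right = _ev(rhs, m)
            if not _CMP[type(op)](left, right):
                return False
            left = right               # chained comparisons: a < b < c
        return True
    raise FilterError(f"disallowed syntax: {type(node).__name__}")  # Call, Subscript, ...

def safe_filter(expr, m):
    """Evaluate a --filter expression against message m without eval()."""
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as e:
        raise FilterError(f"bad expression: {e}") from None
    return bool(_ev(tree, m))
# Constructed sample message standing in for a ROS message object.
SAMPLE_MSG = SimpleNamespace(data=7, header=SimpleNamespace(frame_id="base"))
```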

#1110773#15
Date:
2025-08-11 19:11:08 UTC
Hi Timo,

Thank you, I marked all of those CVEs as unimportant with a negligible
security impact note.

Regards,
Salvatore